That is pretty much the case for any legacy industry, not just banking. It's 30% engineering, 70% actually knowing someone who will let your engineers anywhere near the data source.
In some cases regulations like PSD2 give you a "shortcut", but even then it's a sham because in practice the APIs you're given are dysfunctional and you will have to spend significant effort making up for the shortcomings of the API (in some cases it's insane things like blatantly violating both the specification and even common sense, such as settled bank transactions outright disappearing without a corresponding reversal transaction).