Every bank I've worked with uses SFTP rather than FTP.

Just to be pedantic. SFTP (file transfer subsystem of SSH) or FTPS (FTP + TLS)?

I mean, either is fine, I would just imagine that if it was FTP at some point, moving to FTPS wouldn't be unreasonable.

SFTP means exactly SFTP, and it's not ambiguous. FTPS is a completely different protocol.

To you, maybe. To the rest of the world, you have to check and be explicit about it.

Most i've seen use Connect:Direct Secure Plus

Ah, yes, for interbank reconciliation and talking to the Fed. Typically not for merchant services related ACH applications.

I've worked on a similar system running on plain FTP (wasn't SFTP created just in something like 2000? So that it wouldn't have been an option back when the system was created) but it had no obvious security flaws because of this - all the FTP handled was the exchange of encrypted&signed files with encrypted&signed ACK messages, the same system might have been run over something like plain email.

Same here when I worked at a Mortgage company. SFTP everywhere.

Did they use sftp from the OpenSSH package or was it some sort of commercial variant?

Just sharing mine. My company customer consist of major international financial establishment.

As some simply can't go with certain open source project due to compliance, we settled with Tectia SSH[1]. Similar story with VPN and other security-related stuff.

Everything is SFTP with them. Even API json response lol

1. https://www.ssh.com/products/tectia-ssh

Linux/Ruby systems used openssh sftp. Windows Server/SQL Server used some POS SQL Server SSIS sftp plugin.