cross-posted from: https://lemmy.sdf.org/post/48532948

Banks are on an unstoppable uncontrolled trajectory in pursuit of KYC over-achievement. That is, they over-collect far more data on people than legally required (before it gets leaked to criminals in data breaches). Banks’ privacy policies are rife with anti-consumer weasel words.

It’s such a shit-show that privacy proponents have no real choice other than to quit banks and operate entirely with cash. Not many people have that level of discipline.

Software can turn this situation around. For example, there are ~6000 privacy-abusing banks and credit unions in the US. If a robot harvests all the privacy policies, fetches AOS apps to check permission reqs, records those with websites MitMd by Cloudflare, and uses all that info to find the lesser of evils, consumers can participate in creating a competition for privacy (as opposed to a competition of meaningless soul-selling fractions of a percent of interest earnings). The heart of the problem is banks are only getting pressure from the side of oppressors and tyranny and no pressure from the side of the people they purport to serve. Software and data can remedy this.

Worth noting that long before the AI bubble started, a university in the US studied bank privacy policies in bulk using a scraper bot that just looked at the standardised privacy disclosure forms for which all banks must conform to a standard layout. The data has rotted by now so their research is not of much use.

  • evenwichtOPEnglish
    2·
    2 days ago

    FWIW, as someone working in fintech in the EU, that “KYC over-achievement” is not as overzealous as you think it is.

    It is not as reckless in the EU as it is in the USA, but still overzealous in the EU. Examples:

    • Guy in Finland was refused a home mortgage because his bank transactions revealed that he buys a lot of wine. Alcohol consumption was tracked and seen as a risk for lending.
    • Some banks’ privacy policies openly admit that they keep records of the IP address for the purpose of tracking geolocation. Yes, in Europe. And yes, it violates GDPR Art.5 (data minimisation).
    • No GSM number? No account. Some banks don’t even just accept what number you give them – they demand proof from the GSM carrier that the number belongs to the applicant (even in a region that mandates GSM registration).
    • ID card on file at a bank expired. What does the bank do? They simply cut off the card, even if it’s a Friday and the bank doesn’t reopen until next week. That is how they communicate to the customer that they need to provide an updated document. No, people’s identity does not change. It is still the same person.
    • Some EU banks now refuse to give customers a statement of account on paper, thus forcing them online.
    • Some EU banks collect frivilous data for marketing purposes which they treat as “legitimate interest”. They write this in the privacy policy. People can opt-out, but for me it’s an abuse that it’s not the other way around. It should be opt-in.

    Not KYC but still an abuse: All EU banks with mobile apps force customers to obtain their closed-source app from Google or Apple, who then collects the IMEI number of the user, their GSM number, and tracks which apps they download so Google or Apple has a record of where people do their banking. Likewise, some banks choose Microsoft or Google for their email service and they never provide a PGP key. In this case MS or Google sees where people bank and their msg payloads.

    None of that privacy abuse is legally necessary or required to execute the contract.

    And, at least at my place of employment, we take the PII protection very seriously because of GDPR.

    You could only express that in terms of your own place of employment. The DPAs in most member states report annually being understaffed. They are up to their necks in an unsurmountable ocean of Art.77 complaints because the GDPR is widely ignored.