UK banks have a well-established duty of confidentiality toward their customers — one rooted in common law and reinforced by data protection legislation. In practice, this means a bank cannot routinely share your financial details, transaction history, or account behaviour with third parties without your knowledge and consent. That is the general rule. What matters equally are the exceptions.
When Confidentiality Gives Way to Disclosure
There are four principal circumstances under which a UK bank will share customer information without asking for permission first. A request from HMRC — which holds broad statutory powers to require account information as part of tax compliance work — obliges banks to comply and generally prohibits them from telling the customer. A court order can compel a bank to produce financial records in civil or criminal proceedings. Suspicion of financial crime requires banks to file a Suspicious Activity Report with the National Crime Agency under the Proceeds of Crime Act 2002. And regulatory oversight by the FCA and PRA includes rights to inspect bank records as part of supervisory functions.
Automatic International Information Sharing
Since 2016, the UK has participated in the Common Reporting Standard, under which financial institutions automatically share account information each year with tax authorities in over one hundred countries. For anyone with international financial connections, this represents a significant departure from older assumptions about banking privacy.
What You Are Entitled to Request Directly
Banks must provide transaction records going back up to six years on request. Fee charges must be explained if queried. Credit decision refusals must be explained in general terms. And under UK GDPR, any customer can submit a Subject Access Request at no cost, requiring the bank to provide within thirty calendar days every piece of personal information it holds — including internal notes, risk flags, credit assessments, and correspondence logs.
What Banks Are Permitted to Withhold
The specific criteria used in automated credit scoring systems are protected as commercially sensitive. Internal fraud investigation procedures are not disclosed in order to preserve their effectiveness. Crucially, a bank cannot tell you whether a Suspicious Activity Report has been filed about you — doing so would constitute a criminal offence under UK law.
A Practical Step Worth Knowing
The Subject Access Request is one of the least-used but most useful rights available to UK bank customers. It can be submitted by email or letter to the bank's data protection team and costs nothing. Within thirty days, the bank must provide a complete record of all personal data held — which typically includes far more than most customers expect.
Editorial note: This article is intended for general informational purposes. medinitiatives.com is an independent publisher.
