Account closures, terminations, transfer blocks without explanation – where banks go too far legally and systematically undermine GDPR rights!
‘Which is the greater crime, robbing a bank or founding one?’
(Bertolt Brecht)
When risk management becomes a legal vacuum
Account closures and transaction blocks are now part of everyday life for many private and business customers. Banks regularly cite money laundering prevention, internal risk models or regulatory obligations as reasons for this.
From a purely legal perspective, account closures or temporary blocks are permissible in many cases, but not without limits.
We explain why AI-supported risk analyses are increasingly leading banks to block or terminate access to accounts. The Banking Act gives credit institutions considerable leeway in this regard. What is often concealed, however, is the corresponding right of customers to information.
This is because customers are entitled to know the actual reasons why their personal data is being processed and evaluated.
However, a problematic pattern is becoming increasingly apparent:
banks are using AML arguments to avoid providing any substantive information – even when customers or payees have demonstrably done nothing illegal.
At this point, risk management becomes a constitutional problem.
Right to terminate yes – refusal to provide information no
It is undisputed that:
Banks are allowed to terminate business relationships if they consider their risk tolerance to have been exceeded. They are not required to disclose their internal models or provide detailed reasons for their suspicions that could jeopardise investigations.
However, what is not permissible is complete isolation from those affected when personal data is processed, evaluated or passed on.
This is precisely where European data protection law comes into play.
GDPR as a limit to internal bank power
The General Data Protection Regulation is not a ‘customer service law’ but an instrument for the protection of fundamental rights.
Article 15 of the GDPR gives data subjects a clear right to information about
- whether personal data is being processed,
- what data is involved,
- how it has been evaluated or classified,
- to whom it has been transferred,
- and to a complete copy of this data.
This right also applies to banks – and also in the context of AML and fraud.
The processing of risk, scoring or fraud assessments is not exempt from data protection.
The critical point: ‘Possible fraud’ without justification
It becomes particularly problematic when banks not only assess risks internally, but also:
- classify payment recipients as ‘suspicious’ or ‘possible fraud’,
- block transfers,
- and this classification becomes effective vis-à-vis third parties
without even informing the person concerned on what factual basis this is done.
In such cases, it is no longer a matter of prevention, but of reputation-relevant data processing.
Such a classification is:
- personal,
- potentially damaging to reputation,
- economically disadvantageous,
- and thus fully covered by the scope of the GDPR.
Anyone who refuses to provide any information in this regard risks violating:
- Art. 5 GDPR (lawfulness, transparency, accuracy),
- Art. 15 GDPR (information),
- and, where applicable, Art. 16 GDPR (rectification).
Documented case studies from practice
Concrete documented cases from practice show that these problems are not theoretical borderline cases.
In the case of SEB Pank AS, a customer’s transfer order was blocked after the payee had been classified internally by the bank as a ‘possible case of fraud’.
A comprehensible explanation or disclosure of the underlying personal assessments was refused – with blanket reference to banking secrecy and internal compliance requirements.
The incident has been documented by the authorities and is the subject of a data protection investigation.
Another particularly relevant example concerns the payment service provider WISE.
In this case there is already a legally binding, EU-wide ruling by the European Court of Justice clarifying that, even in a financial and risk context, personal assessments, scoring information and classifications are subject to the right to information under Article 15 of the GDPR.
The Court has expressly ruled that payment service providers may not invoke either business or banking secrecy to deny data subjects access to their own data.
Both cases show the same structural pattern:
where banks make internal risk decisions with de facto external effects, but at the same time remove them from any transparency, they come into clear conflict with European data protection law.
Banking secrecy as a protective shield – legally untenable
In practice, banks regularly invoke banking secrecy across the board. This argument is not legally tenable.
Banking secrecy protects:
- business secrets,
- internal processes,
- sensitive third-party information.
It does not extend to
- withholding personal data from affected individuals
- or concealing from them the existence and content of negative assessments.
The case law is clear here:
A complete refusal to provide information is inadmissible.
At most, the following would be permissible:
- restricted,
- abstract,
- or partially redacted information.
Complete silence is not permissible.
When banks effectively become judges and prosecutors
The structural problem goes beyond individual cases.
Banks are increasingly making decisions with quasi-sovereign effect:
- they prevent payment flows,
- they stigmatise market participants,
- they effectively deprive companies of their economic capacity to act,
without justification, without access to files and without effective legal remedy.
This shifts a central principle of the rule of law:
control over the assessment of suspicions no longer lies with courts or authorities, but with private actors – without sufficient transparency requirements.
Infobox: Case law – ECJ / HG Vienna
European Court of Justice (ECJ)
The Court of Justice has clarified that the right to information under Article 15 GDPR also covers assessments, scores and risk classifications.
Business or banking secrets may not completely exclude the right to information, but may at most lead to information that is limited in content or redacted.
Commercial Court Vienna (HG Vienna)
The Commercial Court Vienna has confirmed this line in several decisions and emphasised that banks may not refuse to provide full transparency in the case of personal risk assessments with external effects.
Internal compliance considerations do not justify a legal vacuum.

Conclusion: AML must not be a legal vacuum
Money laundering prevention is necessary and important.
However, it does not justify the blanket withdrawal of fundamental rights.
The line is clear:
banks are allowed to manage risks.
However, they may not decide on economic livelihoods without transparency, without information and without a sound legal basis.
When banks begin to systematically deny legitimate requests for information, they are leaving the realm of law – and crossing a line that European legislators have deliberately drawn.
Note:
This article is a journalistic analysis. It is based on publicly available sources. It does not constitute a legal assessment or financial advice. All assessments have been researched to the best of our knowledge and are marked as opinions within the meaning of Art. 10 ECHR / Art. 5 GG. Counterstatements will be taken into account in accordance with § 56 RStV.
Sources:
European Court of Justice (ECJ)
Case law on Art. 15 GDPR (right to information, including ECJ, Case C-487/21).
Vienna Commercial Court (HG Wien)
Several decisions on the transparency obligations of banks in relation to personal risk assessments with external effects.
Key message: Internal compliance or AML considerations do not constitute a legal vacuum and do not justify a complete refusal to provide information.