[jon-wood]

A GDPR request may not go far because banking regulations supersede GDPR when it comes to retaining records that might be required for financial investigations. I believe in a UK there's a requirement that they hold onto details of any transactions done for at least eight years.

[robotmay]

I understand the banking requirements but in theory they should only be keeping certain information for security practices and scrubbing it from everywhere else (e.g. marketing/analytics etc)