I don't believe the right to be forgotten here is at all relevant. It only covers the indexing of data. For example if I commit a crime a media organisation will write a story about it, google will index it, after a number of years I have the right to ask google to unlink those stories, however I don't believe it covers removal of the original story.
Certainly it's hard to believe some of this would be completely compatible with the GDPR. Perhaps you could make the argument that there is a legitimate business need to prevent fraud but from what's included in the article the data goes far beyond what anyone would consider minimal.
Then I'm curious how do they enforce it. Maybe with US there are some treaties signed, but what about a foreign country that has no treaties with the EU?
To date, the answer to that question appears to be: Sternly worded letters, which will be promptly ignored.
There's no actual enforcement mechanisms against an entity that does not exist in the EU and has no financial exposure to it. That includes with the US, as far as I can tell.
https://en.wikipedia.org/wiki/Right_to_be_forgotten
https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
But the GDPR does have the 'right to erasure' which replaces the 'right to be forgotten'.