[daveoc64]

To whom, and on what basis?

There is nothing in UK law that says banks have to store your passwords "securely".

Issues like this have been raised in the past, and authorities like the ICO have said no law is being broken. GDPR, for example, does not specify technical mechanisms required to store any form of data.

[Recursing]

See https://news.ycombinator.com/item?id=22356101

[daveoc64]

Unfortunately, they are still non-committal on what is required. They advise that passwords should be hashed, but there is nothing that makes that a binding requirement.

The gist is still "do what you think is appropriate".

The ICO talks about balancing risks and convenience, and the banks will argue that their systems are secure overall, and don't make the consumer liable anyway.

Under the ICO's guidance, an organisation could argue that plain text (or reversibly encrypted) passwords allow them to do things like password reminders.

You or I might think that's terrible, but they can argue that it's a better user experience.

[Recursing]

Are you sure? What about the fines they're already giving? https://news.ycombinator.com/item?id=18531588

[daveoc64]

That's in Germany. It's up to the regulator in each country to enforce the rules.

The ICO has a reputation for being toothless.