this post was submitted on 15 Jan 2026
0 points (50.0% liked)

Personal Finance đź’¸

77 readers
2 users here now

US-centric community for content related to consumer retail banking, credit, & investment.

founded 2 years ago
MODERATORS
freedomPusher@sopuli.xyz
0
🤖🕵→🏦 AI bot needed to harvest the privacy policies, app permissions, and Tor-hostility of all banks in a given country and rank them (🎓 good student project) (self.personalfinance)
submitted 3 weeks ago by evenwicht to c/personalfinance@sopuli.xyz
7 comments fedilink hide all child comments
 

cross-posted from: https://lemmy.sdf.org/post/48532948

Banks are on an unstoppable uncontrolled trajectory in pursuit of KYC over-achievement. That is, they over-collect far more data on people than legally required (before it gets leaked to criminals in data breaches). Banks’ privacy policies are rife with anti-consumer weasel words.

It’s such a shit-show that privacy proponents have no real choice other than to quit banks and operate entirely with cash. Not many people have that level of discipline.

Software can turn this situation around. For example, there are ~6000 privacy-abusing banks and credit unions in the US. If a robot harvests all the privacy policies, fetches AOS apps to check permission reqs, records those with websites MitMd by Cloudflare, and uses all that info to find the lesser of evils, consumers can participate in creating a competition for privacy (as opposed to a competition of meaningless soul-selling fractions of a percent of interest earnings). The heart of the problem is banks are only getting pressure from the side of oppressors and tyranny and no pressure from the side of the people they purport to serve. Software and data can remedy this.

Worth noting that long before the AI bubble started, a university in the US studied bank privacy policies in bulk using a scraper bot that just looked at the standardised privacy disclosure forms for which all banks must conform to a standard layout. The data has rotted by now so their research is not of much use.

top 7 comments
sorted by: hot top controversial new old
[–] actionary@slrpnk.net 2 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

This is not a bad idea. I don't know why you're being downvoted so much. Lots of people hate corpo LLM, understandably. But then when someone try to use LLM for user benefits against the corpo? The people here... still hate it. I never understood why.

[–] TragicNotCute@lemmy.world 3 points 3 weeks ago (1 children)

He said the no-no word and the brainless anti-AI masses swarm to downvote without engaging or discussing. Par for the course here unfortunately.

[–] evenwicht 1 points 3 weeks ago (1 children)

I think there is also widespread support for KYC-overachieving banks -- because there seems to be no pushback from consumers. I think most people believe only criminals need privacy and they are happy to let banks snoop without warrant or restraint to catch the bad guys. They give banks whatever data they ask for and answer their interrogations without hesitation.

So I really can’t be sure to what degree the contempt for my idea is anti-AI hysteria or pro-KYC boot licking.

[–] TragicNotCute@lemmy.world 2 points 3 weeks ago

I’d bet money it’s way more blind anti-AI than pro-KYC.

[–] evenwicht 1 points 3 weeks ago

I’m definately in the corpo AI hating group myself because it really looks bleak for LLMs controlled by NGOs and tiny operations. It looks like we must choose between licking the boots of a tech giant to get chatgpt-like service, or be excluded.

There are exceptions though for some services. I run argos-translate to do offline language translations using FOSS. It’s entirely free world stuff. I wonder if the answer is to promote argos-translate while spotlighting that it’s an LLM that you can self-host.

[–] okwhateverdude@lemmy.world 1 points 3 weeks ago (1 children)

FWIW, as someone working in fintech in the EU, that "KYC over-achievement" is not as overzealous as you think it is. Each of those pieces of data are very useful at making fraud very expensive for the fraudsters. They need to burn a lot of capital to compromise people or fabricate personas.

And, at least at my place of employment, we take the PII protection very seriously because of GDPR.

[–] evenwicht 2 points 3 weeks ago* (last edited 3 weeks ago)

FWIW, as someone working in fintech in the EU, that “KYC over-achievement” is not as overzealous as you think it is.

It is not as reckless in the EU as it is in the USA, but still overzealous in the EU. Examples:

  • Guy in Finland was refused a home mortgage because his bank transactions revealed that he buys a lot of wine. Alcohol consumption was tracked and seen as a risk for lending.
  • Some banks’ privacy policies openly admit that they keep records of the IP address for the purpose of tracking geolocation. Yes, in Europe. And yes, it violates GDPR Art.5 (data minimisation).
  • No GSM number? No account. Some banks don’t even just accept what number you give them -- they demand proof from the GSM carrier that the number belongs to the applicant (even in a region that mandates GSM registration).
  • ID card on file at a bank expired. What does the bank do? They simply cut off the card, even if it’s a Friday and the bank doesn’t reopen until next week. That is how they communicate to the customer that they need to provide an updated document. No, people’s identity does not change. It is still the same person.
  • Some EU banks now refuse to give customers a statement of account on paper, thus forcing them online.
  • Some EU banks collect frivilous data for marketing purposes which they treat as “legitimate interest”. They write this in the privacy policy. People can opt-out, but for me it’s an abuse that it’s not the other way around. It should be opt-in.

Not KYC but still an abuse: All EU banks with mobile apps force customers to obtain their closed-source app from Google or Apple, who then collects the IMEI number of the user, their GSM number, and tracks which apps they download so Google or Apple has a record of where people do their banking. Likewise, some banks choose Microsoft or Google for their email service and they never provide a PGP key. In this case MS or Google sees where people bank and their msg payloads.

None of that privacy abuse is legally necessary or required to execute the contract.

And, at least at my place of employment, we take the PII protection very seriously because of GDPR.

You could only express that in terms of your own place of employment. The DPAs in most member states report annually being understaffed. They are up to their necks in an unsurmountable ocean of Art.77 complaints because the GDPR is widely ignored.