Behind the Vault - Banks are often seen as bastions of trust, where personal financial information is locked away under layers of regulation and security. But a new study from the University of Michigan suggests that this trust may be misplaced. Despite being among the most tightly regulated institutions in the United States, banks may be sharing customer data far more freely than most people realize, and doing so behind a maze of confusing and contradictory privacy policies.[1]
The research, titled “Layered, Overlapping, and Inconsistent” and summarized in a plain-English article “Is your bank keeping your secrets?”, analyzed privacy policies from over 2,000 American banks. The findings are disturbing. Nearly half of these banks publish multiple privacy policies, many of which contain conflicting statements about how customer data is collected, used, and shared. In some cases, banks explicitly state in federally mandated notices that they do not share data with third parties, only to contradict themselves elsewhere on their websites or through undisclosed tracking technologies.
The Privacy Expectation Gap - Most consumers assume their financial data is protected by law and handled with care. After all, banks are subject to federal regulations like the Gramm-Leach-Bliley Act (GLBA), which requires them to issue a standardized two-page privacy notice explaining how personal information is shared and safeguarded. But this notice covers only a narrow slice of data: "nonpublic personal information" related to financial products or services. It does not account for the broader range of data banks collect through websites, mobile apps, and third-party trackers.
This gap between consumer expectations and legal reality creates a false sense of security. People believe their data is protected, but in practice much of it is fair game for marketing, analytics, and the behavioral profiling that feeds the broader machinery of surveillance capitalism.
How Banks Share Your Data - The study focused on one of the most sensitive areas of data sharing: third-party marketing. Researchers found that many banks deploy advertising cookies and tracking scripts that collect user behavior data, often without clear disclosure. These practices fall outside the scope of the GLBA but are covered by state laws such as the California Consumer Privacy Act (CCPA), which requires businesses to offer an opt-out from the sharing of personal information for cross-context behavioral advertising.
Despite these requirements, many banks fail to provide the necessary opt-out mechanisms. Some ignore the browser-based Global Privacy Control signal, while others bury opt-out links deep within their websites or use confusing language that discourages users from exercising their rights.
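The Global Privacy Control signal mentioned above is an ordinary HTTP request header, `Sec-GPC: 1`, so a site that ignores it is making a choice rather than facing a technical obstacle. The Python below is an added illustration, not code from the University of Michigan study or from any bank, of both sides of that check: an audit that lists the third-party scripts and pixels a bank landing page loads, and the server-side filter a GPC-honoring site would apply before serving those resources. The bank hostname, the sample HTML, the request headers and the ad-tech host list are all constructed for this example, and the last-two-labels approximation of a registrable domain is a deliberate shortcut.

```python
"""Third-party tracker audit and Global Privacy Control (GPC) handling.

Added illustration, not code from the University of Michigan study or from
any bank. The bank site, HTML, request headers and ad-tech host list below
are constructed for this example; the eTLD+1 approximation is a shortcut
(it ignores multi-label public suffixes such as co.uk).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed list of ad-tech sites (assumption; not a real blocklist).
AD_TECH_SITES = {
    "example-adnetwork.test",
    "example-adtech.test",
}

# Constructed landing page for a hypothetical bank at examplebank.test.
PAGE_URL = "https://www.examplebank.test/"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://static.examplebank.test/analytics.js"></script>
<script src="https://cdn.example-fonts.test/fonts.js"></script>
<script async src="https://tags.example-adtech.test/loader.js?acct=1234"></script>
<img src="https://pixel.example-adnetwork.test/p.gif" width="1" height="1">
<iframe src="https://www.examplebank.test/rates"></iframe>
</head><body>
<a href="/privacy/ccpa">Do Not Sell or Share My Personal Information</a>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Records the URLs of sub-resources a page loads (scripts, pixels, frames)."""

    RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def site_of(host):
    """Approximate the registrable domain (eTLD+1) as the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_resources(html, page_url):
    """Return [(host, is_known_ad_tech)] for every sub-resource hosted on another site."""
    first_party = site_of(urlsplit(page_url).hostname)
    collector = ResourceCollector()
    collector.feed(html)
    found = []
    for url in collector.urls:
        host = urlsplit(url).hostname
        # Relative URLs and the bank's own subdomains are first party.
        if host is None or site_of(host) == first_party:
            continue
        found.append((host, site_of(host) in AD_TECH_SITES))
    return found


def gpc_opt_out(request_headers):
    """True when the browser asserted Global Privacy Control (Sec-GPC: 1)."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    return headers.get("sec-gpc", "").strip() == "1"


def resources_to_serve(html, page_url, request_headers):
    """What a GPC-honoring server loads: known ad-tech resources are dropped when Sec-GPC: 1 is present."""
    collector = ResourceCollector()
    collector.feed(html)
    if not gpc_opt_out(request_headers):
        return list(collector.urls)
    kept = []
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host is not None and site_of(host) in AD_TECH_SITES:
            continue  # cross-context behavioral advertising resource: suppressed
        kept.append(url)
    return kept


if __name__ == "__main__":
    for host, is_ad_tech in third_party_resources(SAMPLE_HTML, PAGE_URL):
        print(f"third party: {host}  known ad-tech: {is_ad_tech}")
    gpc_request = {"Sec-GPC": "1", "User-Agent": "ExampleBrowser/1.0"}
    print("served with GPC:", resources_to_serve(SAMPLE_HTML, PAGE_URL, gpc_request))
```

Run against a real page, the audit half only tells you which third-party hosts a bank's page pulls in; whether a given host is ad-tech, and whether the bank's own policies disclose it, is the judgment the researchers made by hand. The serving half shows how little is required to honor the signal: the header is read once per request and the ad-tech resources are simply not emitted.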
The Policy Labyrinth - One of the most striking findings is the sheer number of privacy policies consumers may encounter. Nearly half of the banks studied provided multiple documents ranging from GLBA notices to general privacy policies, mobile app policies, cookie policies, and CCPA-specific disclosures. These documents often contradict each other. For example, 55.2% of banks with multiple policies claimed in their GLBA notice that they do not share data for marketing purposes yet disclosed such sharing elsewhere.
Understanding these policies requires, on average, college-level reading ability. Larger banks tend to publish longer, more complex documents, making it even harder for consumers to understand what is happening with their data.
What the Researchers Did - To uncover these inconsistencies, the research team built a custom web crawler and manually reviewed privacy documents from 2,073 banks, representing 97.3% of all assets held by FDIC-insured commercial banks. They analyzed disclosures about third-party sharing, opt-out mechanisms, cookie practices, and responses to automated privacy signals. The study was conducted from October 2024 to January 2025.
What They Found and Why It Matters - The findings reveal a systemic problem. The layering of federal and state privacy laws has created a fragmented regulatory landscape, allowing banks to selectively disclose or obscure their data practices. The GLBA notice, once a cornerstone of financial privacy, now offers an incomplete and sometimes misleading picture. Consumers must navigate multiple documents with varying scopes and formats to understand their rights and make informed choices.
This complexity undermines the transparency that privacy laws are meant to promote. It also raises questions about regulatory effectiveness and the need for harmonized standards that reflect the realities of digital banking.
The study’s implications are significant. By exposing the inconsistencies and usability barriers in bank privacy policies, the researchers provide a roadmap for reform. They suggest that regulators should streamline disclosure requirements, enforce consistency across documents, and mandate clearer opt-out mechanisms. These changes would empower consumers to make informed decisions and hold institutions accountable.
Real-World Impacts - The consequences of opaque data sharing are not theoretical. When banks share behavioral data with third parties, it can influence everything from targeted advertising to creditworthiness assessments. Consumers may be profiled based on browsing habits, location data, or app usage, usually without their knowledge or consent. This can lead to discriminatory outcomes, reduced access to financial products, impacts on healthcare options, and subtle behavioral modification.
While regulatory reform is essential, consumers can take steps to protect themselves:
- Use the “To limit sharing” box in the GLBA notice to restrict financial data sharing.
- Click “Do Not Sell My Personal Information” links on bank websites or enable Global Privacy Control in your browser.
- Manage advertising cookies through website banners, browser settings, or opt-out tools like the Network Advertising Initiative.
These actions won’t eliminate all risks, but they can reduce exposure and signal to banks that privacy matters.
A Way Ahead - The path forward requires collaboration between regulators, banks, and consumer advocates. Privacy policies must be simplified, standardized, and made actionable to ensure transparency and compliance. Opt-out mechanisms should be easily accessible and user-friendly. And banks must be held to a higher standard of transparency and accountability.
This study is a wake-up call. It demonstrates that even in a heavily regulated industry, consumer data can be mishandled due to loopholes, complexity, and inconsistent disclosures. By shining a light on these practices, the researchers have opened the door to meaningful change and provided consumers with the tools to demand it.
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://six3ro.substack.com/p/behind-the-vault-how-us-banks-quietly