What UK Banks Are Required to Tell You — and What They Can Legally Keep Private
Banking secrecy in the United Kingdom is not the blanket protection many customers assume it to be. There are clear legal boundaries around what a bank must disclose, to whom, and under what circumstances — and customers have more rights to information than most people realise.
What Banking Secrecy Actually Means in the UK
British banks have a long-standing duty of confidentiality toward their customers, rooted in common law and reinforced by data protection legislation. In practice this means a bank cannot share your account details, transaction history, or financial behaviour with third parties without your consent — in ordinary circumstances.
The word "ordinary" is doing considerable work in that sentence. There are several well-established situations in which the duty of confidentiality is overridden entirely, and customers are rarely told about them in any detail when they open an account.
When a Bank Is Legally Required to Disclose Your Information
There are four main circumstances under which a UK bank will share customer data without asking for permission:
1. HMRC requests. HM Revenue & Customs has broad powers to require banks to hand over account information as part of tax compliance checks. Banks are legally obliged to comply and are generally not permitted to inform the customer that a request has been made.
2. Court orders. A judge can compel a bank to produce financial records as part of civil or criminal proceedings. This applies to both the account holder and, in some cases, third parties connected to a case.
3. Suspicion of financial crime. Under the Proceeds of Crime Act 2002, banks are required to file a Suspicious Activity Report (SAR) with the National Crime Agency if they suspect a customer of money laundering or fraud. The SAR is filed without telling the customer: alerting them, known as "tipping off", is prohibited, so staying silent is itself a legal obligation, not a choice.
4. Regulatory oversight. The Financial Conduct Authority and the Prudential Regulation Authority both have rights to inspect bank records as part of their supervisory role over the financial sector.
What Changed After 2016: Automatic International Sharing
Since 2016, the UK has participated in the Common Reporting Standard, a global framework under which financial institutions automatically share account information with tax authorities in over 100 countries. If you hold accounts in the UK and are a tax resident elsewhere — or vice versa — that information is shared annually without any individual request being needed.
This represents a significant shift from the older model of banking confidentiality. It means that for anyone with international financial ties, the assumption that a UK bank account is a private matter is no longer accurate in any meaningful sense.
What Your Bank Must Tell You Directly
Beyond what banks share with authorities, there is a separate and important set of information that banks are required to provide to customers on request:
- Transaction history — up to six years of account records must be made available.
- Fee explanations — if charges have been applied to your account, you are entitled to an explanation of what they relate to.
- Credit decision reasoning — if you are refused a loan or credit product, the bank must tell you, in general terms, why.
- All personal data held about you — under UK GDPR, you can submit a Subject Access Request at no cost. The bank has 30 days to respond with every piece of information it holds about you, including internal notes, credit assessments, and risk flags.
What Banks Are Not Required to Reveal
There are legitimate areas where banks can and do withhold information. Internal fraud investigation procedures, the specific criteria used in automated credit scoring, and the details of any Suspicious Activity Reports filed about you are all protected from disclosure. Banks are legally prohibited from telling a customer if a SAR has been filed — doing so could constitute a criminal offence under UK law.
Similarly, banks will not share information about other customers, even if those customers are connected to transactions in your own account history.
How to Request Your Data: A Practical Note
Any UK bank customer can submit a Subject Access Request in writing — by email or letter — addressed to the bank's data protection team. There is no fee. The bank must respond within 30 calendar days with a complete record of all personal data it holds. This includes not only account and transaction records but also any internal assessments, correspondence logs, or notes made about you by staff. It is a right that is rarely used and rarely advertised, but it is one of the more useful tools available to customers who want to understand exactly what their bank knows about them.