I agree with you completely @Peter_G, and I think I said as much in the previous thread on this!
I think it was heavily implied previously that it was a GDPR thing where many (Monzo?) argued that account details constituted “personal information” which the data minimisation principle of GDPR requires to be processed in a way which is relevant, adequate, and absolutely necessary for a “legitimate purpose”.
There was then much argument about whether or not there was a legitimate purpose for revealing the data, grounded in discussion of various usage scenarios, and how the other tests of the data minimisation principle were met.
Essentially, it was decided that the test was not satisfied fully, so on balance the compromise approach was taken based on the following logic: somebody who has given you their bank details before self-evidently trusts you with that information and might reasonably expect you to retain them, and therefore the details appear in cases where you’ve sent money to people who are saved payees. If somebody hasn’t volunteered their bank details then the details don’t appear.
Or, at least, that is my reading of where we got to with the previous discussion here and inference of internal Monzo discussions. I am also very unconvinced of this, although I do see how the logic runs.
The principle is inherently subjective, and therefore difficult to apply consistently; it is also relatively new and, consequently, relatively untested. This makes for a lack of legal clarity and I believe that this is why Monzo (and Starling) have chosen to be cautious and take the approach they have. I do not believe that an actual banking regulation explicitly requires them to restrict access to this information; my personal (non-expert) reading of GDPR is also that this is an overly cautious reading and therefore overzealous application of the principle.