Let us see the account details for faster payments again

No details for me on Starling, on Android.

No details in Halifax (although I’m doubting whether I’ve ever seen them, as it’s been so long…)

Starling only show the sort code and account number for incoming payments from one of your saved payees. If the payments are coming from someone you haven’t saved, you can’t see their bank details.

Barclays, Lloyds, Halifax, First Direct, TSB, don’t show any bank details (sort code and account number) for either incoming or outgoing payments. As far as I know, they never have done.

Nationwide is very peculiar. You don’t normally see any bank details, -except when it’s a payment to or from another Nationwide account. In this case, the Nationwide sort code and account number are all you will see, and you won’t see the other person’s name.

So if I send a payment from my Nationwide account to your Nationwide account you will see my account details, but you won’t have a clue who the money’s come from unless you were expecting it. Similarly, I will see your Nationwide account details but not your name, so if I’m checking my transactions a few weeks later It can be a struggle to remember who I’ve paid. I’ve been complaining to Nationwide about this for years, but they don’t seem interested in changing it.

That makes sense to me. If you’ve been given details and entered them yourself then why not show them? If you haven’t then I understand hiding them. It’s a bit of extra engineering effort but that’s OK.

I’m not sure I agree with the idea but I do understand it. I’m assuming (hoping) it’s ‘unintended consequences’ of GDPR rather than someone’s bright idea. The downside of that is that I don’t see any way that it’s going to change. (Depends how ‘personal’ you feel your bank details are, I guess, I think we’re a bit more free with them than in some other countries.)

This is quite interesting. I recall asking Starling back in 2018 why they don’t show the bank details on incoming payments and their response was that they aren’t allowed to reveal the bank details of the sender unless you already have them saved as a payee. I replied pointing out that Monzo do it, so it must surely be allowed and their response was simply that Monzo’s interpretation of the rules must be different to theirs. I guess it must have been quite ambigious.

Perhaps the rules have since been clarified? It would be interesting to know exactly which payment scheme rule forbids it and the wording.

This all makes sense to me.

Inbound transfers should never show sender account details by default. But it is probably acceptable (to me) for them to show if they’re a saved sender that I’ve sent money to before.

This means one-off payees, like a supplier that you use for a single job, or someone you send money to for the purchase of goods (e.g. car purchase etc) will never see your account details, only your name and a reference, which should be enough to identify you, and what the payment was for.

However, if you are receiving a payment from someone you’ve paid before (and they’re saved as one of your payees), it makes sense you can see details. You’ve already used the details to pay that person in the past. This means you can tie details together for money sent between your own accounts, or between you and your friends/family that you pay/receive from regularly.

I found it quite odd when I first saw that Monzo displayed (or used to display!) details for all inbound FPS transfers. I’d never seen that before on other accounts, and it didn’t quite sit right with me. I’m glad it’s now gone.

I’m curious about why you hold this view.

The sticking point for me about the GDPR explanation that’s been cited is that incoming funds already display your name. And, indeed, with confirmation of payee your full name can (in some circumstances) be displayed even if you haven’t provided it. So it can’t be identity protection.

I’m struggling to see where the harm will be. Your identity is already displayed. The only thing I can think of is that someone malicious might be able to set up a direct debit in your name. But there are better ways to deal with that (digital authorisation / confirmation of direct debits comes to mind).

So what’s the problem that whoever has decided on this is trying to solve?

But your name, in and of itself, is not necessarily personal information from a GDPR standpoint, because it is not necessarily a unique identifier for you. However, name and bank account details might well be.

So I can understand that, especially for particularly common names.

But there are three considerations here: 1) some names are unique down to the person - but they would be shown - why are these okay and numbers not be? 2) is it clear that anyone transferring money would have a reasonable expectation of privacy? To take an analogy, should all incoming calls be anonymous, or all cheques have the sort code and account number scrubbed from them? 3) GDPR aside, I’m still struggling to see the harm. I’m very open to the being real issues, but the niche case of direct debits aside, I can’t see any.

Some big companies might have separate accounts for receivable vs payable, and I guess customers might make assumptions that could cause mild confusion if they assumed that not to be the case, but that’s about all I can come up with.

That makes sense, but I’d classify that as inconvenience rather than harm.

(Incidentally Coventry Building Society has a different sort code for faster payments in and faster payments out. But money always tends to end up in the right place, anyway).

I’d say there are sufficiently few cases where a totally unique name exists that this is an issue. However two identifiers (name and account details) stands a much better chance of being a unique handle on a person’s identity than just their name. So greater care must be taken with how this information is disseminated.

I would say yes. To give an example, if I’m paying into a company’s account, to pay an invoice, their requirements for identifying me are served entirely by the payer name shown in the transaction, and the invoice number shown in the reference. They have no need to know the exact account details that the payment came from.

You make a good point there. Anybody who pays by cheque is giving the payee their account details, so why shouldn’t this be the same for Faster Payments?

Because the only reason the account details are on a cheque is for the purpose of processing the cheque for payment. That the recipient of the cheque sees the details too is purely a by-product of this.

When a Faster Payment is made, the processing is done already, so no need to show unnecessary info.

It is probably also why banks want to get rid of cheques at some point, and strides have been made (by enabling faster direct payments, safer online payments, contactless etc) to make them uncompetitive for most applications.

This is still confusing to me. Your argument, if I’ve understood it correctly is that individuals have a reasonable expectation of privacy when they make a bank transfer. But then you used the example of an invoice and matching on name. While you’ve said that you think that names are not unique, I still cannot believe that a reasonable person wouldn’t take a name to be personally identifiable information.

The key thing thing here is the expectation of privacy: by using this example you are ceding that there’s no reasonable expectation of privacy. Instead what you are (quite reasonably) doing is asking for data held to be minimised. That is a different issue.

My argument isn’t a technocratic GDPR one: it’s a fundamental one of trying to understand where the harm is. I still haven’t heard examples of what that might be. Indeed, as I think of it I think I’m of a view that, on balance, there may be greater harm in not having the details shown (inability to return funds, unknown payments causing distress, potential for abusers to send messages anonymously…)

If a sort code and account number combination can be used to identify an individual, and therefore be considered personally identifiable information, so could a unique identifier included in the reference field? Granted, the second may be company specific.

But if someone has invoiced me, they will know my name already and have tied it into e.g. an order.

That’s exactly my position.

I would politely disagree. I think it is quite legitimate that someone knows my name, so that they know who paid them, but they don’t see my account details. I feel that is a level of privacy that I am entitled to.

In that situation, details could be provided as required, rather than being displayed along side the transaction, indiscriminately.

But if a name is attached to the transaction, this shouldn’t cause distress. Presumably you’re able to ask the party concerned, if they’re paying you for something you’d forgotten about. Doesn’t need the account details attached.

Possible risk, although on balance not one I feel outweighs the data protection issues.

Thanks, that’s all clear now. And you’re absolutely allowed to feel entitled to not have that information shared

But, to conclude this, I respectfully disagree. I come not from a absolutist position, but one of a balance of harms. I’m yet to be convinced there is actual harm in sharing that information and potential harm in withholding it, not to mention usability issues.

We are, though, no closer to knowing why Monzo has done this. You may have made an argument that adherence to GDPR is the issue here (however we individually feel about it), but it’d be good to hear from Monzo about it.

Agreed!

And to be honest im quite disappointed its taken them so long to actually respond to this.