The Hidden Ledger: What Banks Collect Beyond Your Balance

Jul 16

Singaporeans have long trusted their banks to be safe, secure, and responsible stewards of their money. But in today’s digital age, it’s not just your cash they’re managing — it’s your data.

Each tap on your banking app, each form you fill, and every transaction you make reveals more than you might think. From biometrics to behaviour tracking, your bank might know more about you than your best friend.

So we dove into the privacy policies of three of Singapore’s biggest banks — DBS, OCBC, and UOB — and used a Large Language Model (LLM) to break down what they really collect, how they use it, and what it means for you.

Here are 8 critical questions you probably haven’t asked your bank (but should). We answer them for you.

1. What kind of personal data are banks collecting these days?

Banks today collect far more than just your name and account number. Their reach extends to biometric identifiers, behavioral patterns, and even location data:

DBS: Collects your name, NRIC, contact information, voice recordings, thumbprints, survey responses, location data, and risk profile — all clearly listed in its privacy documents.

OCBC: Gathers identifiers, account and transaction data, behavioral trends, device and usage logs, and may also incorporate data shared via ecosystem partners (e.g. third-party apps integrated with OCBC’s platforms).

UOB: Sticks to a narrower scope — name, identification number, contact details, transactional data, and cookies that track session activity.

        Identifiable information includes any data that can directly or indirectly pinpoint you — such as your NRIC, voiceprint, or digital footprint when paired with other markers.
      

2. Why do they need all this information?

Banks collect data for a range of legitimate (and increasingly automated) purposes. But these aren’t always obvious to users.

DBS: Uses your data for fraud prevention, onboarding, AI-powered personalization, targeted marketing, and service enhancement.

OCBC: Lists use cases including loyalty programs, predictive analytics, risk profiling, onboarding, and CCTV-based security — where surveillance footage is cross-referenced with your account activity to detect fraud.

UOB: Focuses on fraud detection, determining creditworthiness, providing financial services, and enabling co-branded products.

        Much of this data use is framed as improving user experience — but it's also about boosting automation, refining marketing, and anticipating your financial behavior.
      

3. Are they telling you when they share your data — and with whom?

All three banks disclose data-sharing practices, but the terminology they use can be opaque. Here’s a breakdown of what they say — and what it means:

DBS: Shares data within the DBS Group, with trusted vendors, and overseas affiliates (with safeguards). It clearly states that your data is not sold.

OCBC: Shares with internal affiliates, service providers, third-party marketers, government agencies, and “ecosystem partners” — which may include ride-hailing apps, insurers, or e-commerce platforms.

UOB: Shares with co-brand partners (e.g. joint credit card issuers) and other legal entities for service delivery or partnership benefits.

        Let’s decode the terms:

        ‣ Internal affiliates: Subsidiaries or entities under the same corporate group.

        ‣ Service providers: Vendors handling analytics, IT systems, cloud storage, or CRM support.

        ‣ Ecosystem partners: Third-party digital services you interact with via the bank — such as travel apps, insurance, or loyalty platforms.

        ‣ Third-party marketers: External agencies hired to send you ads.

        ‣ Co-brand partners: Brands like airlines or telcos offering joint cards or promotions.

        ‣ Legal entities: Entities involved in regulatory compliance or outsourced service delivery.

        ‣ Government agencies: Courts, regulators, or law enforcement bodies acting under legal authority.

        These terms are technically valid — but they’re often used vaguely in privacy policies, making it harder for users to know who exactly has their data.

4. Do I get to say 'no'? Can I opt out of data sharing or marketing?

Consent exists — but the catch is that it’s often only partial.

DBS: Lets you opt out of telemarketing. Broader data use continues unless you formally withdraw consent, which may require submitting a request via their DPO i.e. Data Protection Office.

OCBC: Provides an option to opt out of marketing and profiling, and gives contact details for their Data Protection Office.

UOB: Allows limited opt-out — but warns that some services may become unavailable if you don’t agree to core data use.

        In short, you can say "no" — but depending on the bank, that "no" might cost you access to features you actually need.
      

5. How long do they keep my data? Forever?

All three banks say they retain your personal data “for as long as necessary” — which could be years, even after you close your account.

DBS, OCBC, and UOB: All specify that data will be retained to meet legal, operational, and regulatory obligations.

        There’s no specific deletion window. So deleting your app doesn’t mean deleting your data — it may remain archived in the bank’s systems for auditing or compliance.
      

6. What kind of tracking is happening behind the scenes?

Modern banking apps and websites track more than your clicks — often without making that clear upfront.

DBS: Tracks your behavior using cookies and pixel tags, including across different devices and sessions.

OCBC: Uses Facebook Pixel, web beacons, and third-party analytics to monitor behavior both on and off their platforms.

UOB: Tracks session-level interactions through cookies — a more minimal approach.

        Quick explainer:

        ‣ Cookies are stored on your browser and used to remember preferences or track sessions.

        ‣ Web beacons (aka tracking pixels) are invisible elements embedded in emails or web pages that notify servers when a user opens or interacts with content — typically harder to detect or block.

7. Can I see what data they have on me? Can I ask for corrections?

Yes — and you should. All three banks allow users to request access to and correction of their personal data.

DBS: Mentions GDPR-style rights like erasure and portability, but stops short of guaranteeing deletion.

OCBC and UOB: Allow access and correction but may impose fees or require form submissions.

        GDPR stands for the General Data Protection Regulation, a landmark EU law that enforces clear rights around consent, access, and deletion. While DBS borrows language from GDPR, Singapore's own PDPA doesn't yet give users a guaranteed "right to be forgotten."

        In practice, asking to view or amend your data may involve several steps — and don’t expect instant results.

8. Are these banks actually playing by the rules?

Yes. All three banks comply with Singapore’s Personal Data Protection Act (PDPA). Some even reflect GDPR principles — though implementation varies.

They conduct internal audits.
They require vendor compliance.
They have breach notification policies.

        But compliance ≠ clarity. Just because they follow the law doesn’t mean you’re being kept in the loop. Much of what’s allowed under the PDPA still leaves the user in the dark.
      

Final Thoughts

You trust your bank with your money. Maybe it’s time to ask what they’re doing with your identity.

From cookies to consent forms, Singapore’s banks are building intelligent systems powered by your data. And while they aren’t necessarily breaking rules, the real question is: Are they doing enough to help you understand them?

So the next time you tap “I Agree,” pause and ask:

What am I actually agreeing to?

Who else is reading this data?

And how long will it stay there?

Because yes — your bank knows your balance. But it may also know your sleep schedule, your 3 a.m. spending habits, and your favourite bubble tea order.

And that’s the real ledger we should be watching.

Sanchi Arora