Another reason I trust Starling more than a legacy bank is their size.
Humans are usually the biggest security risk, not computer systems.
If a bank has thousands of staff and hundreds of physical locations, you can be sure there are at least a few staff, right now, trying to make money out of selling data.
Access control within the legacy banks is not as good as you might think. At branch level it’s truly atrocious. Branch staff can look up accounts with very few details, and go on to access balance and transaction history, without additional security checks.
I know for sure this is the case with one high street bank. I don’t know about others.
The legacy banks rely on audits far too much, and by the time the audit happens, the damage is done. Punishment of the member of staff doesn’t undo the damage.
Any customer account access should require a trigger event such as an active phone call, live chat session or recent message. Without the trigger event, access should not be authorised. Accounts should only be accessible without these triggers for KYC/ML teams.
Basically, human greed worries me, not systems.
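As an added illustration of the "trigger event" rule described in the post (this is example code written here, not anything from the poster or from Starling), the sketch below gates a staff member's access to a customer account on an active call or chat, or a message within a recent window, with an exemption only for KYC/AML roles. The role names, the 15-minute freshness window, the data structures and the sample events are all assumptions chosen for illustration; the point is that the check is enforced and logged at access time rather than discovered in a later audit.

```python
"""
Added example (not from the original post): deny-by-default access to a customer
account unless a recent "trigger event" (active phone call, live chat session or
recent message) exists for that customer, or the staff member holds a KYC/AML role.
Every decision is recorded so the access-time check is itself auditable.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TRIGGER_WINDOW = timedelta(minutes=15)   # assumed freshness window for a non-active event
EXEMPT_ROLES = {"kyc", "aml"}            # assumed role names allowed to access without a trigger


@dataclass
class TriggerEvent:
    customer_id: str
    kind: str             # "call", "chat" or "message"
    started_at: datetime
    active: bool = False  # True while a call or chat session is still ongoing


@dataclass
class Staff:
    staff_id: str
    roles: set


AUDIT_LOG: list = []  # constructed in-memory log; a real system would write to an append-only store


def has_valid_trigger(customer_id, events, now):
    """Return the first event that justifies access to this customer, or None."""
    for ev in events:
        if ev.customer_id != customer_id:
            continue
        if ev.active:                                  # ongoing call/chat always counts
            return ev
        if ev.kind in ("call", "chat", "message") and now - ev.started_at <= TRIGGER_WINDOW:
            return ev                                  # recent enough to count as a trigger
    return None


def authorise_account_access(staff, customer_id, events, now=None):
    """Deny by default; allow only on an exempt role or a valid trigger event.

    Returns (allowed: bool, reason: str) and appends a record to AUDIT_LOG.
    """
    now = now or datetime.now(timezone.utc)
    if EXEMPT_ROLES & staff.roles:
        allowed, reason = True, "exempt role"
    else:
        ev = has_valid_trigger(customer_id, events, now)
        if ev is not None:
            allowed, reason = True, f"trigger:{ev.kind}"
        else:
            allowed, reason = False, "no trigger event"
    AUDIT_LOG.append({
        "staff": staff.staff_id,
        "customer": customer_id,
        "allowed": allowed,
        "reason": reason,
        "at": now.isoformat(),
    })
    return allowed, reason


def demo():
    """Run constructed scenarios (sample data, not real records) and return the decisions."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    events = [
        TriggerEvent("cust-001", "chat", now - timedelta(minutes=2), active=True),
        TriggerEvent("cust-002", "message", now - timedelta(hours=3)),   # too old to count
        TriggerEvent("cust-004", "call", now - timedelta(minutes=5)),    # belongs to another customer
    ]
    branch = Staff("branch-17", {"branch"})
    kyc = Staff("kyc-02", {"kyc"})
    return {
        "branch_active_chat": authorise_account_access(branch, "cust-001", events, now)[0],
        "branch_stale_message": authorise_account_access(branch, "cust-002", events, now)[0],
        "branch_no_contact": authorise_account_access(branch, "cust-003", events, now)[0],
        "branch_other_customers_call": authorise_account_access(branch, "cust-005", events, now)[0],
        "kyc_no_contact": authorise_account_access(kyc, "cust-003", events, now)[0],
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'ALLOW' if allowed else 'DENY'}")
```

Note that the stale message and the other customer's call are both refused: the trigger has to be for the account being opened and has to be current, otherwise a single unrelated contact would become a standing licence to browse. The audit log then records who opened what and on which justification, which is the evidence an investigation actually needs.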