Revisiting Financial Privacy
Buckle up. This is going to be a very long post.
In the past week, I’ve had a number of people ask me the same question: namely what are my thoughts on privacy and banking (with some variation and additional expansions). This is a topic I’ve covered before, however with so many asking about it it’s clear that it wouldn’t hurt to bring some updated thoughts to the discussion. So without further ado, let’s talk about financial privacy.
To Bank or Not To Bank
Let’s start at the top: banks are not your friend. Period. There’s a reason “bankers hours” just so happen to coincide with the traditional 9-5 working hours, making it nearly impossible to do any in-person errands involving financial institutions: you’re not their primary customer. Prior to World War II, banks didn’t even offer many services to the general public. Banks originally existed to serve other businesses. They just so happened to decide “hey, we can make more money if we offer services to individuals, too,” so they did. I was unable to find an exact breakdown of how much money banks make off businesses versus how much they make off individuals, but I’d be shocked if the numbers aren’t vastly skewed toward the businesses.
The problem is further exacerbated by the manipulative and hostile actions banks sometimes take toward individuals and organizations. In the previously-linked blog post, I talked about how American Express lowered one man’s credit limit because he shopped at Walmart and aggregated data showed that most people who shopped there had poor credit or payment histories. The UK uses financial data to penalize welfare recipients they feel are abusing the system, even for things as small as buying name-brand products instead of generic alternatives. And of course, in 2022 people who donated to truckers that were on strike to protest vaccine mandates found their donations blocked, while PornHub was blocked from receiving payments from Visa and Mastercard. These are just a few of the ways that financial institutions can wield control of our own money and weaponize it against those they wish. And of course I’d be remiss if I didn’t mention that banks frequently – almost universally – sell your transaction data to data brokers who use your shopping habits to build a better profile on you, your personality, habits, values, and more for a variety of reasons, usually advertising, but who’s to say that it can’t and doesn’t get abused for other purpose? (Spoiler alert: it does.)
With so much rampant data collection and abuse going on, you’d think that I’d be a staunch hater of banks. But you’d be wrong. Don’t misunderstand me: I’m not here singing the praises of JP Morgan or Bank of America. The modern financial system is absolutely riddled with problems from inequality to systemic oppression to the potential for – and actualization of – political oppression and more. I’m talking specifically about banks as a place to store and invest your earnings because in today’s modern era, you basically have three options there: store it in cash/gold, store it in crypto, or use a bank.
Storing your money in cash or gold is absolute lunacy. You see, here in America we have this absolutely wonderful (note my sarcasm) legal doctrine called “civil asset forfeiture.” This is basically where the government has the legal right to say “we want your thing, so it’s ours now.” On paper, one way it could work is like so: you sold a ton of meth and bought a Lamborghini. The cops arrested you, your meth, your meth-making equipment, and anything else meth-related, including said Lambo you bought with illegal meth money. The cops then auction said sweet ride and pocket the money to bust more meth dealers. On paper, that’s semi-reasonable (depending on who you ask). You used illegal money to buy stuff, and the cops confiscated that illegal money. It’s the same principle as getting part of the proceeds if someone plagiarizes your work and sells it as theirs. In practice, however, what happens is that the cops say “I think you obtained this thing – potentially including cash – illegally, therefore I’m going to take it. Fight me if you want it back.” This is not rare (nor limited to cops, for the record, but let’s focus on the cops for now). It’s not even uncommon. In 2014, police stole more money from innocent civilians than burglars did. And 2014 was not an anomaly. They’ve been stealing so much money consistently that in 2019 the US Supreme Court attempted to intervene. If you want to read about a specifically poignant case of this, click here to read about how combat veteran Stephan Lara got robbed of his life savings, $87,000 USD, leaving him stranded on the side of the road.
This may read as an anti-cop post, but that’s not my intent. My intent is to point out that you are gambling by carrying your money around in a tangible format like cash, gold, silver, etc. All it takes is one bad cop to find it for any reason and go “mine now” and now you have to burn thousands of dollars fighting the local police department to get it back. You can decide how likely you think that is, but personally I think you’d be insane to take that gamble regardless of how pro- or anti-police you may be. That doesn’t even account for things like natural disasters, robberies, etc.
Your next thought may be “okay, what about the crypto route?” I also find this to be mindblowingly insane in all but the most extreme cases. As I write this blog post, the price of Bitcoin has fluctuated 3.23% in the last 24 hours. That may not sound like much, but consider that for Bitcoin, that’s an $857.78 difference. I make pretty good money, but that’s still nearly ½-1/3 of my paycheck (depending on how much overtime I’ve worked that pay period). Furthermore, consider that last year, Bitcoin went from nearly $32,000 to just under $16,000 in just a few months. In fact, it went from just over $31,000 to just over $15,700 in less than two weeks (June 8-19, 2022). Imagine if your bank account cut in half in a single pay period. Couple this with the fact that most place just don’t accept cryptocurrency. Sure, some niche places do, probably enough of them in different markets for you to scrape by if you’re okay with only being able to buy from a handful of vendors for each area of your life, but even in my town – which is a very techy area – I’d be hard pressed to walk into any store and find vendors still accepting Bitcoin – or any cryptocurrency for that matter. Now, for the record, there are ways around this. You can use cryptocurrency to buy gift cards from sites like Coincards for example, but that’s gonna get real old real quick, and it only works for the gift cards they support. It’s not sustainable (or available outside of the US, Canada, and UK).
Now before I defend banks, let me note that I’m not at all opposed to cash or cryptocurrency. I believe you should use both whenever possible. I use cash for my day-to-day in-person purchases like coffee, groceries, and gas. I’m trying to get better about using cryptocurrency – Monero being mine of choice – for services who offer it like IVPN or Tutanota. I’m also a huge fan of diversification. I personally don’t believe the dollar will ever go to zero – at least not in our lifetimes (yes, I know, I’m a moron who’s brainwashed by the WEF or whatever, save your emails) – but I’ve personally lived through prolonged power outages where the ATMs are down and cash is the only way to get through the week, and while I don’t think the dollar will become worthless I certainly know that recessions and depressions are things and that crypto could potentially be resilient in those situations. There are plenty of valid reasons to diversify your money. That said, I think going all-in on any one of these strategies is careless, paranoid, and gambling. You’re even more likely to lose all or significant amounts of your money by avoiding a bank. Here’s why:
Banks are FDIC insured up to $250,000 USD. That’s it. That’s really it. If my house catches on fire, all that money under my mattress is gone and I’m screwed (assuming a crooked cop didn’t confiscate it first after my New Year’s party got too rowdy and they got called). If Bitcoin halves in value overnight, I better be pretty rich to be able to take that kind of hit and still pay my rent (spoiler alert: I’m not. I’m still waiting to get my first $100 check from YouTube ads). Meanwhile, you know how much the dollar has changed in value over the last 14 years since Bitcoin was invented? Forty-one percent. Bitcoin, meanwhile, has fluctuated from 9 cents upon launch to a peak value of just shy of $69,000 in November of 2021. That’s 76,566.6%. And you may think “but that’s an increase in value, Nate!” Until it’s not. The current price of Bitcoin is just over $27,000 USD. Let’s call it $27,400 to be generous. That’s a 60% decrease in value. Bitcoin has fluctuated multiple times as much as 5 figures in the same amount of time the USD has steadily moved only double digits. The US dollar may be losing value, but I’m willing to bet money that I’m never going to wake up and discover that my bank account lost half of it’s value overnight short of a total national collapse – which I won’t rule out for the record, but at that point all personal finance advice goes out the window and I strongly suspect your Bitcoin will be just as useless as your Tesla. If you make so much money and have so much in savings that you can go all-in on crypto, you do you. But most people aren’t in that kind of position and I wouldn’t recommend it even if they were. Diversify, but don’t go all-in.
Now finally, you may be thinking “but banks need so much data about me!” Yup. You’re not wrong. They sure do. These are what’s known as “Know Your Customer” or “KYC” laws, and they are one method the government takes to attempt to fight financial fraud, requiring banks to verify your true identity with things like full real name, date of birth, social security number, and more. This is not the banks being data-hungry (necessarily), this is a law. Accusing the banks of just being after your data because of the law is like accusing someone of being a wussy driver because the speed limit is 25 mph. Being a privacy advocate, I’m not a fan of KYC laws. Perhaps they work. Perhaps they don’t. I don’t know and frankly I don’t care. While I’m certain that these measures do stop a considerable amount of crime, the potential for abuse – intentional or not – still exists and thus I’d prefer we found other ways to fight that crime. Unfortunately however, there’s not much we can do here. We’ve already discussed the absurdity of keeping bucks, bullion, or blockchain. And if you find a bank who’s willing to eschew KYC laws, well, to be frank, I wouldn’t trust it. There’s something shady going on there and they’re most certainly not FDIC insured, meaning that if they run off with all your money you’re sort of screwed.
So all this to say that basically, like it or not, your best choice for storing your money in a format that’s stable and secure at this point in time is with a bank. Those of you preparing to send me a YouTube link from Davos can leave now, thank you. Feel free to come back and smug when your predictions come true and I look like a jackass.
Picking a Bank
This leads us to the main question I’ve been getting lately and have actually gotten many times before: “how do I pick a bank?” You may not like my answer: pick the one with the best financial incentives for your lifestyle and goals.
You see, a lot of people in the privacy community have become convinced that banks must be both a privacy and security nightmare because of KYC laws and weak customer-facing security measures. You are both right and wrong. You’re right that banks are a privacy nightmare, not only because of KYC laws but because of their side hustle of selling your transaction data to various data brokers (more on that soon). But you’re wrong about security. The main assumption of banks as having poor security arises from their customer-facing policies: mainly the fact that most banks have poor two-factor authentication options and some even enforce maximum character limits for passwords. However, these points overlook other, more salient defenses. Consider the fact that banks aggressively rate limit sign-on attempts. In fact, you likely saw this when you first got into privacy: suddenly everyone and their mother was asking you to solve a CAPTCHA or do additional verification because suddenly you weren’t acting like you anymore. Banks are also pretty aggressive about demanding a second form of authentication when signing in from a new location, even if you don’t have 2FA enabled. And while SMS can be easily SIM-swapped, most banks offer verification via email which is more secure and can be locked down with a hardware token or TOTP (plus most banks allow VoIP numbers which are significantly harder to SIM-swap). To put it frankly, if a bank suffers a breach of your credentials, there are three possible outcomes: 1) the attacker may not have accessed the funds as those would be on different servers, 2) the attacker did access funds, in which case your credentials mean nothing and your money is FDIC insured anyways, or 3) the attacker only accessed your credentials but the bank has still placed a significant number of hurdles for them to log in with them.
But really, the big thing here is that banking regulations are expansive. Like, really really complicated and expansive. In the US, banking regulations are so complicated that it actually warrants having a full-time lawyer on staff just to figure out what the actual f*ck is going on and what rules you need to be following to be in compliance. The Wikipedia page about US banking regulations suggests three different pages of additional reading just on “consumer protection” alone, which includes electronic funds transfers. In other words: banks have high standards to meet. On Surveillance Report, we have a weekly section where we share all the data breaches we heard about that week, and we almost never have banks. We regularly have SaaS companies, tech startups, game companies, crypto exchanges and hot wallets, even dating and porn sites, but we almost never have banks. In all the years I’ve been talking about data breaches, I can probably count all the bank breaches on one hand. That’s not to say they never happen. They absolutely do. But they pale in comparison (frequency-wise) to companies like T-Mobile, who has had at least 5 major data breaches in 4 years (with allegations of hundreds of compromises per year), or Amazon’s AWS web-hosting service who was responsible for so many exposed databases that I successfully turned it into a drinking game among listeners. Banks face so many regulations regarding consumer security and privacy – plus the incentive to not lose all their customers’ money lest the angry customer take their business elsewhere – that they actually manage to have a much higher standard of security than – by comparison – unregulated industries.
So let’s go back to the original question: “how should I pick a bank?” Well privacy is clearly already a non-starter since any trustworthy institution will absolutely abide by KYC laws and verify your identity. And security is also a relatively pointless metric because the same organizations will be abiding by the extensive patchwork of regulations and working tirelessly to defend your funds. So how should you pick a bank? By picking the one that fits your financial needs and goals best (and ensuring that they are FDIC insured to be certain that you’re actually getting the benefits of everything I’ve talked about thus far). At the end of the day, basically all FDIC-insured institutions are essentially the same. So instead pick based on your needs and goals. Are you trying to retire at age 65? Then you should pick a bank that has great retirement accounts. Are you trying to save up for next year’s vacation? Then you should be looking into banks with high-interest savings accounts or who offer credit cards with travel bonus points or similar offerings.
Now, to quickly touch on it, there are some small variations out there. Bank of America, for example, allows the use of a 2FA hardware token for login. And generally speaking, larger banks will have more money to ensure they’re staying current with regulations, technology, and other defenses while smaller banks will make for smaller targets because they have less money and fewer customers (in theory). But at the end of the day, I strongly believe these differences to be negligible for the end-user. Like them or not, trust them or not (and rest assured, despite all my glowing words here, I do not trust banks, I’m certain the CEO of JP Morgan would personally throw me into a meat grinder for a dollar), banks really aren’t a security nightmare waiting to happen, and as long as your institution of choice is FDIC insured (and you stay within the $250k limit) you’re safe in all but the most extreme of circumstances. Again, that doesn’t mean don’t diversify. That doesn’t mean don’t take precautions and have backup plans in place. But it does mean you should run from banks like the plague. For better or worse, they’re probably your best bet.
But That Said…
Banks are still a privacy nightmare. They may be a secure place to store your money and prevent wild fluctuations in value or sudden loss from any number of factors, but they won’t hesitate to sneak in something in the Terms of Service about how they can “share your data with trusted third parties,” aka “sell your transaction data to data brokers.” So while I strongly believe a bank is great place to store the majority of your money – especially savings and investments – I don’t for a moment recommend it as a place to spend directly from. As noted in my blog post from 2021, I strongly believe that it’s only a matter of time before your spending habits start to directly impact your life (as it already has for the person who got their credit limit lowered for saving money). I think in the future we’ll see where you shop or what you buy affect your health insurance premiums or other related fields. Thus, my recommendations from that blog post still stand.
Generally speaking, conventional privacy wisdom says to pay for everything in cash where possible. Where not, pay with masked payment options such as prepaid gift cards or virtual credit/debit cards like Privacy.com or Revolut. Overall, I agree with this strategy. But for those who are willing to deal with a little added complexity in exchange for some perks, I have additional advice I’d like to add onto that: strategic use of credit cards.
In a perfect world, it would be nice to simply swear off the credit system and ignore it. We never really agreed to it. But for most of us that’s simply not an option. I know I’m already tripled my usual word count, but if I may share something quickly: over the past few years I’ve been working hard to get my financial life together – building up savings, fixing my credit score, and investing for retirement. In just those few short years, I’ve noticed something shocking: the better my credit score, the easier my life is. A few years ago, moving into an apartment meant first and last month’s rent plus security deposit up front. Starting utilities likewise meant a security deposit. Internet required a credit check with a deposit for the ISP’s router (mandatory). Five grand might be a good buffer to get all this stuff handled in most cases. This last time I moved – about a month ago as I write this – I didn’t pay a single deposit. For anything. We moved in with our five-grand savings we had set aside specifically for the move mostly untouched. And honestly my credit isn’t even that good yet. It’s better, but it’s not where I want to be. Life is just easier when you play the system. You get better terms, you save more money, and you meet less resistance.
I say that to say this: being that The New Oil is aimed at “average” people who want to find a good balance between convenience and privacy/security and is not aimed at the extremists who wish to live in a cabin in the woods devoid of all prying eyes, I think that those who can be responsible with credit cards can use them to their advantage: both their personal finance and privacy advantage. Personal finance experts preach that you should use credit cards responsibly. They point out that – for example – most credit cards come with purchase protections, and if a credit card gets stolen you’re not out the money until it get resolves like you would be with a debit card. They also like to note that using cards correctly can save you money and even earn you extra money. You can get cashback on things like gas or groceries or earn airline miles for your next vacation. Just be sure to pay the balance off in full every month to avoid incurring interest. In light of my earlier conspiracy theory about our purchases being used to calculate our premiums, I would like to encourage this strategy (again, if you can be responsible with a credit card) while adding another recommended layer: use credit cards to paint a positive picture of yourself. Buy your healthy groceries with your credit card that gives you 3% cashback on groceries, but put the sodas on a separate cash transaction. Put your gym membership on card, pay for movie tickets and snacks with cash. Maybe I’m being overly paranoid and creating more work for myself, but I strongly suspect that in the near future approaching your finances like this creates a carefully construed positive image of yourself as a healthy, responsible person and will earn you better rates and privileges from the industries who are increasingly turning to Big Data to solve their problems.
This brings us to a final topic one reader asked me to talk about: the use of data and AI. Truthfully, I don’t think there’s anything new here. ChatGPT may be the big story in the news, but financial institutions have been using aggregate data for years to make decisions. Cathy O’Niel covers this extensively in her book “Weapons of Math Destruction,” which I reviewed and recommended. I don’t see this getting any better any time soon, hence my recommendations about strategic use of credit cards, but whether it’s via aggregate data or a glorified Clippy, we’ve long been living in an age where machines are making these decisions more than individuals, usually to mixed results. Now of course, that raises the point that this is morally questionable stuff and we probably shouldn’t just be okay with it. I agree. But then this blog post would balloon by another 2,000 or so words. So pardon the rush but let me just summarize on that note: “I agree. Call your politicians. Demand oversight and regulation. Try to push back on companies who use it when you know and can.”
In the meantime, I know this is a record-setting blog post. There was so, so much to unpack and I hope it made sense and was helpful. Privacy is always complicated and nuanced, and mixing it with money makes it even more so. As always, at the end of the day, you have to do what’s best for you, but I hope this blog post gave you a peak inside my thought process and opinions. You’re welcome to take them or leave them, or adapt and evolve them to fit your needs, but hopefully it at least gave you some things to consider with your own finances. Good luck out there. This stuff is never easily, especially in today’s landscape, but I hope I made it at least a little easier to sort through.