This article considers the position of banks regarding the provisions of automatic exchange of information regimes. The author focuses on whether a bank’s behaviour relating to such regimes is subject to a fiduciary duty to customers and any General Data Protection Regulation consequences of some approaches to compliance by banks.