Under GDPR, they should be allowed to store all personally identifiable information they need in order to provide their service.
However, offering the same information to a third party would need explicit, non-obfuscated opt-in approval to be compliant.
Also, in order to be compliant, a user has to be able to request a copy of all data stored about them, and upon request, the company should delete all data they have stored on the user.
But, this assumes that they are not breaking other laws in order to comply with GDPR. In the case of a bank, they would probably be legally required to store certain information about users for a certain amount of time. In this case, banking law sort of overrides GDPR.
A lot of users on this forum alone think otherwise and either way
Is this in reference to showing a list of contacts who are Revolut users?