We are rapidly losing our freedoms to the will of these companies. If they decide they don't want to they can even if the law doesn't forbid it.
People in Switzerland and the EU are being de-banked by local banks because of US pressure allowing them to force any bank that wants to use USD. The US has started to sanction people for free speech resulting in de-banking.
Swiss law requires one bank (Postfinance) to offer banking irregardless but if you are sanctioned you can't use the wire system, no other currencies, no credit cards and you can't use Twint either so it's in effect useless. You can't pay for your health insurance or rent.
What is this about? I'm an EU citizen, never heard about any EU citizen getting removed from any EU bank because of USD. Nor have I heard anyone being sanctioned by the US in the EU unless they're Russia-related somehow. Is there any link to a story about this?
The real solution is for them to fix their shitty systems but I don't think a handful of judges, lawyers, and human rights activists are important enough for them to make that investment.
I don't think there are any European banks that don't communicate with American payment providers in some way by default. It's possible that there are some that trust their feature gates enough to take on these sanctioned people (like government-run banks for those who can't get a normal bank account, i.e. because of a history of fraud and crime), but I don't think these banks will advertise that ability.
Perhaps if she'd take an Iranian, North Korean, or Russian bank account, she might be able to do America-free banking, but that's not very practical outside of Iran, North Korea, or Russia at the moment.
The only actual hard part was just that the rental market in Berlin has vastly more demand than supply.
* hopefully next month I pass a B1 exam, which tells you how hard it has been for me to get fluent.
If you were in London, it's like you never left home!
I'm not sure about how London compares, but Berlin has rent controls so the queues for open house viewings around here can go all the way down the apartment staircase and along the street.
I don't think it is? I moved to Spain from other EU country the same way, basically bought the cheapest one-way plane ticket I could find, spent ~1 month here before deciding I wanted to live here, then got myself the local residence card one morning and that's about it. Everything else just worked by using my passport in the meantime.
Then you need a social security number, which is different than the NIE, you need empadronamiento, you need to register with the health service and you need to set up your tax if you're going to work here (or if you live there more than 180 days of the year)
Here in Finland for example the process is actually no different than for a non-EU migrant (same amount of time taken for an unproblematic application, same amount of appointments). You are just much more likely to be accepted but in fact they do still reserve the right to reject people. And it is, probably unintentionally, much harder to exist in Finland as a non-resident as you can't have a bank account, can't use foreign phone numbers for most things and any phone you can get is very limited (can't call many numbers, etc). I couldn't even log into the local eBay for the first 6 months. All the Nordics I would guess are similar.
And people have contested in the comments to you that Spain is not actually so easy as you suggested...
I actually don't know any western country that is as easy to move to as the UK was pre-Brexit. I still think the UK is in fact one of the easier Western countries to move to, especially if you can't find moderately paid work
Countries with a national id system I would guess tend to be more difficult overall though. And the UK famously is not one of those.
But then even with appointment one only gets a temporary permit unless one already got a job offer. One gets the permanent card only after starting a business or buying a property or getting a work.
Also to open a permanent bank account one needs to have at least a temporary residence. Otherwise banks can only open a tourist account valid for few months.
"Permanent residence" is also again different and requires residence under those criteria for at least 5 years.
Well, exactly. Some countries require/required registration and residence card. That did not exist in the UK when it was in the EU, you just showed your passport/ID card when you needed to prove your right to be there (basically once in a blue Moon). Even now EU residents don't have any physical documents.
The National Insurance number @pdpi mentioned is unrelated as everyone has one once they work and an appointment is not always required to get one, and you can actually start working before you get one.
If you work as an employee there is also usually nothing to do regarding tax.
But international travel becomes painful. (Hence EC cards are co-badged as a fall-back with Visa Debit or Maestro, impossible if you are sanctioned.)
These days however the focus has moved to digital payments, and Europe is now backing Wero, which they aim to start rolling out properly in 2026.
US and USD need not be involved - EU does this on its own without any pressure:
https://www.swissinfo.ch/eng/foreign-affairs/former-swiss-in...
"As a result Baud will not be allowed to travel within EU countries and his assets in the Euro zone will be frozen."
His assertions are not particularly extreme and, without question, fall into the realm of protected, free speech.
This is orthogonal to whether you or I agree with what he is saying. Finding his views "dangerous" is an admission of profound weakness.
There were some other sanctions involving visas, but as far as I understand that did not affect the individuals' ability to bank: https://www.cnbc.com/2025/12/24/us-bans-visas-for-ex-eu-comm...
Did you read the article?
The judge reported closed/blocked bank accounts, booking being cancelled (successful booked, then later cancelled by the companies)...
https://verfassungsblog.de/sanctions-us-icc-united-states/
From another poster:
> He cannot: open or maintain accounts with Google, Amazon, Apple, or any US company; make hotel reservations (Expedia canceled his booking in France hours after he made it); conduct online commerce, since he can't know if the packaging is American; use any major credit card (Visa, Mastercard, Amex are all American); access normal banking services, even with non-American banks, as banks worldwide close sanctioned accounts; conduct virtually any financial transaction.
Same with recently Garry Kasparov been designated a "T" by Russia. Banks simply do not take risks dealing with hot customers, as this can affect their entire business (especially if they have branches in the US).
So they rather railroad individuals that have little power, than take the risk that they will lose millions if the US sanctions their bank. It's also linked to a lot of other things.
Somebody who worked at a bank gave a description yesterday on how it works. And if you're on that list, you are really in a world of hurt.
Yes, I read the article. You misread my comment.
I don't think GP misread your comment at all. I do, however, think you just deliberately truncated your own quote.
Here is what you said, in full (emphasis mine):
> There were some other sanctions involving visas, but as far as I understand that did not affect the individuals' ability to bank.
And here is a quote from the article you read (once again, emphasis mine):
> Beyond the ban on entry into the US, they report that from one day to the next they could no longer receive goods, services, or funds from US companies (e.g., Amazon, Airbnb, PayPal, Visa, Master Card), along with indirect (secondary) effects on transactions with European companies as well, such as their domestic bank or a travel company.
I've updated my original post with a link that hopefully helps explain what "other" means.
Unpaywalled link https://archive.is/20251203115217/https://www.lemonde.fr/en/...
(it's the same problem as healthcare and construction, a shitton of regulation, some competition, but no real big differences, and a lot of global dependencies [from generic pharma producers to HVAC/heatpumps and global commodity prices for construction materials and patents and prefab systems and ...], but ultimately local bottlenecks.)
obviously it sucks that FATCA compliance is hard, but it shouldn't be, and ... it's on the banking industry that it's not using some kind of common reporting backend ... oh wait, it does! (CRS!)
(okay, I'm being probably unfair here, of course it's still more work, more support requests, more papers to push, than the counterfactual, but banks already have their reporting systems integrated to the various tax and financial-authority agencies) ... and FATCA is implemented in part through intergovernmental agreements (IGAs), and the "model 1" is a reciprocal tax info sharing between the parties, the bank reports to the local tax service, and that's it.
see also https://www.deloitte.com/us/en/services/tax/articles/common-...
this is doing a lot of work. at what point person stops being Russia related in your view?
This is doing a lot of work. at what point person starts or stops having ties with russia?
if you have any siblings or parents or grandparents or cousins or classmates or ex girlfriends who are living in Russia?
I know a bunch of foreigners with stronger ties to Russia than some of my Russian friends by this logic my friend;) especially Ukrainians and Israelis but really anywhere in the world. debank them all you say?
What it sounds like is the old USSR way "make sure most people are guilty of something so that if you want to press them you always have some excuse"
You're arguing against a point no one here made.
> We are rapidly losing our freedoms to the will of these companies. If they decide they don't want to they can even if the law doesn't forbid it.
I asked some questions to see how solid your reply was. seems not very. you basically say nah, no one is losing freedom, people are only sanctioned if they have
this
> Nor have I heard anyone being sanctioned by the US in the EU unless they're Russia-related somehow
means you heard of ppl are arbitrarily sanctioned unless there is a specific criteria for what means Russia related
Parent's comment gave me the impression that this was something exclusive to EU (and Swiss) banks in particular, since they were mentioned by name.
So technically, she can pay by card in France, Belgium, India and other countries that don't rely exclusively on Visa/MasterCard.
With local cards.
> She cannot open a bank account anywhere in the world or have a credit card, because she has been placed on the Office of Foreign Assets Control (OFAC) list of the U.S. Treasury Department, which targets money laundering and terrorism.
Are you saying this isn't true then? She's not actually on OFAC, but instead just targeted via Visa/MC?
The OFAC applies to US companies only and forbids VISA/MasterCard to manage her transactions (and a LOT of other companies ... like a lot, not just Visa and MasterCard).
Legally, European banks shouldn't apply US sanctions, maybe they do, but legally, they should not (CJUE thing, I'm not an expert). I don't think it ever happened, because ... money launderers generally don't complain about US sanctions, it wasn't a problem.
Former intelligence agent, worked also with NATO.
[0] https://www.defenddemocracy.press/eu-sanctions-swiss-intelli...
Yuh, which once was owned by both Postfinance and Swissquote, works without Play Integrity. Support for GrapheneOS is confirmed - see https://github.com/PrivSec-dev/banking-apps-compat-report/is...
The real issue is that most "legacy" banks have to comply with stupid regulations that force them to come up with these stupid solutions.
Banks are lazy and find the quickest way to comply with said regulations - simply by enabling Google Play Integrity.
About the whole US thingie - yes, that's true, and it's what happens if you get sanctioned. I'm pretty sure Russians (and other people from sanctioned countries) have similar limitations elsewhere. In Switzerland US nationals have huge problems in opening accounts because of the whole bank secrecy law that allowed many Americans to hide money from the IRS in Switzerland.
The catch is that you need Google Play Services installed and for many, you need to disable GrapheneOS' "Secure App Spawning" feature, which often trips root detection heuristics.
I know many Russians living here and when sanctions came in, their accounts became unable to receive deposits until they provided evidence of a valid residence permit. Some have problems during permit renewals as well but overall, it's nothing like as bad as it is for Americans.
Google are assholes for building this.
1) An iPhone SE 2022 that I use for TOTP, banking and auth. It is always in airplane mode, unless I need to login to banks (etc). The OS will receive security updates till 2032.
2) A Pixel phone with GrapheneOS for daily use: Internet browsing, routing, phone, message etc.
I found this is the only usable way in 2025.
which companies? google? I'm the first to blame them for almost anything, but how about Postfinance, twint, health insurers, landlords, all those companies you mention? shouldn't they offer ways to do business with them that does not involve some third party? - for example, OP mentions that hsbc website still works for them on android, this is more than what can be said of other banks that basically removed certain "sensitive" features from their homepages. Or practically all the neobanks who 100% rely on apps.
Even those governments you mention: how hard/easy do they make for citizens to engage in commercial activity without relying on third parties or adversarial systems?
I know the argument used by all of them - companies, governments: we are just "following the rules enforced on us (as interpreted by our lawyers)".
Everyone goes to the "simplest" target - Google in this case - to blame for the status quo, but Google is in this position because everybody else - consumers, companies, governments, etc - buys into the "convenience" and neglects everything else.
Eh, I think we ought to dole out our ire in accordance with the damage. All are responsible to varying degrees, but Google is the most powerful, and has the greatest ability to curb bad behavior if they wanted to, so they get and deserve the most blame second only to the governments that let them become that powerful.
That's not quite accurate.
American citizens will indeed have a very hard time to open a bank account in Switzerland. But the reason is not so much free speech than FATCA (Foreign Account Tax Compliance Act) [0] [1]
The requirements to host bank accounts for Americans are so onerous that banks rather forgo business with such clients than having to deal with the legal mess it incurs.
Another reason for a bank not wanting to deal with customers are if they are on a sanctions list. People winding up on such lists usually don't do so, because they said something nasty about Mr. Trump.
This, alas, may change if you look who got sanctioned in recent times just for raising the ire of the president (such as EC commissioners or ICC judges).
[0] https://home.treasury.gov/policy-issues/tax-policy/foreign-a... [1] https://en.wikipedia.org/wiki/Foreign_Account_Tax_Compliance...
Well that's outrageous, I'm sure you've got a list of such people ready to tell us about it.
What is Google's rationale for flagging Bitwarden?
They don't always flag it. Only when SafetyNet is set to paranoid levels. However, sideloading is considered a risk for some reason. Even if sideloading is a synonym for "installing".
The developers of this app would have it turned off during debug builds, and on during release, so would be fine.
Also being an American in Switzerland trying to do banking is eye opening. Local banks mostly tell you to pound sand when they find out you're American. Regardless of this or that administration, the US is really totalitarian when it comes to finance and taxes.
What's funny is that this particular jurisprudence was actually enforced due to a Russian oligarch (Vekselberg) on a C permit.
I am not sure regarding the rent and the health insurance, the health insurance especially as it is a legal requirement.
Guess where all these un-banked HNWI are going and who is offering them a gold card to run their businesses from?
Dismantling off-shore banking is generally a good thing since I'd like the ultra rich to pay tax as that funds services that I use.
Most likely, the US.
> Dismantling off-shore banking is generally a good thing since I'd like the ultra rich to pay tax as that funds services that I use.
There are lots of uses to off-shore banking than tax-evasion. In fact, I don't think it's feasible to use any modern (CRS/FATCA compliant) banking for tax-evasion.
Today there is no such criticism from the US because censorship is something that is also of interest to the Christian backers of the current government.
When the cat is out of the house, the mice dance on your dinner table.
1: https://en.wikipedia.org/wiki/Zugangserschwerungsgesetz
2: https://en.wikipedia.org/wiki/Internet_censorship_in_Austral...
3: https://web.archive.org/web/20100123181634/http://www.abc.ne...
More to the point, Trump is not (obviously) making all these countries and the EU demolish online privacy protections. There are laws constantly proposed all over the world to wreck free speech and privacy.
The sanctioned people were "hate-speech" fighters. Which is the most Orwellian branch of Brussels machinery. While it irks me on pure power level, you could hardly imagine people more deserving to be taken couple of pegs down.
https://english.elpais.com/international/2025-12-28/the-comp...
When it comes to this kind of thing, an injury to one is an injury to all and we need to not tolerate it. At minimum, we need regulations guaranteeing that Visa and MasterCard, as well as participating banks, aren't allowed to debank anyone without judicial oversight. Make the same true of apps: call it a Banking Access Tribunal.
Such dishonest mis-characterization.
She's a UN Special Rapporteur on Palestine talking and writing about Israel-Palestine war in such a biased way that many, including me and US State Department led by Rubio, consider her a mouthpiece of Hamas. The system is what system does and person is what a person does.
You might agree or disagree about her de-facto supporting Hamas, or if US State Department (i.e. Marco Rubio) should sanction her for what she does but it's so dishonest to claim that it has anything to do with Trump.
Especially problematic is that her actions would be unambiguously protected speech under US law if she did them in the USA.
That's an irrelevant detail right? The point is, she was debanked because someone in the US didn't like her, regardless of whom this person is.
We're reaching levels of wretchedness that I've never thought possible. Truly no shame anymore.
This is her statement essentially saying Israel bombed a hospital that we now know as close to a fact as we can, that they did not and that in fact it was a Palestinian rocket that fell on the hospital.
But let's say we can't know that for a fact.
She was still parroting Hamas's line without any ability to validate the statement.
This statement amongst many demonstrates that UN "Experts" have zero credibility in the statements they make.
We know for as close to a fact that we can get that Gazan hospitals were used as cover. (BBC, NYTimes et al reported from under hospitals in places that Hamas used for shelter and stored weapons and equipment)
But what is especially evil, is accusing people wrongly when you knowingly accuse them when you know you have no ability to validate your accusation. Which is clearly the case with the accusations launched against Israel in regards to the Al-Ahli Arab Hospital explosion.
But to many people it doesn't matter, to paraphrase the word they made about on the Colbert Report, it's all about "truthiness", one doesn't really care if this thing is true or not, the fact that it feels true and fits with one's general perception of what's true or not and good or not, is all that matters.
I even might go a step further, those who accuse someone knowingly that they don't know the truth, bear moral culpability for bad things the person they accuse does in the future.
It's human nature for someone accused of bad things falsely to simply not care in the future. "I tried my best to do right, but they falsely accused me, I am simply not going to put as much effort into doing right in the future, as it doesn't matter".
Personally, I disagree with that sentiment, and is very much part of my internal criticism at some things that have occurred, but I also think it's a very human reaction and therefore while it doesn't excuse those who do wrong because they simply don't care anymore and doesn't reduce their blame, it also places moral culpability on those who made the knowingly false accusations. Much like if I would falsely tell someone that "So and So killed your kid" knowing that it would make them go crazy and take revenge.
Life is complicated, and human reactions to the complications of life are complicated. But when an outsider inserts themselves into a complicated situation and presents lies about it in the name of "doing good", they might very much be evil.
Or to put it a bit differently, if one believes that Bush Administration members were evil for spreading lies that led to the Iraq Invasion, why is Francesca Albanese and her cohort fundamentally different? Why are their lies better and more justified?
Calling the UN special rapporteur for the Palestinian territories a "vile antisemite" sounds a lot like trolling, though.
Second of all, what happened to free speech? In fact I can list several actual antisemites currently operating freely in the US political discourse who are gathering larger and larger audiences. Why aren't they being sanctioned?
You might want to find another outlet for that, why kick up the blood pressure this much?
Is Google implementing a rule which blocks any 3rd party app which wants access to things like the keystore (which could be reasonable), or are they deliberately blocking Bitwarden?
Given there is a choice, and given HSBC is on the hook if you get hacked in most jurisdictions, it seems fair to chalk this one up as a stupid move by HSBC that's nevertheless within their rights.
This is both good and bad. It's good because fraud is rife and the banks had little incentive to do anything about it. It took them absolutely years of foot-dragging to add a system that verifies the name of the destination account holder when you transfer money between accounts. It's bad because the reason fraud is rampant is that the police do nothing about it. It's the crime you can get away with. The government saw the easy way out: rather than organizing and funding the police sufficiently, let the banks deal with it.
Even if they are not on the hook, there is still the hassle/overhead of dealing with the fraud (e.g., opening an investigation), and/or the bad press when a customer gets hacked and you refuse to refund money per the terms of service:
* https://old.reddit.com/r/PersonalFinanceCanada/comments/1pwh...
A good few years ago now (when it was possible to get something in good condition for such a measly sum) I was buying a car from a private individual. The transaction was in cash. You can't take £1500 out from an ATM, unless you spread it over multiple days, and probably doing that would also get you flagged. So I went to my bank (also HSBC coincidentally) and they required me to tell them what I was buying with that money.
Now I could have lied, of course. But they could also have just told me that I can't take cash out if they didn't believe me.
If you look around, there are news stories of people being denied access to their own money because the bank decided it was too risky.
You can get kicked out of a bank for being too risky. And there's not even any legal requirement in the UK for a bank to offer you an account. Or well, there _is_ but like with all UK regulations which protect the individual, it's full of caveats. You are entitled to a Basic Bank Account (BBA) if you can't get any other account except if you can't verify your identity/residency, or you have a history of financial misbehaviour, or if you are too closely associated with terrorism. So I guess homeless people or pro-palestine protesters aren't allowed bank accounts.
There is no other way for us mortals than to go back to cash... Or start using Bitcoin. Be your own bank. Vote with your money.
By design, it made its first users stupidly rich, which is not a good characteristic.
More importantly, it's a technical solution for a societal issue (aka, it's not at all a solution).
Not sure how this is the top post on this thread, no links nothing but misinformation and FUD.
What happens in Switzerland to non US citizens is not a free speech issue no matter how you want to twist it.
The best part is that the Current Account Switching Service makes it very easy to make the jump from a legacy bank like HSBC.
Chip contacted me at one point via their live assistant randomly without my doing and told me to stop using the app because they would soon be enforcing that rooted devices would no longer work. I continued to use the app rooted and nothing came of it.
Barclaycard, Nationwide and others don't let you use the app or require some circumvention of their detection to allow access.
Sure there are plenty of other apps, but those apps and banks have a worse product I found.
TSB still works for now, but even for a bank they're technologically incompetent so I'm going to just assume they're behind the curve rather than willingly not using SafetyNet.
The only one I would bank on still working in the future is Monzo, since, like you say, they detect it and just give you scary warning and let you continue.
Of course, asking POSB for help has led to nothing being done. By and large the biggest threat to people finance wise in Singapore isn't malware but are scams (what is called "pig butchering" in America is rampant here) whilst malware is always a threat sometimes I feel like just refusing to function is a problem due to overzealous vigilance to a low probability threat.
1. manifest.json: a JSON file that defines the app's name, icons, theme colors, and how it should launch when installed.
2. Service worker: a JS file that controls things like resource caching for offline usage
Unfortunately PWAs don't receive first class support compared to native apps. Still, I still hope to see wider adoption. I think for many not-too-complex apps, they can significantly lower the cost of development, and the development experience could be as simple as
- Building with HTML + JS + CSS. No clunky SDKs, reduced need to test on painfully slow emulators or expensive physical devices
- Installable from a browser. No need to maintain a listing in the Playstore/App Store, avoiding policy headaches, rent, etc.
https://developer.mozilla.org/en-US/docs/Web/Progressive_web...
But HSBC app declares "<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>" permission, which requires an explicit approval (https://support.google.com/googleplay/android-developer/answ...) but
> Apps that have a verifiable core purpose facilitating financial-transactions involving financially regulated instruments (for example, dedicated banking, dedicated digital wallets) may obtain broad visibility into installed apps solely for security-based purposes.
https://support.google.com/googleplay/android-developer/answ...
which is then subject to Google reviewing and approving it.
I assume HSBC are using the "antivirus" use case.
> Real-money gambling apps where the core purpose of the app is real money gambling and where the app requires broad package visibility in order to comply with technical standards mandated by applicable geofencing regulations.
I presume that's to allow the gambling apps to make sure you don't have a location spoofing app installed?
There's an exception for banking apps
> Apps that have a verifiable core purpose facilitating financial-transactions involving financially regulated instruments (for example, dedicated banking, dedicated digital wallets) may obtain broad visibility into installed apps solely for security-based purposes.
https://peabee.substack.com/p/everyone-knows-what-apps-you-u...
Discussion: https://news.ycombinator.com/item?id=43518866
Their app also likes to prompt me periodically for the password instead of the phone's biometrics, which would be good, except it always happens in a public place like the subway, which is the last place I'd want to enter a 6 digit code to my bank account on a scrambled visual keyboard which slows down typing to a point it's trivial to write down (instead of letting muscle memory do its job). Also, it seems like those apps did not get the ATM memo of giving visual/audio feedback on a random delay to user input, to y'know, not letting glancers know what you actually type.
AFAIK this trend of visual scrambled keyboard on the desktop started when keyloggers were rampant. They quickly adapted to screenshot the 20px around the mouse on click when on a bank website. The banks never adapted.
These things HSBC app does, I think it's overreaching
I'm a developer and use adb and some dev settings daily. Annoying af to have to disable developer mode constantly.
Any security system that relies on any form of client-side security is going to have other problems as well, since its designers haven't grasped this basic principle.
Many other banking apps in Singapore have this ridiculous restriction too, including Citibank.
The third-party "security framework" most of them use to pass audits is ridiculous.
The more people who continue to use this, the better. It sends a clear signal that customers prefer the open web over restrictive and inconvenient mobile apps.
I’m also hanging on to my bank’s physical RSA fob as my 2FA, instead of using their app based version.
One I repeatedly got back in the day was hilarious: "After uninstalling the app credentials stay present in the keychain". Yes thanks genius, I don't get to run code on uninstall.
Their top 3 priorities:
1. Apple's ban of third party browsers on iOS is deeply anti-competitive
2. Web Apps need to become just Apps. Apps built with the free and open web need equal treatment and integration. Closed and heavily taxed proprietary ecosystems should not receive any preference.
3. All artificial barriers placed by gatekeepers must be removed. Web Apps if allowed can offer equivalent functionality with greater privacy and security for demanding use-cases.
Website: https://open-web-advocacy.org/en/
second phone never leaves home
Apparently using an open source keyboard runs the risk of my keypresses being shared with a 3rd party. Unlike Google's keyboard?
Apps are a tool of control and surveillance and it is time we stopped tying ourselves to them. Dumb phones or degoogled operating systems (like e/OS/) are probably the answer here.
It does seem like Starling has gone out of their way twice to exempt GrapheneOS from their checks, but only after users complained: https://github.com/PrivSec-dev/banking-apps-compat-report/is...
Loss of control of devices is undeniably part of the scam lifecycle. Faking and intercepting messages from banks is a large part of that. An antivirus needs global permissions.
All of that being true, you don't have to be a contortionist to understand why they might want to lock down client devices as far as they can. Google happens to offer them an easy method.
Next up banks will start requiring out MDM enrollment? Is that equally understandable? Where do you draw the line?
It's unnecessary and intrusive to apply these methods unconditionally and on everyone.
I'll deliberately answer early: because they're on the hook for your mistakes.
Your bank dictates security terms. This isn't new. They can demand you appear in person with multiple forms of identification. They can (and have) demand you use 2f hardware they provide. They can withdraw service if they think you're a risk to their business.
If I suddenly found myself with billions in potential liabilities, I'd do absolutely everything to ban footguns. Apps with system access installed from insecure sources. Yeah, no thanks.
We've introduced additional checks to protect your
account. The following apps have been downloaded
from unofficial app stores.
Your access to the HSBC UK Mobile Banking app
has been suspended on this device until you've taken
action to restore it.
Identified apps:
- Bitwarden
How do I restore access?
- Uninstall the identified apps from your device
and download again from the default device
app store, eg Google Play or Galaxy Store.
For further assistance, please visit
https://www.hsbc.co.uk/contact/
But yes, this seems like the best possible option - also it enables the extra security through clean separation, as long as the phone is dedicated for that use case only.
They don’t. It’s a security theatre.
My only solution is to have multiple accounts, spread the risk, and rely on legal protections and bailouts when they inevitably screw up.
Having a dedicated "banking device" is a good solution for power users, though I'd probably just switch banks if my bank tries to pull that bullshit on me.
I have stopped using the HSBC app and asked for a security device (which they will send you if asked) instead and use the web site instead.
EDIT: there's also Android Protected Confirmation that works in the TrustZone so apps can't display over that. It was made exactly for apps like banking apps, so they should use it.
Using overlay permissions, it's relatively simple to trick someone into transferring money by overlaying a different UI that the malicious app makes the user type or paste into. I believe blocking access to the app while such an overlay is present makes a lot of sense. Trusting apps from Google Play to do this while blocking other install sources would be an obvious mistake, though.
I'd argue this feature shouldn't exist (because of things like the API you mention) but having a user override doesn't make sense here.
Accessibility settings are a tricky one since that's a separate law. I wonder if they whitelist screen reader apps from the official app store. Anyway that's not the case in the original article.
Number of people using F-Droid + a banking app is approximately zero in comparison.
There is not the slightest chance in hell that taking on the legal risk from F-Droid users is a sensible use of the bank's resources.
Sources: https://www.nationalcrimeagency.gov.uk/what-we-do/crime-thre... https://www.nationalcrimeagency.gov.uk/threats-2025/nsa-frau...
※ I'm aware expecting HSBC to follow the law would be extremely naive given their track record.
Google is an asshole for making this. When Microsoft first proposed a scheme like that for PCs under the name Palladium, everyone knew it was a corporate power grab. Somehow, it got normalized.
https://www.consilium.europa.eu/en/press/press-releases/2025...
https://www.ecb.europa.eu/press/key/date/2025/html/ecb.sp251...
i hope it will be part of the digital wallet initiative: https://github.com/eu-digital-identity-wallet
there is an active discussion there on NOT integrating play integrity API or any other US-dependent remote attestation: https://github.com/eu-digital-identity-wallet/av-doc-technic...
I've worked with digital and smart tachographs and seen their security implementation. It's not pretty, mirrors EU bureaucracy. If Franz Kafka wrote specs, those would be it.