Intesa Sanpaolo Fined $17.6 Million Over Isybank Client Data Transfer. Here's What Happened
You know how they say there's no such thing as a free lunch? They weren't kidding, especially when it comes to banks and those "offers" that pop up in your app. The kind that seem like a favour, but before you know it, your IBAN has changed and your local branch has vanished into thin air. The talk of the town right now is the massive €17.6 million fine slapped on Intesa Sanpaolo. It's a staggering amount, and Italy's Data Protection Authority (the Garante) has dropped the hammer to put a stop to the whole messy business of automatically shuffling customers over to Isybank.
So, what exactly went down? The story behind the Intesa Sanpaolo Isybank fine
Grab a coffee, because this is a story that could have happened to any of us. It all kicked off between late 2023 and early 2024. Intesa Sanpaolo decided to go all-in on digital and launched Isybank, its new online-only bank. No physical branches, just an app. Sounds modern and sleek, right? The problem wasn't the idea itself, but the way they went about populating it.
They took roughly 2.4 million account holders and transferred them to Isybank without asking. And how did they choose who to move? They did some pretty detailed profiling, like they were picking the best apples at the market: under 65, no investment products (like mutual funds or stocks), a balance under a certain amount (reportedly under €100,000), and frequent users of online banking. In other words, the "digital natives" were deemed ready to be ushered into this new branch-free promised land.
The heart of the issue: unlawful data processing and communications that went unnoticed
And here's where things get sticky. To make this selection, Intesa Sanpaolo used its customers' personal data, citing "legitimate interest." Now, you might think, "Legitimate interest sounds pretty serious, isn't that a valid reason?" It can be, but the Garante ruled that in this case, it wasn't enough. For a change that fundamentally alters your banking life—a new IBAN to update for your paycheque, losing access to a physical branch, and having your data handled by a new entity—they needed your explicit consent. And that consent was never asked for. The result? A ruling of unlawful data processing and a record fine.
And then there's the cherry on top that really gets people going: how did they communicate this so-called revolution? Not with a clear push notification or an SMS. They tucked the notice away in the "archive" section of the Intesa Sanpaolo app. And guess when they did it? Right in the middle of summer. A time when most people's minds are on vacation. A perfect strategy, it seems, to make sure no one noticed in time to object. The Garante found the communications to be "inadequate," failing to give proper prominence to such a major change.
What does this mean for customers? A practical guide on what to do next
So, the big question everyone's asking is: "I was caught up in this mess, what am I supposed to do now?" The fine has been issued, and the bank pays it (it's not pocket change), but you have rights. Here's a quick rundown of the situation and how to navigate it:
- Is the damage already done? For many, yes. If you were transferred, you've already experienced the change in terms and conditions. The Garante acknowledges this as a significant "inconvenience."
- Can I go back? This is the key point. You need to check if, at the time of the transfer, you were given a clear and straightforward way to opt out. Given how the communications were handled, it's highly likely many customers couldn't make an informed choice. In principle, this kind of change should be based on your conscious decision.
- What should I do now? If you're one of the 2.4 million people affected, keep your eyes peeled. Consumer protection associations are already looking into it. You might be entitled to compensation, or at the very least, you could request to be moved back to the original terms with Intesa Sanpaolo (the parent company).
Isybank: A million customers and an uncertain future
Despite this controversy, Isybank is a real entity. By early 2026, it had already surpassed one million customers and aims to double that by 2029. It's a "cloud-native" bank, a product of its time, built to compete with fintech companies. But this €17.6 million fine is a serious blow to its reputation. While the financial penalty is a one-off, rebuilding trust is a whole different ball game. And trust, as they say, is like glass—once it's cracked, it's hard to make it whole again.
When determining the amount, the Garante considered the enormous number of customers affected and the severity of the violation. They also took into account that the bank cooperated and that the conduct was deemed "negligent" rather than "willful" (meaning they didn't set out to break the law, but they acted with considerable carelessness). It's a bit like saying, "You made a huge blunder, and it's going to cost you."
Ultimately, this story isn't over yet. The bank can appeal the decision to Italy's Regional Administrative Court (TAR). As for you, dear account holders, the best thing to do is stay informed and vigilant. The lesson here is simple: when you get a message from your bank, even if it's buried in some virtual folder in the app, read it. And if something doesn't feel right, now you know the Garante just might be on your side.