Tracking from bank or both? Anyways, in Latvia we have similar system and it is a convenient way to authenticate within services where you MUST prove you are person X.Y.Z.

For example, some electric company, if you auth via this method, will provide you with contracts, electricity usage graphics for all the sites you own and and other info you must access as a customer. Same goes for recycling company. These usually provide a way to register using email matching whatever email you had in contract (thus linking to real person anyway)

And then for other services where you request some data electronically that they must "register" each request. For example request some extended data on land/house ownership. You can't have that with non-real-life identifiable entity.

So usually login via bank is an login option with companies you either have juridical relationships or you must provide real life identity where you would otherwise have to show passport in real life.

We have GDPR and consumer focused regulators in the EU. Our governments are actually out to protect citizens from corporate malfeasances, as opposed to either ignoring it, or out right enabling it.

If a company abuses this data, you have strong forms of recourse available to you as a citizen, and banks are incentivised to remove bad actors, to ensure they don't become embroiled in enforcement action triggered by a 3rd party.