Only problem: if a user (A) signs up for signal and then uninstalls, the phone number is still tied to the signal app. This means that a signal user (B) now can't get messages to user A. The messages gets delivered to a dead signal account. User A must manually deactivate her account, which she is not even informed about when deleting. Also: if user A has her number trabsferred too somebody else (which is often the case with e g work phones) her account is now owned by a random person.
Gdpr demands more of bigger organisations. Because those organizations have the capability and thus responsibility to make sure gdpr is followed. The same could be asked in this case. The big bank is better equipped to catch dirty transactions. Thus they should maybe be penalised according to size.