If you've ever done an international wire, you know there's the form question "What intermediate bank to use". So at least the same if not less middlemen apply.
Everyone saying "muh GDPR" has no clue none of it applies to financial transactions.
To get a PSD2 "Open Banking" license one needs to KYC every user and keep every transaction that passes through the system, for 5 years, including the KYC data.
Being PSD2 licensed doesn't even make you a bank. Just imagine what an actual bank has to keep around...
Also every business has to keep invoices and transaction data around for tax audits, usually 7 years. So you can GDPR delete request all you want, but the shop where you bought that thing still has to legally know you've bought it.