Yeah I have a feeling that this would break some laws depending on where the user is. I'm pretty sure a company just being given personal banking info without direct consent or permission would be a big issue here. Purely speculating as I've never had or heard of it happening but considering these days we have to open our banking apps and verify its use on the app to simply pay for stuff on websites here now, I have to assume it wouldn't be something that would be allowed.
Pretty fucked up, especially as I've had cards expire and not updated them purely because of fuckery with details being stolen and not trusting the company with them again.
Edit: In fact earlier this year I had an alert one of my credit cards paid for something at near midnight. A credit card I rarely used and only had online at a few places in the past. I immediately called the company and had it cancelled and a new card sent to me. That card arrived 3 days later, entirely new credit card number (in the UK credit card numbers don't always change when a replacement is sent after one expires as that's what your account number is, you just get a different expire date and security code on the back).
2 days after that, on a card at that point I'd never even used a single time, I got a fraud alert asking if I tried to buy something. Again I called my company who were so confused how they would have gotten the brand new number considering I hadn't used the card a single time anywhere. They were so confused that they not only sent me another new card, they outright sent it with a new pin number separate in the post like a brand new customer has and it needed to be activated again like a new customer for them. I don't think they'd be open to just handing details over like that to a company based on how confused they were when the first replacement got used again.