As an EU citizen, I'm more familiar with GDPR. I recall seeing that there were similar requirements in the US, but it may have just been California's CCPA.
The GDPR says no such thing. I can guarantee you that if the bank or any institution that has any financial dealings with you suspects you’re doing something illegal based on an automated system, they are going to lock you out first and then investigate.
Article 15 and article 22. Look it up if you're interested. They can automatically lock you out, but they are obligated to send you all the data they have about you, including whatever data caused their automated system to lock you out, and they are obligated to manually review automated lockouts.
Edit: Here's the intro to article 22:
> The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.