Here in the US, in theory, the physical servers (and their SAN backends) should be blanked, but if not and the data passes through to another party, that party holding the servers owns that data free and clear. A bank's private records could be available as a torrent,
If the bank is adhering to regulations and standards, all the sensitive data such as account numbers should be encrypted at rest.
Preferably, all data in the vault should be stored with a storage-layer encryption on top of that, such that only the legitimate client can operate on the data.
For anything that needs to be processed onsite --- hardware security modules should be used to decrypt data on the fly.
The bank should have legal ownership of the authorization tokens required to operate the hardware security modules, and perform decryption tasks on the bank's data.
There should be a third party required to supervise administration of the hardware tokens required to authenticate to the HSM, and ensure that the tokens and HSM units remain secure at all times, and are operated only with continuing approval of the tenants.
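The layering described in this post (records encrypted at rest under a per-record key, that key itself usable only through an HSM the tenant controls, and the tenant able to withdraw its approval) as an added Go example that is not part of the original post or any product the poster refers to. The HSM is simulated by an in-memory struct (`Hsm`) with a revocable `authorized` flag; `EncryptRecord`, `DecryptRecord`, the context label and the sample record are constructed for this illustration. The point it shows is that the blob left on a hosted server's disk or SAN is ciphertext plus a wrapped key, which is worthless to whoever ends up holding that hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// mustRand returns n bytes from the OS CSPRNG (panics only if that RNG fails).
func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Hsm stands in for a hardware security module the bank controls. Assumption for
// this example: the KEK is an in-memory value callers can never read directly.
type Hsm struct {
	kek        []byte
	authorized bool // the tenant's continuing approval; revocable
}

func NewHsm() *Hsm { return &Hsm{kek: mustRand(32), authorized: true} }
func (h *Hsm) Revoke() { h.authorized = false } // withdraw tenant approval

// seal is AES-256-GCM with a fresh random nonce prepended to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := mustRand(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a wrong key, wrong aad or tampered blob is an error.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, errors.New("unseal: bad key or truncated blob")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Wrap encrypts a per-record data-encryption key (DEK) under the KEK.
func (h *Hsm) Wrap(dek []byte) ([]byte, error) { return seal(h.kek, dek, []byte("dek-wrap")) }

// Unwrap is the only path from a stored record back to plaintext, so approval is enforced here.
func (h *Hsm) Unwrap(wrapped []byte) ([]byte, error) {
	if !h.authorized {
		return nil, errors.New("hsm: tenant approval revoked")
	}
	return unseal(h.kek, wrapped, []byte("dek-wrap"))
}

// Record is what lands on the hosted server's disk or SAN: ciphertext plus a wrapped DEK.
type Record struct{ WrappedDEK, Ciphertext []byte }

func EncryptRecord(h *Hsm, plaintext, aad []byte) (*Record, error) {
	dek := mustRand(32) // fresh key per record; never stored unwrapped
	ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := h.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func DecryptRecord(h *Hsm, r *Record, aad []byte) ([]byte, error) {
	dek, err := h.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, r.Ciphertext, aad)
}

func main() {
	bank := NewHsm()
	aad := []byte("account-record:v1") // constructed context label, bound into the ciphertext
	rec, err := EncryptRecord(bank, []byte("acct=12345678 balance=100.00"), aad) // constructed sample
	if err != nil {
		panic(err)
	}
	pt, _ := DecryptRecord(bank, rec, aad)
	fmt.Printf("bank via its own HSM: %s\n", pt)
	_, err = DecryptRecord(NewHsm(), rec, aad) // whoever holds the disks has some other KEK
	fmt.Println("holder of the disks, no bank KEK:", err)
	bank.Revoke()
	_, err = DecryptRecord(bank, rec, aad)
	fmt.Println("after tenant revokes approval:", err)
}
```

Running it prints the decrypted record once, then an authentication failure for the party that only has the stored bytes, then the revocation error once the tenant's approval is withdrawn. A real deployment would replace the in-memory `Hsm` with calls to the bank's own module and put the third-party supervision the post asks for around who may flip `authorized`; the on-disk `Record` format does not change.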