All true, but if the third party receives a delete request from you, they have to oblige (and may notify the bank). Otherwise it would be very easy to circumvent the law by saying "oh we're just keeping it for another customer, we're going to send it to them next year maybe". And that customer will say they need it for another customer etc.

Privacy law (in your case GDPR) does not concern with who's customer. If a company processes PII -- they are subject to the privacy laws.