They are _only_ used for security, and now that it's "memorable name", it's not false information anyway. If the bank were using it for any other purpose, such as a credit check, that would be a different matter, and quite well might not be legal.