Gwyn looked at a three-month period in 2016/17, including 13 requests to banks for voluntary disclosure.
"Very intrusive requests were at times made when the SIS should have tried to obtain a warrant to require the banks to provide the information," Gwyn said.
"Many of the letters sent to banks should have been clearer that they were requests for 'voluntary' disclosure. Some of the past collection by the SIS would have constituted unreasonable searches contrary to the Bill of Rights."
Since then the Intelligence and Security Act (ISA) has been enacted, and Gwyn said the new law had resolved some of the issues identified in the report.
The ISA has three mechanisms for obtaining information: voluntary requests under clear requirements, warrants, and Business Records Directions, which can compel banks and telecommunications companies to provide information for security purposes.
Gwyn made three recommendations, including a requirement for the SIS to develop a coherent framework for how the three mechanisms interrelate.
In a statement, the SIS accepted the recommendations and said they had all either been implemented, or are being implemented.
The Minister responsible for the SIS, Andrew Little, said he was satisfied that the ISA had now cleared up the process.
He said there had been some dispute over the legality of the historical cases, because the Privacy Commissioner had said that the SIS was exempt from many parts of the Privacy Act.
SIS Director-General of Security Rebecca Kitteridge gave assurances that the historical requests were for information relevant to national security matters.
"An example of when this type of information could be useful would be if we were tipped off that an individual could be looking to travel to join ISIL.
"We could look at their bank account and [see] if they have the funds for an airline ticket, if a ticket has been bought, or if for example they are selling off assets in a way which would suggest they were preparing to leave the country.
"Another example could be if we were concerned that an individual would be planning a terrorist attack. We could look at their account to see if they are in fact buying items of concern."
Kitteridge said the SIS existed to keep New Zealand and New Zealanders safe.
"To achieve our mission we are legally allowed to exercise some intrusive powers – but we don't do this lightly. Everything the SIS does needs to be proportionate and in accordance with New Zealand's laws and human rights obligations."
She said the 2018 annual report will include the number of Business Record Directions the SIS has sought.
"Our work must often be carried out in secret, but I am a big believer in transparency where possible."
The disclosure of personal information from banks has been an ongoing issue.
Banks handed information to police when it investigated journalist Nicky Hager and his Dirty Politics book, for which police apologised and paid Hager "substantial damages" after the unlawful search of Hager's home.
Police had wrongly used an exception in the Privacy Act to access 10 months of Hager's banking data from Westpac.
Gwyn also recently released a review of the first nine months of warrants granted under the new ISA, and Raised questions about the legal basis relied on by the GCSB to carry out electronic surveillance operations.
