But of course there is multilayered security
Layer 1: whatever login security the bank has used
Layer 2: denying a problem exists
Layer 3: the ability to blame whoever they bought their systems off
Layer 4: the ability to offload risk and/or costs to the bank customer
How many more layers do you need? I'm sure they feel pretty safe under that lot.