Banks are always facing a trade-off between security and regulatory accessibility requirements. A former employer offered ~10 different ways to perform step-up authentication for high risk activities to avoid getting slapped with fines.
Then again "regulatory accessibility" has little to do with usability. You can have an 11 step process which works with a screen reader and is still hell.
