It's understandable; I would maybe expect to undergo an extra step in verification for a sensitive app like, "we noticed this is the first time you are using this system that is not locked down; please type in the token we have mailed you".

But locking users out (which may not directly be the bank's fault for relying on OS's security APIs) seems anti-competitive.