There are new PCI-DSS guidelines. Whilst they relate to payment processors, I don't think it's unreasonable for us to expect that a Bank's account login page would observe the relevant ones as a matter of best practice https://twitter.com/bentasker/status/1514278968882610191/photo/1