
BMO, Bank of Montreal uses these along with a security phrase. It's absolutely ridiculous that this is mandated by some standard, but there is no guidance on password strength itself. BMO has a strict only 6 characters (no more, no less) policy. Oh yeah, before anyone asks: No numbers, no special characters. Choosable by the customer when opening the account.


I find password restrictions often prohibit good but unconventional password models, like the "actual phrase for a passphrase" crowd. I think the possibility of an online brute force should already be near-zero for banking apps, and if an offline brute force attack can be conducted, it's likely that a) your password isn't going to matter much anymore and b) the typically arbitrary password requirements set up by the site aren't going to do much to stop any significant GPU-based hash attack.

The issue is that most people rely on memory to store passwords. Any term that is memorable and meets most online password "standards" is short enough for an offline brute force to break pretty quickly, especially if the attacker has some decent resources. The answer to this is "real phrase" passphrases, but many sites with password rules won't allow these.


Also, per xkcd, et al., rate limiting login attempts on a per-user and global basis significantly increases the difficulty of brute-forcing access even given password frequency lists.
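The per-user plus global rate limiting this comment describes, applied to the keyspaces mentioned in the thread, as an added example that is not part of the original discussion. It assumes a sliding-window limiter with 5 attempts per account and 1000 site-wide per hour (hypothetical numbers), lowercase letters only for the 6-letter policy, and a constructed sequence of login attempts.

```python
"""Per-user and global login rate limiting, plus the brute-force arithmetic
behind the 6-letter and 6-digit policies discussed in the thread."""
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter: at most `per_user` attempts per account and
    `global_limit` attempts across all accounts within `window` seconds.
    The global cap catches low-and-slow guessing spread over many accounts,
    which a per-user cap alone would never trip."""

    def __init__(self, per_user=5, global_limit=1000, window=3600):
        self.per_user, self.global_limit, self.window = per_user, global_limit, window
        self._user = defaultdict(deque)   # account -> timestamps of allowed attempts
        self._all = deque()               # timestamps of all allowed attempts

    @staticmethod
    def _prune(q, now, window):
        while q and q[0] <= now - window:  # drop attempts older than the window
            q.popleft()

    def allow(self, user, now):
        """Return True if an attempt by `user` at time `now` may proceed.
        Denied attempts are not recorded, so the window does not extend itself."""
        self._prune(self._all, now, self.window)
        self._prune(self._user[user], now, self.window)
        if len(self._user[user]) >= self.per_user or len(self._all) >= self.global_limit:
            return False
        self._user[user].append(now)
        self._all.append(now)
        return True


def keyspace(alphabet_size, length):
    """Number of candidate secrets for a fixed-length, fixed-alphabet policy."""
    return alphabet_size ** length


def hours_to_exhaust(space, attempts_per_hour):
    """Hours an online guesser needs to try every candidate at the allowed rate."""
    return space / attempts_per_hour


def demo():
    lim = LoginRateLimiter(per_user=5, global_limit=1000, window=3600)
    # Constructed sequence: 7 guesses against one account, one per minute.
    allowed = [lim.allow("alice", t) for t in range(0, 420, 60)]
    return {
        "allowed": allowed,                        # first 5 pass, last 2 are refused
        "six_letters": keyspace(26, 6),            # assumption: lowercase a-z only
        "six_digits": keyspace(10, 6),             # the "one million combinations"
        "six_digits_hours": hours_to_exhaust(keyspace(10, 6), 5),  # at 5/hour/account
    }
```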


My bank (BNP Paribas in France) has an even worse policy: 6 digits. No more, no less. They try to prevent phishing attempts with mouse-based PIN entry, require you to change the password every so many logins, but the fact remains: there are only one million possible combinations.


> BMO has a strict only 6 characters (no more, no less) policy.

At what point can you start suing for negligence of proper precautions protecting your money?


IIRC, most of these banks have insurance to cover that case, so in theory you shouldn't lose any money provided you notify them in a timely manner of unauthorized transactions.


This is an absolutely critical point that often gets missed in discussions of online banking.

It is extremely rare that customer money is at stake when it comes to banking website security. If someone guesses your password and empties your account, the bank will cover the loss--same as if someone held up the teller with a gun.

Online banking security measures--and the regulations that govern them--are more about helping/forcing banks to mitigate the financial risk to themselves, not to their customers.



