There's a point, and a non-point to it.
Banks are big on this "due diligence" thing. That's understandable, but at the same time a vivid illustration of both how poorly they understand technology and how ineffective the resulting use of "IT security" services is. The latter itself is the art and science of filling holes in Swiss cheese with Easy Cheese and declaring the result "better". Yeah, well, no. It's not very scientific, nor is it very systematic, so overall use is low and ROI is necessarily low.
So why are banks doing it? Because they don't know better and because there's little else on the market. Shame on them, but more so shame on us, the IT crowd. We're not doing our homework. Can't really blame the banks for that. We can't say we didn't know, as it's been pointed out repeatedly, like by the late Edsger W. Dijkstra when he was still alive, and he's been dead for a while. Should've paid attention before he died, we should have.
The other thing that banks are big on is backing their guarantees with money. That's how CCs work: the _only_ security feature that means anything at all in the entire system is that the customer gets money back, guaranteed, at the cost of the merchant. No skin off the card company's nose. I think that's rather skewed. But banks understand money and they can calculate the tradeoff to the nearest cent, so they can build a business on it. Too bad that's all they can do, as they're leaving a lot of efficiency on the table.
I don't think banks will really mind two-factor auth. They wouldn't mind three factor auth. It's just another calculation for them. For everyone else, however, it gets more and more troublesome. So this is actually quite the short-sighted thing to propose. And it doesn't do much to prevent other holes in banking websites. I think there are better ways to improve security than mandating more money go to the likes of RSA. Have they figured out whether their two-factor dongles did or did not get compromised yet, by the by?
So I'm not very inclined to think that these MPs managed to think through their criticism very well, actually. Personally I'm much more inclined to approach the whole thing a different way. You can't really blame banks for the software running on the client's computer, or even for the shoddy OS it runs on, which might be infected to boot. Of course, the demarc being inside the browser makes this an... interesting exercise. So instead we might try and come up with a demarc like the one imap or smtp offer. You know, an open protocol, allowing anyone to write banking apps, putting the responsibility with the writer. There are numerous avenues to do this and you don't have to restrict yourself to just one. And yes, I'd be interested to work on that. The bottom line, however, is that just bleating "all y'all hafta do better now, y'hear?!?" at a bunch you already know don't really know better, as their money couldn't buy it, isn't going to help much. So someone else will have to supply the clue. Who you gonna call?