
Any bank that's remotely sane with regard to website security (probably rather few of them) doesn't do this at all and uses standard forms of 2FA. This one doesn't even protect against keyloggers, because they can combine the characters from multiple logins to get the full password (guessing the remaining ones if necessary) and because the password might be reused somewhere else, and they try this at the expense of user convenience (counting characters is annoying) and security in the event of a leak involving password hashes (if they hashed them at all).
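An added example, not part of the comment above: a risk estimate of how quickly partial-password prompts expose the whole password to anyone who observes repeated logins. The password length, the number of characters requested per login, and uniform random position selection are assumptions; the comment gives none of these.

```python
import random

def expected_fraction(length, k, n_logins):
    """Closed form: one challenge misses a given position with prob 1 - k/length."""
    return 1 - (1 - k / length) ** n_logins

def coverage_after(length, k, n_logins, trials=20000, seed=1):
    """Monte Carlo estimate of the mean fraction of positions exposed."""
    rng = random.Random(seed)
    exposed = 0
    for _ in range(trials):
        seen = set()
        for _ in range(n_logins):
            # Assumption: the site asks for k distinct positions, chosen uniformly.
            seen.update(rng.sample(range(length), k))
        exposed += len(seen)
    return exposed / (trials * length)

def logins_until_full_coverage(length, k, rng):
    """Number of observed logins until every position has been requested once."""
    seen, logins = set(), 0
    while len(seen) < length:
        seen.update(rng.sample(range(length), k))
        logins += 1
    return logins

def mean_logins_to_full(length, k, trials=20000, seed=2):
    """Average of logins_until_full_coverage over many simulated accounts."""
    rng = random.Random(seed)
    return sum(logins_until_full_coverage(length, k, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    LENGTH, K = 10, 3  # constructed parameters, not taken from any real bank
    for n in (1, 3, 6, 10):
        print(f"{n:2d} logins: closed form {expected_fraction(LENGTH, K, n):.3f}, "
              f"simulated {coverage_after(LENGTH, K, n):.3f}")
    print(f"mean logins until every position was asked: "
          f"{mean_logins_to_full(LENGTH, K):.1f}")
```

Under these assumptions most positions are exposed within a handful of logins, which is why the scheme is no substitute for a second factor that is not typed on the same device.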


