Banks in the UK take partial liability for their customers succumbing to scams, and refund lost funds unless customers go out of their way to ignore warnings.
Loss of control of devices is undeniably part of the scam lifecycle. Faking and intercepting messages from banks is a large part of that. An antivirus needs global permissions.
All of that being true, you don't have to be a contortionist to understand why they might want to lock down client devices as far as they can. Google happens to offer them an easy method.
Why should a bank ever be able to dictate what the user does with their device legitimately? They can't do so on the web through browsers, that is fine, why are we excusing this on phones?
Next up, banks will start requiring our MDM enrollment? Is that equally understandable? Where do you draw the line?
It's unnecessary and intrusive to apply these methods unconditionally and on everyone.
> Why should a bank ever be able to dictate what the user does...
I'll deliberately answer early: because they're on the hook for your mistakes.
Your bank dictates security terms. This isn't new. They can demand you appear in person with multiple forms of identification. They can demand (and have demanded) that you use 2FA hardware they provide. They can withdraw service if they think you're a risk to their business.
If I suddenly found myself with billions in potential liabilities, I'd do absolutely everything to ban footguns. Apps with system access installed from insecure sources. Yeah, no thanks.