Re: Banks, Stop Ignoring The Obvious....
Disclosure: I have worked at a bank during the last five years.
The "you can't revoke your fingerprint" argument is valid up to a point. You need to take into account that it's much more difficult to replay an intercepted backend tokenised version of, say, a fingerprint, because the attacker needs to already be in the bank's internal auth network - in which case fingerprint replay is the least of their problems. Yes I know, gummi bears, but those attacks are implementation details.
As far as regulation goes, then as a security grunt down in the trenches I say bring it on. The levels of compliance monitoring in banks are, well, from my experience they're what you'd want them to be: stringent, independent, comprehensive. People still do bad things, no doubt, but the cost is much higher (because of the need to evade compliance) and anyone doing it should be under no illusion that they're in serious trouble if/when caught. If the FCA or PRA regulated for mandatory security controls (even just Cyber Essentials compliance, for instance, that's a lot less noddy than you might expect - have a look at the requirements) -- banks would moan and groan, but they'd do it. Or, at any rate, more of THEM would do more of IT, if such regulations were introduced.