Reply to post:

What went wrong at Tesco Bank?

Law

I work for a company that sells medical instruments internationally - the biggest driver for being secure, and having a strict quality process, isn't the threat of fines; it's the threat of losing their certification - and therefore being unable to sell instruments in various regions. To keep these certifications we have regular audits.

So rather than just giving these banks big fines when a breach happens - set up audits, make banks stick to minimum (but high) levels by setting data protection standards for user information and secure systems. Those standards should lay out minimum levels of protection (2fa, salted hash encryption for passwords etc) for accessing accounts through apps and storage of user data internally. If companies are audited and their mobile/websites/internal systems don't live up to these user protection standards then take away their ability to do business within the UK/EU.

If a company screws up, then it's not just a fine that'll be passed on to the victims of said breach (the customers) - it's the company's ability to make money that's put on the line.

I'm not in the finance industry - so no idea if they already do this... seems like they don't, since Barclaycard also do the "first, third letter of your password" style of login. Not to mention the laughable Verified by Visa system.
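
Editor's added example (not the commenter's code, and not how any named bank stores credentials): the comment asks for "salted hash" storage and separately mocks the "first, third letter of your password" login. The two cannot coexist, and the snippet below shows why. Passwords are stored as salted PBKDF2-HMAC-SHA256 digests in a self-describing record (the `pbkdf2_sha256$iterations$salt$digest` layout and the 600,000 work factor are assumptions chosen for the example), and verification recomputes the digest. The partial-character check, by contrast, can only be answered if the server holds the plaintext (or something it can turn back into the plaintext), so a site that offers it is not storing passwords as salted hashes.

```python
import hashlib
import hmac
import os

# Added illustration only; not code from the comment above or from any bank.
# Record layout (chosen for this example):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; tune to the hardware you verify on
SALT_BYTES = 16        # per-user random salt, so equal passwords give different records


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salt and stretch a password; return a record that carries everything
    needed to verify it later (algorithm, work factor, salt, digest)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time. Malformed records fail closed."""
    try:
        alg, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if alg != ALGORITHM or iterations <= 0:
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(recomputed, expected)


def partial_character_check(stored_plaintext: str, positions: list, supplied: str) -> bool:
    """The 'give me characters 1 and 3' login as it has to be implemented.

    `stored_plaintext` must be the password itself: a salted hash exposes no
    individual characters, so this question cannot be answered from the
    record produced by hash_password(). Offering this scheme therefore
    implies the server keeps the password recoverable.
    """
    if len(positions) != len(supplied):
        return False
    try:
        return all(stored_plaintext[p] == c for p, c in zip(positions, supplied))
    except IndexError:
        return False


if __name__ == "__main__":
    # Constructed sample credential for the demo.
    record = hash_password("correct horse battery")
    print(record)
    print("login ok:", verify_password(record, "correct horse battery"))
    print("wrong pw:", verify_password(record, "correct horse batter"))
    # Positions are 0-based here; the bank's "first, third letter" is [0, 2].
    print("partial (needs plaintext):",
          partial_character_check("correct horse battery", [0, 2], "cr"))
```

Note that `verify_password` reads the iteration count from the record rather than from the constant, so the work factor can be raised for new records without invalidating old ones; `hmac.compare_digest` avoids leaking how many leading bytes matched through timing.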
