Forum Discussion
Better n'th character and m'th character handling. It's bad having to show pwd in big text.
Excellent to see this advice being actively promoted.
When you write your next letter, it would be marvellous if you could also encourage them to at least OFFER (if mandating is too intrusive) support for MFA via FIDO2 / WebAuthn hardware tokens such as YubiKey.
Far too many banks have decided to meet EU security legislation by implementing the weakest form of MFA, i.e. by sending texts, which, as you know, are not even remotely secure. It would be laughable if the subject was in any way funny.
I find it staggering that these large institutions with vast IT resources are so completely hopeless when it comes to implementing modern security frameworks. One of my banking customers in a former life had 1000s of user licenses for their analytical risk management software, so they seem to take that seriously. But when it comes to retail banking and the need to keep their customers secure, they are relying on SMS messages for 2FA??? Bizarre.