
Password Complexity Requirements

Currently any user in Sage, including the admin, can use the password "sage" or any other insecure combination of letters.
Can I request the ability to enforce password complexity, as this is a requirement for Cyber Essentials accreditation and ISO 27001?

  • I'm not saying it is a valid reason, just pointing out that it's more of a tick-box exercise to get a "get out of jail free" card for the enforcer[1] that is actually likely to decrease security.

    [1] As the enforcer will say "I've enforced a specific security, therefore if someone has breached security using your credentials, it must be your fault"[2].

    [2] One of the banks I use asks me every time I make a transfer[3] to click "I agree to take the risk as I don't think it is a scam". This is ridiculous as I regularly pay bills that way, and it becomes an automatic click-without-read Pavlovian response, just like the hated Vista User Account Control requiring far too much click-to-allow before anything much could be done.

    [3] Another of the banks I use came up with an "Are you sure this isn't a scam" warning when paying council tax, despite the bank in question actually giving me the council's bank details when I set up the payee; perhaps they knew more than the rest of us, seeing as that council is now in financial trouble...

  • Nice spot, I did not see that one, but surely saying that people may write them down is not a valid reason to not implement the feature if it's a regulatory requirement?

  • See also: