
From the customer's perspective everything has been supplied to them.

However, from the bank's perspective, of their supply chain, the component shown to a customer has not been handled by them: they never received it, to supply it.

At best they can order a copy of it for quality assurance purposes and hope it is identical to what the customer will receive.

Instead, their web page sends an order to the third party for delivery (script src tag refers to a foreign location) and crosses their fingers that all will be good.

There are mechanisms to reduce delivery chain risks, such as SRI, but they were not used.


