
What is the solution to these issues? Banking has always been on a very old tech stack.


The technical fix to this exact issue is to remove, or SRI and review, third-party code. None of these features are a must-have requirement for online banking.

However, the breadth of this problem indicates the fix is bigger, or else this will just pop up again without being noticed, and it should be tackled from two directions.

Technically: in the context of non-repudiation, web browsers are insecure for users. Significant user requests (make a payment, consent to terms, etc.) are not stored client-side, not signed, and, were a user to discover an audit log feature, there is no distinction between what JS did and what a user did. This should and must change for the web to evolve to protect users.

Business: the failure across most of the banking sector suggests that all who should be holding the banks to account (shareholders, creditors, regulators, customers, etc.) are failing to monitor the banks and, given there has been prior warning of this for some (regulators), failing to act. If a third party uses their remote access to hack customers, then I'm sure they will react, but that may be too late. When we want security in our physical environment we have watchdogs whose responsibility is not just to react, but to proactively monitor the environment: spotting that the river has chemicals in it. Banking is significant enough that it probably needs a watchdog tasked with specific objectives regarding information security.
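The "SRI and review" fix proposed in the reply above, as an added example that is not part of the thread: a Python helper (the vendor URL and script body are constructed) that computes the Subresource Integrity token for an audited third-party file, emits the pinned tag, and mimics the browser's check so that a later change to the hosted file is detected. It also shows the caveat that an integrity attribute with no recognisable token disables the check rather than failing closed.

```python
import base64
import hashlib
import re

# Constructed sample: the body of a third-party script as reviewed and approved today.
SCRIPT_BODY = b"window.analytics = function () { /* vendor code */ };\n"

_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ('<algo>-<base64 digest>') for a resource body."""
    if algo not in _STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build the pinned <script> tag; crossorigin is required for cross-origin SRI."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def integrity_matches(integrity_attr: str, fetched_body: bytes) -> bool:
    """Mimic the browser: keep only tokens of the strongest algorithm present and
    accept if any of them matches. No parseable token means no check at all, which
    is why a typo in the attribute must be caught in review, not relied on to block."""
    tokens = re.findall(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)", integrity_attr)
    if not tokens:
        return True  # browser behaviour: empty metadata set -> resource is allowed
    strongest = max(_STRENGTH[algo] for algo, _ in tokens)
    return any(
        sri_hash(fetched_body, algo) == f"{algo}-{b64}"
        for algo, b64 in tokens
        if _STRENGTH[algo] == strongest
    )


def pinned_tag_still_valid(tag: str, fetched_body: bytes) -> bool:
    """Re-check a previously emitted tag against a freshly fetched copy of the script."""
    m = re.search(r'integrity="([^"]*)"', tag)
    return integrity_matches(m.group(1) if m else "", fetched_body)


if __name__ == "__main__":
    tag = script_tag("https://vendor.example/analytics.js", SCRIPT_BODY)
    print(tag)
    print("unchanged:", pinned_tag_still_valid(tag, SCRIPT_BODY))
    print("modified: ", pinned_tag_still_valid(tag, SCRIPT_BODY + b"// changed"))
```

Re-running `pinned_tag_still_valid` against each fresh fetch of the vendor file is the monitoring step the reply asks for; a `False` means the hosted script changed after review.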



