This is a fascinating area. I think your point about banks needing to think about their reputational capital is well made - there’s a potential temptation for banks to use the new technologies to transfer the risk of fraud from themselves onto their customers - e.g. the old cases of phantom withdrawals where some banks actually brought prosecutions against their customers rather than believe their systems could be at fault.

Or to take a more topical issue - the concept of identity theft itself a way of framing discussions about risk. If someone uses my personal details to login to my online account then saying that I’m a victim of identity theft neatly shifts the problem onto my plate in terms of proving I didn’t spend the money. From the consumer’s point of view it would be better to say that the bank has been defrauded by an impersonator and that they need to tighten their authentication.
(Bruce Schneier has written quite a bit about the idea that liability for a problem should follow the party that has the ability to reduce or remove the vulnerability to that problem).

At the moment I’m not sure (as an online banking user) where my liability begins and ends - particularly as my current bank doesn’t have any further validation of transactions once you’ve logged in. More here on two factor vs two channel authentication - as you say, it’s not clear why this sort of thing is taking so long to implement (lots of other good things on that site - it’s the The Cambridge University Computer Lab Security Group’s blog).

I also recommend the personal site of Prof Ross Anderson who leads that group - he used to work in banking, and he has lots of interesting research into what he calls information security economics - ie trying to model the security of a system from the incentives of the principals who use or abuse it.