[garethm]

That is kind of true - ING do call it a PIN. The thing is that all I can do with the PIN is to log on to their online banking site. That makes it a password in my opinion.

If I want to use my card at an ATM say, they require me to use a different PIN.

[pmjordan]

And the penalty for typing in the wrong PIN at an ATM is presumably a lot higher than providing the wrong PIN on their website, which means the feasibility of a brute force attack (which is what password complexity is all about) is entirely different.

[ldite]

No; 3 incorrect PIN entries on their website locks you out, and you have to get a reset. DoS of other people is made harder by also needing a customer number to login.