[pmjordan]

And the penalty for typing in the wrong PIN at an ATM is presumably a lot higher than providing the wrong PIN on their website, which means the feasibility of a brute force attack (which is what password complexity is all about) is entirely different.

[ldite]

No; 3 incorrect PIN entries on their website locks you out, and you have to get a reset. DoS of other people is made harder by also needing a customer number to login.