this suggests the compromise may not be exploitation of his equipment, a firmware exploit may be a possibility, but i would put my bets on the banking infrastructure being exploited
"Wipes it every few weeks" probably means he has his data on a flash drive or external hard drive that he plugs in everytime. Of course it's probably far simpler than that~insider threat at the bank committing Wells Fargo style upsell fraud or simply password reuse.