It should be noted that also storing a hash of your password in keypad-compatible format (if you're right about this) significantly reduces the search space for a potential brute force attack. It also seems they don't allow special characters, which is a further reduction. I'm not sure that a robo-caller is the most efficient way to steal a bank password, but it is certainly possible.
Of course, the cynic in me says that they are storing an encrypted, as opposed to hashed, version of your password. But one can hope!
These two rules seem to further support my theory of what they are doing:
* Must not contain more than 4 sequential digits (ex: 1234, 76543)
* May contain the following special characters: "%'()+,-/:;<=>?\ ^_|
For a 12-character password, a computer with 2 decent GPUs (16000M hash/sec for MD5) can crack the numeric password in just over a minute. Once that's known, the real password can be recovered in around 25ms.
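The search-space arithmetic behind the comment above, as an added example that is not part of the thread: it shows how much a stored keypad-digit hash shrinks the work factor protecting the full password. The keypad layout, the case-insensitive letters-and-digits alphabet, and the sample password are assumptions; the hash rate is the figure quoted in the comment.

```python
# Added illustration. Alphabet and keypad layout are assumptions, not the bank's rules.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}
HASH_RATE = 16_000_000_000  # 16000M MD5/sec, the figure quoted in the thread


def to_keypad(password: str) -> str:
    """Map a password to the digits a phone keypad would send (case-insensitive)."""
    out = []
    for ch in password.lower():
        if ch in "0123456789":
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"no keypad mapping for {ch!r}")
    return "".join(out)


def preimages(digits: str) -> int:
    """Count the letter/digit strings that collapse to this digit string."""
    total = 1
    for d in digits:
        # Each position is one of the letters on that key, or the digit itself.
        total *= len(KEYPAD.get(d, "")) + 1
    return total


def compare(password: str) -> dict:
    """Work factor with and without a separately stored keypad-digit hash."""
    digits = to_keypad(password)
    n = len(password)
    stage1 = 10 ** n            # every digit string of this length
    stage2 = preimages(digits)  # only strings consistent with the known digits
    direct = 36 ** n            # a-z plus 0-9 when no keypad hash exists
    return {"digits": digits, "stage1": stage1, "stage2": stage2,
            "direct": direct,
            "two_stage_seconds": (stage1 + stage2) / HASH_RATE,
            "direct_seconds": direct / HASH_RATE}


if __name__ == "__main__":
    # "correcthorse" is a constructed 12-character sample password.
    for key, value in compare("correcthorse").items():
        print(f"{key}: {value}")
```

For the 12-character sample, the two stages together take about 62.5 seconds at the quoted rate, while the same alphabet without the keypad hash needs 36^12 guesses, roughly nine years.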
If you try to log into your bank with PASSWORD instead of password, does it work? They could be converting your password to numeric as a first step to using it for anything.
They could be using some kind of format-preserving encryption, but then they would have needed an unhashed version of the password to generate this "phone input" field.