It should be noted that by also storing a hash of your password in keypad-compatible format (if you're right about this) is that it significantly reduces the search space for a potential brute force attack. It also seems they don't allow special characters, which is a further reduction. I'm not sure that a robo-caller is the most efficient way to steal a bank password, but it is certainly possible.<p>Of course, the cynic in me says that they are storing an encrypted, as opposed to hashed version of your password. But one can hope!
If you try to log into your bank with <i>PASSWORD</i> instead of <i>password</i>, does it work? They could be converting your password to numeric as a first step to using it for anything.
They could be using some kind of format-preserving encryption, but then they would have needed an unhashed version of the password to generate this "phone input" field.