If someone tries to hack a bank account, or any system at all through the website login system, then it is due to they at least have partial information about the account.
There is no one who would try to brute force something unless you know you have at least one valid entity. I.e. username, bank account number etc. Else you just don't know which one is throwing the failure.
If you stop for a second, and think about how you explained the password phrase work, you will see that there is no way it can be stored hashed, as that is a one way encryption. I.e. you would need to enter the entire password phrase each time, instead of a section of it.
The major issue with this one is that they protect the account with the "password phrase characters", this is so your information is not captured and allowing someone else to login to your account. But the problem is that if someone is able to capture the information once, they just need to wait for you to access the bank account several times and the chance for them to be able to successfully login is quite large.
Today, there is trojan horses which help criminals to even do money transfers from banks which use RSA keys for protection, which is a much more delicate process, since the lifespan of the RSA keys.
Personally, I would not even use online banking unless they use a RSA key system, or at least onetime key based system (i.e. codes on a paper) which is applied both when you login, but also to approve every transaction.
This can be a good idea, assuming that your member group has access to a mobile phone that support the app. Though you can be using normal RSA key generators, they have actually became quite inexpensive the last few years.
Though, for a normal membership website, it might be overkill due to the extra steps the users need to take to login.
Also keep in mind, if the database is breached and they get the RSA ids (which is used to know what key is generated per user) then this security layer is broken, due to that its best to encrypt the id stored on the server side per user.