Evo, don't know which bank your friend was with, but mine has a two stage login process.
The first is the normal username/password sequence, the second stage asks me to supply specific characters from a previously chosen phrase - eg something like the 2nd 4th and last characters of an n character long word or phrase.
My wife's bank - a different one - also has a very similar system.

This means the details cannot be captured by a keylogger unless it observes at least 9 or maybe more logons.

Maybe your friends bank is negligent in not providing a more secure logon, or maybe the thief got the data some other way?