It is the banks fault if they allow non-reversible, weird or large transactions without a secondary authorization capability.
The bank’s bad processes are not an end device fault.