Keyloggers would be considered a form of fraud, right? Customers can be protected by not allowing rooted phones which may contain malware and steal credentials, but then again Windows is a nightmare for security and nobody is banning banking from Windows.

Right, but you don't need a rooted phone to keylog someone. You can just ask their password over the phone, and people do, and it works. Or, you can install a plethora of perfectly legitimate remote access apps available on the play store.