I think it’s a bit less nuanced? If someone holds a knife to my throat and says “give me your PIN” and then they use it, I think that that is (in the UK regulator’s view) the bank’s responsibility because they defined the security standard that was used - I can’t tell my bank that I only want payments to be made when my mum is there or when I have called up the day before to pre-authorise the transaction - I just have to use whatever they offer. Ultimately, leaving the bank on the hook aligns the incentives to improve security with the organisation that actually can. Banks in the US are much slower to deal with this sort of stuff, at least in part because they don’t carry the cost of inaction.

This is a similar case - giving your PIN or biometrics under duress pushes the responsibility to the bank as the people who define that standard. The question, I think, is whether or not to redraw the line. Today, we see biometrics as “super duper strong”, and we all know of ways to discover PINs - but is that just because the PIN has been around for longer?