Requiring regular password change but storing previous passwords?

The bank keeps your previous passwords (or hashes thereof) to force you to change your password, but it does not mean that they would accept an old password as valid authentication. The important point is: the bank wants to protect access, but it has no interest in protecting your older passwords per se. For the bank, the old password is no longer sensitive data, since it does not grant access to the bank.

Well, actually, old passwords are somewhat sensitive because users are users, and thus they:

  1. reuse passwords for other sites;
  2. "generate" successive passwords with "witty" procedures, as opposed to what they should do, i.e. random procedures (if an attacker learns that your two previous passwords are "sleepy" and "sneezy", he may try "grumpy" and "happy" as potential passwords).

So a bank which keeps traces of old passwords around should protect them adequately, i.e. as if they were still active passwords (hence store only hashes, with a slow hash and a lot of salt). But that's indirect. By itself, learning an old password does not give any special power to the attacker, at least from the point of view of the bank.


Forcing password changes on users is, at best, a procedure of dubious value. It may enhance security only if we assume that the previous password was indeed stolen at some point. In other words, it has security benefits only if a constant, non-null amount of fraudulent accesses is occurring and the server has learned to tolerate it, and just wants to keep it low. This is not very reassuring, for a bank. In all other cases, forcing a password update just antagonizes users, and that's never a good thing. See this previous question for more opinions on the subject.

Most places where passwords must be changed regularly do so mostly because it is technically possible, and out of respect for a fuzzy tradition which is never uttered with clarity. At my work place, passwords must be changed every 42 days, must be distinct from the last 24 passwords, and, last but not least, when I change my password I am not allowed to change it again for the next three days (I have never understood what reasoning may have gone through the mind of the people who established such a rule; I find no benefit for it in any situation, even far-fetched; it is just irksome, and I must assume it was meant to keep me angry).

But, if the bank nevertheless wishes to force password updates, then keeping around old password hashes makes sense: it does not weaken the security of the bank's site and it is the only way to enforce a policy of distinct passwords.


Those stored passwords are only used to check whether your new password would match any of them, and to restrict such use. They're never used to allow you to authenticate, so it doesn't impact the security of using the new password, and it defeats a possible attempt to just brute-force it in time.

The only downside of this scheme is that if this storage of old passwords is compromised, it may give more information about real "in-the-wild" passwords, to be included in dictionaries and tried somewhere else, than just storing the current password would. That is, of course, provided the hacker would spend time brute-forcing it too, or if the hashing used in storage is weak.
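
The scheme both answers describe, as an added example that is not part of either answer or of any bank's code: retired passwords are kept only as salted, slow hashes, are consulted only when a new password is chosen, and never grant access. The class name, the PBKDF2 parameters and the sample passwords are assumptions; the default depth of 24 is borrowed from the workplace policy mentioned above.

```python
import hashlib
import hmac
import os
from collections import deque


class PasswordHistory:
    """Current password hash plus the last `depth` retired ones (assumed design)."""

    def __init__(self, depth=24, iterations=600_000):
        self.iterations = iterations          # PBKDF2 work factor (assumed value)
        self.current = None                   # (salt, digest): the only login credential
        self.retired = deque(maxlen=depth)    # (salt, digest): reuse checks only

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def _matches(self, password, entry):
        salt, digest = entry
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return hmac.compare_digest(self._digest(password, salt), digest)

    def authenticate(self, password):
        """Only the current hash is consulted; retired entries never grant access."""
        return self.current is not None and self._matches(password, self.current)

    def was_used(self, password):
        entries = ([self.current] if self.current else []) + list(self.retired)
        return any(self._matches(password, e) for e in entries)

    def change(self, new_password):
        """Reject a repeat; otherwise retire the current hash and store the new one."""
        if self.was_used(new_password):
            return False
        if self.current is not None:
            self.retired.append(self.current)  # oldest entry drops off at maxlen
        salt = os.urandom(16)
        self.current = (salt, self._digest(new_password, salt))
        return True


if __name__ == "__main__":
    h = PasswordHistory(depth=2, iterations=10_000)  # small values for a quick demo
    for pw in ("sleepy", "sneezy", "sleepy", "grumpy"):  # constructed sample passwords
        print(pw, "accepted" if h.change(pw) else "rejected: used before")
    print("old password logs in:", h.authenticate("sleepy"))
```

Because every stored entry carries its own salt, a reuse check costs one slow hash per entry in the history, which is the price of storing the old hashes as carefully as the current one.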