They should’ve given at least 3 month notice in advance for such a drastic change that could potentially get someone locked out.

Absolutely. Their Lawyer/Risk/Compliance person probably just noticed and went “oh fuck”. With the short timeline they gave vs. compliance effect date, I hope it means they will have all hands on deck to support and work around the inevitable lockouts next month.

This is likely timed to meet the new PCI requirements, since they are designed to store your credit card info if you want to, and MFA will be a requirement as of April 1st this year. Everyone should be using MFA for this kind of information anyway, I know people hate inconvenience in the name of security, but if safety wasn’t forced on people we wouldn’t have things like seat belts, hand rails, and factory safety lockouts.