Maybe? You'd hope, but who knows. Still easy to just replace the image with plain text in the HTML, or a data URL (if allowed). Or put an iframe in there. Point is, if they control the HTML they can do pretty much anything.
Edit: Just tried it with Chase, Merrill Lynch, Citibank, Bank of America, and Wells Fargo. Only Wells Fargo had a CSP in place to prevent this. But even Walls Fargo let you just inject a data URL image.
Systems that these banks have provided are provided for feasible access to your account.
They are not in any way interested inn tightening of fortgaurding their portal's rendering, until it ends up causing them to give more money i.e. bad for business.
Edit: Just tried it with Chase, Merrill Lynch, Citibank, Bank of America, and Wells Fargo. Only Wells Fargo had a CSP in place to prevent this. But even Walls Fargo let you just inject a data URL image.