For banks, why not just rely on HTTPS, which all medium to large banks now use? As long as you're not accepting any unknown certificates provided by man in the middle attacks, what's a likely public WiFi attack vector? Shoulder surfing? And VPN is overkill here. After all, do you follow your waiter into the back room to make sure she doesn't write down your name / credit card number?