When the bank or (associated) credit card purveyor advises that they set cookies or Web beacons, they can do so only with respect to their own websites.
That may be the case currently.
However, the questions I ask are:
1. If the bank already has rules that allow them to do the only spying they purport to want, why bother to insert anything into the fine print?
2. If they do think they should have something in the fine print, why are the words much broader than the current rules allow?
I think the answer is simple. Like other large corporations, they think long range and, should technology or the rules in future facilitate something different, they already have the client's agreement.
(And remember: this is coming from the inveterate privacy/security paranoid.)
Perhaps not paranoid enough.