banks can't legally do it. at least not here in the US.
DDOS attacks are illegal regardless of who does it (perhaps besides the actual government who can do anything)
so average joe can't DDOS nor can any bank with ties to the US.
if there is proof that it came from a bank under US jurisdiction those people can go to jail for this

the law shouldn't be selective as to who gets punished for these kind of crimes