Im suggesting no storage of private keys. So nobody has the private key - they are regenerated from the seed phrase which the user provides when they want to withdraw. Is this a terrible idea?
If the user provides the seed phrase, then the user has is and can simply use it with another wallet. They also can get from that wallet of theirs the private keys too. So there's no "nobody has the private key". I think that you should get better understanding of all this before you implement anything.
With number 1, I think of my online banking - I need to have my phone, user id and password to get in. If you think of user id + password as the same as a seed phrase, cant something similar be used here (eg 3d secure by sending an OTP to the user's phone)?
Wow. No. You're wrong. The bank has the money in their custody until you go to an ATM.
If the user have the seed phrase, the bitcoins are in
their (self) custody. Way different.
Plus, as said, if the use loses his phone number or whatever, he will get new login info from the bank; if they do the same with you, the bitcoins are lost forever. Plus the scam scenarios I already wrote.
With 2, this isnt really a problem unique to a Bitcoin exchange though - people try this all the time purchasing stuff with stolen cards. Most acquirers have really good fraud detection. Or am I not considering something here?
While banks may be considering reimbursing this or that in the case of reputed stores selling physical goods, they may not be that nice with bitcoin related businesses. Just look at the history of PayPal vs Bitcoin and how many chargebacks did happen in P2P exchanging simply because bitcoin is digital and PayPal never cared to research deeper.