authentication – What are the security implications of the password policy for this bank?

Rule 1 is typical for character set interoperability – Unicode characters may be encoded in UTF-8, Latin-1, or any other unspecified encoding.

The minimum value for rule 2 is obviously for providing minimum password strength, whereas the maximum is to ensure server processing speed (service availability).

Rule 3 is unwarranted. My wild guess would be that their server is still using string concatenation for constructing database queries, or that their mobile app has special keyboard that just doesn’t support special characters.

Rule 4 is close to reasonable, but not fully.

A reasonable person would deem rule 5 necessary with the maximum 14 character limit.