It seems very reasonable to me, and it is hardly a "loophole." This type of action kicks in only in regards to online transactions, and only if the fraud is the result of the real user's information being used and was obtained via the user's PC.
A real-world analogy is that of insurance companies refusing to pay for a vehicle theft claim if the victim leaves the keys in the car's ignition lock, and the doors unlocked. In the same way, it requires the user of the service (banking or insurance) to be slightly proactive in regards to the assets (online account or car) being covered. In other words, "We don't pay for the victim being a damned fool."