They can manipulate traffic, but so can the bank's operations division. The fact that Cloudflare is a different organization makes contractual agreements much more important, but as long as they are in proper order the difference shouldn't be of importance to the end user.
The difference to the end user is that while the bank's operations division can only do this for a single website, Cloudflare can do so for 2 million of them.
That is indeed a difference, but perhaps not directly relevant to the bank's security.
For large scale traffic manipulation, Google is even better suited. They have arbitrary access to the DOM tree of over 10 million websites via Google Analytics, including several banks.
Well for that matter so is the assurance that only you can purchase a valid SSL certificate for a domain you own. At some point, you gotta trust some people!