Secure Passwords for Banking

The VPN endpoint may or may not be overseas.

Almost all VPN service providers give you a choice of VPN endpoint. So a workaround for @pljudd may be to change VPN endpoint to an Australian endpoint right before using the banking app.

In other words, is RAB blocking all overseas IP addresses or is RAB blocking traffic that originates from a VPN (whether Australian or not)? [The latter might be incompletely implemented by blacklisting all known IP addresses of all VPN service providers.] Or they might be doing both?

This is of course misguided security (depending on exactly what is happening) because any criminal worth his salt can route traffic through an Australian IP address (including potentially through the service of the victim from which the credentials were originally copied i.e. if that computer was completely compromised).

You can never have too many layers in your defences 🙂 but that seems excessive to me. Providing that all your communication is using TLS (“SSL”) … even with an open WiFi, or an untrusted WiFi, or a dodgy VPN provider, or with a timing problem with getting the VPN going … your exposure is limited to revealing the fact that you connected to a certain hostname.

So if you bookmarked your bank’s web site then just make sure you bookmarked it as https: and make sure you see the lock icon in the browser. Without those, the entire internet is like an open WiFi (including when you are at home).

“Gaps in timing”, if they concern you, can be plugged by using firewall software on the device and blocking unprotected outbound traffic.

Regardless, everyone has to adopt only those measures that they personally find acceptable.

I would assume that your local manager will have NFI. So please allow enough time for the manager to escalate to the network security team within the bank and get a response from that team.

Regardless though, moving your custom elsewhere is sometimes the only language that a business understands. In that case, you would ideally tell them explicitly why you left, once you have done so.

I think there are some web sites that actively attempt to defeat autofill i.e. where the password manager is integrated within the browser.

It may still work just to copy-and-paste the password from the password manager to the web site login form, just not as convenient.

2 Likes