@MerakiDave is correct we don't use fully standard IPSec, that's because phase one in IPSec is about mutual authentication creating a secure channel to negotiate how you are going to encrypt. We do that via the dashboard as ever devices connection to the dashboard is mutually authenticated, it's actually more similar to the standard Cisco Zero Trust model (expect to see a blog on the Meraki blog soon about this).
That means that we can jump straight into, essentially, phase 2 when we connect peer-to-peer, that's an oversimplification though as we carry over some elements that are traditionally in phase 1 to phase 2. Meaning that if you capture the packets you will see IKEv2, DH19 and the AES128-CBC and SHA256 for the encrypted session. If I quote the (recently updated) Meraki AutoVPN White Paper:
"The VPN tunnel is established. The Cisco Meraki cloud already knows VLAN and subnet information for each MX, and now, the IP addresses to use for tunnel creation. The dashboard and MXs establish two 16-character pre-shared keys (one per direction) and create a 128- bit AES-CBC tunnel. Meraki Auto VPN leverages elements of modern IPSec (IKEv2, DiffeHellman and SHA256) to ensure tunnel confidentiality and integrity. Local subnets specified in the dashboard by admins are exported across the VPN."
That is how it works, with respect to answering your question, how to prove that in a bank, that is typically done by engaging the Meraki SE to provide a version of this explanation along with some additional information once an NDA is in place.