Q: safe scheme or not? ( No Answer,   1 Comment )
Question  
Subject: safe scheme or not?
Category: Computers > Security
Asked by: eksolutions-ga
List Price: $5.00
Posted: 24 Sep 2002 12:19 PDT
Expires: 24 Sep 2002 17:36 PDT
Question ID: 68529
On the last day of each month, a bank selects a new key K to be
entered into its most secure and important server (the key K is used
for various security-related functions of the server).  The reason K
is changed each month is to make it less likely for a cryptanalyst to
eventually figure it out.  The key K is entered manually, but it is not
given to any employee: rather, K is split into two random-looking keys
K1 and K2 such that K1 # K2 = K (# is used for a function such as
addition, multiplication, division, etc.), and the employee who
enters K1 into the server is different from the employee who enters K2
into the server (the server obtains K by doing the XOR of K1 and K2).
Of course the server verifies the credentials of each employee before
letting them enter their K1 or K2 (e.g., password combined with some
biometric like a fingerprint).  The two employees can enter their K1 or
K2 at different times of the day, it does not matter: the server waits
until it has the two entered inputs before it XORs them to get K.  The
server does not do anything other than stated above (credentials
checking before accepting K1 and K2, followed by XOR of K1 and K2).

This scheme works as long as the two employees do not conspire against
the bank: if they conspire then they can illegally figure out K, or
even trick the server into computing a K' that they choose (instead of
the K chosen by the bank).  One day, the bank decides that this
"collusion risk" is high enough that they should do something to
prevent it.  So they modify the mechanism for entering a new K in the
following way: rather than being given K1 and (respectively) K2, the
employees are instead given Ebank(K1) and Ebank(K2), where Ebank
denotes encryption with a symmetric (i.e., single-key) cryptosystem
using a key that lives permanently in a physically tamperproofed
co-processor within the server (so that neither employee has access
to that key).  Of course, before it can obtain K as the XOR of K1 and
K2, the server must now first decrypt (i.e., do a Dbank(.)) the items
entered by the two employees.

Is the new scheme really safe against collusion by the two employees?
Justify your answer, i.e., argue why it is safe if your answer is
"yes", give a specific attack scenario if your answer is "no".
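The split-knowledge key entry described in the question, as an added example in Python (not part of the original question or of any bank's system): it models the XOR split into K1 and K2, a server that accepts one share per authenticated employee and only recombines once both are present, and an exhaustive check on a small key space that a single share on its own is independent of K. The employee names and credentials are constructed for the example.

```python
from __future__ import annotations
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings (the # operation of the question)."""
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(k: bytes) -> tuple[bytes, bytes]:
    """Split K into shares K1, K2 with K1 XOR K2 == K.
    K1 is fresh uniform randomness, so K2 = K XOR K1 is uniform as well:
    each share by itself carries no information about K."""
    k1 = secrets.token_bytes(len(k))
    return k1, xor(k, k1)


class KeyEntryServer:
    """Models the server: check each employee's credential, accept exactly one
    share from each of two distinct employees, XOR them once both are present."""

    def __init__(self, credentials: dict[str, bytes]):
        self._credentials = credentials       # employee -> secret (constructed)
        self._shares: dict[str, bytes] = {}   # employee -> entered share

    def submit(self, employee: str, credential: bytes, share: bytes) -> None:
        expected = self._credentials.get(employee)
        if expected is None or not hmac.compare_digest(expected, credential):
            raise PermissionError(f"credential check failed for {employee}")
        if employee in self._shares:
            raise PermissionError(f"{employee} has already entered a share")
        self._shares[employee] = share

    def key(self) -> bytes | None:
        """Return K only after two distinct employees have entered shares."""
        if len(self._shares) < 2:
            return None
        k1, k2 = self._shares.values()
        return xor(k1, k2)


def share_reveals_nothing(nbits: int = 4) -> bool:
    """Exhaustive check on a tiny key space: for every K, the set of K2 values
    reachable over all choices of K1 is the whole space, so seeing one share
    alone does not narrow down K (the same holds for K1 by symmetry)."""
    space = set(range(2 ** nbits))
    return all({k ^ k1 for k1 in space} == space for k in space)
```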
Answer  
There is no answer at this time.

Comments  
Subject: Re: safe scheme or not?
From: lokison-ga on 24 Sep 2002 14:21 PDT
 
The lock is still dependent upon the keys entered by two specific
individuals.  This will always allow for collusion.  If 2 people are
given 2 metal keys, it is no different than if you gave the same 2
people 2 passwords, unless the 2 individuals don't actually get
access to the "vault", say perhaps if a manager becomes involved as a
third party.

Very simply, if the safety net is bypassable by collusion, then the
only way around it is to prevent the collusion.  No amount of
technical gadgetry will suffice if 2 people knowing the needed keys
are all it takes to "open the vault".  Possibly by instituting a
3-person random rotation roster, implemented at random times, the
ability to bypass the gadgetry may be significantly downgraded.  Say 3
groups of a small number of trusted people are each given one part
of a three-part key.  Then, depending on the computer's random number
generator, seeded by a list of the names of people currently in the
vicinity, 2 people from 2 of the 3 separate groups would then enter a
key into the computer, which would generate a 3rd key which would be
used by the people in security to access the actual funds.

-LokiSon
