This is what I thought too. I tried to tell them, but they said it was enough, because if someone tried to brute-force the password, they only have 3 attempts; after that, the app will be blocked.
I believe that beyond 2FA and rate limiting, anything else is snake oil.
Most personal banking apps allow me to access and authorize movements with my fingerprint. Only when migrating to another phone do they send me OTPs to my phone and mail.
Security should have no cost to the comfort of the user; if it is costly, then the user will try to circumvent your measures, which is then counterproductive.
The best security measure a bank can have is insurance for when something bad happens. If your bank doesn't have that, then it is worth changing.
This is what I thought too. I tried to tell them, but they said it was enough, because if someone tried to brute-force the password, they only have 3 attempts; after that, the app will be blocked.
In fairness, they might even believe they are right. To me it sounds like a naive solution from the nineties. Then again, I don't know what country you're in, perhaps the national identity solutions are so exceptionally far behind other countries, this is the best they can do.