“And as your bank, we keep a record of your PIN so we can check you’ve entered it correctly. We store them in a particularly secure part of our systems, and tightly control who at Monzo can access them.”
What? They store device PINs? I worked on several mobile banking apps and, although not directly on the crypto part, I know that the PIN never left the device and the bank didn't know the PIN. It was just a part for generating/signing operations. I think an SRP (secure remote password) protocol was used in this case, where the password is never transferred over the wire.
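To make the "never transferred over the wire" property concrete, here is an SRP-6a exchange (RFC 5054 message flow, RFC 2945 proof values) written as an added example for this thread. It is not code from the comment above, from Monzo, or from any bank's app; it assumes SHA-256 as the hash function and the 1024-bit group from RFC 5054 Appendix A (with g = 2), and the identity and PIN passed to it are constructed sample values. The server-side record produced by `enroll` holds only the identity, a salt and the verifier v = g^x mod N; the PIN enters the computation once, inside `private_key`, on the client side.

```python
import hashlib
import hmac
import secrets

# Group parameters: the 1024-bit safe-prime group from RFC 5054, Appendix A, with g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # every group element is encoded as N_LEN bytes

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()  # SHA-256 assumed as the SRP hash

def pad(x: int) -> bytes:
    return x.to_bytes(N_LEN, "big")

k = int.from_bytes(H(pad(N), pad(g)), "big")  # SRP-6a multiplier k = H(N | PAD(g))

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; used only to sanity-check that N is a safe prime."""
    if n < 4:
        return n > 1
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def group_is_sound() -> bool:
    return is_probable_prime(N) and is_probable_prime((N - 1) // 2)

def private_key(identity: str, pin: str, salt: bytes) -> int:
    # x = H(s | H(I ":" P)): the only computation that touches the PIN, and it runs on the client
    return int.from_bytes(H(salt, H(f"{identity}:{pin}".encode())), "big")

def enroll(identity: str, pin: str) -> dict:
    """What the server stores: identity, salt and verifier v = g^x. The PIN itself is never sent."""
    salt = secrets.token_bytes(16)
    return {"identity": identity, "salt": salt, "verifier": pow(g, private_key(identity, pin, salt), N)}

def client_begin():
    a = secrets.randbelow(N - 2) + 1              # client ephemeral secret
    return a, pow(g, a, N)                        # A = g^a is sent to the server

def server_challenge(record: dict, A: int):
    if A % N == 0:
        raise ValueError("client public value A must not be 0 mod N")
    b = secrets.randbelow(N - 2) + 1              # server ephemeral secret
    B = (k * record["verifier"] + pow(g, b, N)) % N
    return b, B                                   # server sends (salt, B); b stays private

def _proof_input(identity: str, salt: bytes, A: int, B: int) -> bytes:
    hn_xor_hg = bytes(x ^ y for x, y in zip(H(pad(N)), H(pad(g))))
    return hn_xor_hg + H(identity.encode()) + salt + pad(A) + pad(B)

def client_proof(identity: str, pin: str, salt: bytes, a: int, A: int, B: int):
    if B % N == 0:
        raise ValueError("server public value B must not be 0 mod N")
    u = int.from_bytes(H(pad(A), pad(B)), "big")  # scrambling parameter
    if u == 0:
        raise ValueError("u must not be 0")
    x = private_key(identity, pin, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = H(pad(S))                                 # session key
    return K, H(_proof_input(identity, salt, A, B), K)  # M1, the client's proof

def server_verify(record: dict, A: int, b: int, B: int, M1: bytes):
    """Returns the server proof M2, or None if the client's proof does not match the verifier."""
    u = int.from_bytes(H(pad(A), pad(B)), "big")
    S = pow(A * pow(record["verifier"], u, N) % N, b, N)
    K = H(pad(S))
    expected = H(_proof_input(record["identity"], record["salt"], A, B), K)
    if not hmac.compare_digest(expected, M1):
        return None
    return H(pad(A), M1, K)

def authenticate(record: dict, identity: str, pin: str) -> bool:
    """Runs one full exchange; True only if both sides prove knowledge of the same session key."""
    a, A = client_begin()
    b, B = server_challenge(record, A)
    K, M1 = client_proof(identity, pin, record["salt"], a, A, B)
    M2 = server_verify(record, A, b, B, M1)
    return M2 is not None and hmac.compare_digest(M2, H(pad(A), M1, K))
```

Usage: `record = enroll("customer-0001", "2468")` is the enrolment step, after which `authenticate(record, "customer-0001", "2468")` returns True and a wrong PIN returns False; only A, B, the salt and the two hash proofs cross the wire. One caveat matters for the PIN case specifically: the verifier is not the PIN, but a 4-digit PIN has only 10,000 candidates, so whoever obtains the verifier record can still recover the PIN by offline guessing. SRP removes the password from the transcript; it does not make a short-PIN verifier database safe to lose, which is why rate limiting on the server and device-bound secrets still matter.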