Hi there John 
As other users have mentioned, this is neither a bug nor a misconfiguration. It’s an intended design / UX choice.
Our app is designed in such a way that you would need to know the PIN to actually take any notable action within the app. However, if the user would like to enable additional security for their own peace of mind, we have the option to enable fingerprint unlock or FaceID.
It’s perhaps worth pointing out that in an investigative report, the BBC considered our security to be above all other banks in the UK.