Maybe, if their IT is terrible.
But encrypting the laptop with something like Bitlocker and forcing all traffic over a corporate VPN is more than enough security really, and it’s fairly simple to set up. DirectAccess force tunnelling would be even better, as it would auto-connect at boot.
You can also fairly easily use Group Policy to disable USB ports, etc so that nobody can copy any data off the company laptop.
You can never quite protect against somebody writing the information down, but that’s why one bank employee never receives a whole password (only characters of it).
Most queries on the chat function would be the sort of thing that would take pressure off the phone service, non-urgent but fairly routine things where it makes sense not to call. You would think they’d want that!
And Bank of Scotland is the only brand where it’s still available?
It’s all very weird.