Santander in the UK does this too. You can tell because they only ask for 3 characters out of your password whenever you log in. What's ironic is that whoever did that propably thought they were being super clever.
There is nothing in UK law that says banks have to store your passwords "securely".
Issues like this have been raised in the past, and authorities like the ICO have said no law is being broken. GDPR, for example, does not specify technical mechanisms required to store any form of data.
Unfortunately, they are still non-committal on what is required. They advise that passwords should be hashed, but there is nothing that makes that a binding requirement.
The gist is still "do what you think is appropriate".
The ICO talks about balancing risks and convenience, and the banks will argue that their systems are secure overall, and don't make the consumer liable anyway.
Under the ICO's guidance, an organisation could argue that plain text (or reversibly encrypted) passwords allow them to do things like password reminders.
You or I might think that's terrible, but they can argue that it's a better user experience.
If you store an individual character hashed then it is trivial to brute force it. I don't think there is a bcrypt work factor that you could use that would prevent brute forcing but would allow the individual character to be used for authentication.