Some users on HN "clarify" that it's Google's filter enabled by app developers on the store. Bitwarden is flagged by the level HSBC devs specified in their filter settings. So that's a question for Google.

It's not because it's Bitwarden, it's because an app has been installed from a source other than the Play Store, and thus hasn't been audited by Google and installed with the verification of Play Protect. HSBC doesn't want apps that aren't Play Protect-certified installed on the device. Android is merely showing the user a list of all such apps, so that they know what to uninstall if they wish to comply with HSBC's mandate. The HSBC app doesn't know what the offending apps are, merely that at least one offending apps is installed. Install Bitwarden directly from the Play Store rather than another source, and the HSBC app won't complain. Yes, it's still utterly stupid, especially when you consider the fact that the same banks are willing to let customers access and manage their accounts in any web browser, which is much less secure. No, the UK banks won't budge on this, they've been doing it for over 10 years in various forms, it's a continuous cat-and-mouse game. The extra (nominal) security guarantee afforded by Play Protect is not a requirement for EU PSD2 SCA authenticator app compliance, but I wouldn't be surprised if someone in HSBC's liability/cybersecurity department advised them to implement this for some misguided reason. That said, I'm running Android 14 on a non-rooted device with several apps installed from sources other than the Play Store (including Bitwarden from F-Droid), and all of my UK banking apps (of which I have 12, as I have accounts with almost every bank that operates in the UK, though HSBC is notably not one of them) function just fine. Suffice it to say that if First Direct (an online-only subsidiary of HSBC UK that is routinely ranked as the top bank nationally for customer service) implements this and refuses to revert, I'm closing my accounts with them.