Ta. That's more or less what I'd guessed would probably be the case. :/
On the whole, I think I'd much rather they asked me for the full password, so they can compare the hashes - but I run a very clean computer (food in the keyboard aside), and I have to accept that this may not be the case for Joe Public, meaning a risk of key-logging malware. I suppose as long as they use 2FA, though, the flaws with both methods are mitigated.
"Either that, or HSBC has decided to hash each letter of your password individually for extra security. ;) :D"
Actually, thinking about those systems that limit your password to n characters, perhaps that's why... ;)
Joking aside, I'm not talking about HSBC at that point. I haven't yet logged in and created a new password - so I don't know yet if they require the whole password when logging in after, or specific characters from it.
OTTOMH, a couple that do are Natwest (for Bankline) and Barclaycard. Bankline also uses a pin (for which three digits are required to log in - same as the password), and they do use 2FA via a dedicated security device, but not for the initial log in.