Far wider issues here, which I don't want to go into but need some techy info.

How is it possible?

His mum says that he stole £150 the other night using her First Direct app on her phone.

She claims that he used the face ID on her whilst she was asleep.

I thought that to send money to a new account you also needed the security code?

Last night he took £100 by setting up a PayPal account connected to her bank card.

Is it really that easy to do?

I only ask as I'm incredulous and wonder if she is the one making things up.

Although saying that, ages ago, the older boy found a way of charging PlayStation stuff to the long number of the SIM card on her boyfriend's phone

Not sure about First Direct, but with other banks you can certainly send small amounts (ie, sub £1000) from the apps to new payees without going through lots of additional security (my main account is with NatWest and I recently had to do a transfer that need the card reader to generate a code, but the battery was flat so I just did in in two transactions over two days).

If you had access to the physical bank card then I can't see why you couldn't setup paypal against it. The card holder would find out fairly quickly, as sounds like is the case here.

Well it sounds like he's sneaking into her bedroom so where is she supposed to put her phone.

I've no Idea, but having read quite a few posts from you about her before, I'd be approaching with a large dose of skepticism. Especially if she's asking you to help with the funds.

I would actually be inclined to:

1) Change the passcode(s)
2) Remove FaceID completely and then re-set it up - he may have added his own face to the security system (this is easily done under the "Alternative Appearance" functionality
3) Make sure that "Require Attention" is activated so its not just eyes open, but eyes open looking at the FaceID sensor(s)

I would also stop access to all items when locked (control centre / widgets / Siri / etc.)

I tested just now and struggled to get the iphone to unlock without having my eyes open. However you can unlock it with the code anyway, so maybe he just knows the code. Kids can be very quick to learn things and guess them - my kids worked out the code for ScreenTime on their ipads and it was a while before we really noticed they were still using them beyond the officially allowed time limits.

Regarding the sending of money from her account to his, surely the most likely explanation is that she already has his account saved in her FirstDirect app? If FaceID is not configured to 'require attention' then to unlock the phone and open the app might well only take a few seconds, and because he's already in there as an existing payee, not require further codes after that. I just sent a £1 payment to our joint account from my personal one, the only time it needed FaceID or a code was when first opening the banking app for my personal account.

My best guess is that either FaceID isn't configured correctly, or he knows the code. And it's probably the same code for the banking app and PayPal as to unlock the phone, which is dumb but extremely common. Either way, as already mentioned, if it's happening at all then you need two long chats, one with his mum about security, and another with him about more serious matters.

OP didn't say it was an iphone, plenty of android phones have face unlock, and they may sacrifice security (eyes open / attentive) for speed of unlock.

I don't like the idea of having a banking app that gives instant access to my finances to anyone who gets into my phone. So I don't use apps for banking (or Paypal or Amazon). I use online banking through the browser, which is set to not remember my password and 16-digit username, so anyone would have to know these and manually type them in.

Having said that, as others have said, the main issue here is not cybersecurity but more fundamental concerns of honesty, trust and ethics within a family.

Aye, I'd question that. My face ID only works with my whole face, eyes open. I've only ever seen the unlocking an unconscious persons phone with face id thing on TV.

Make sure to ensure that the phone is set NOT to show notification contents when locked as it will display one-time security codes etc otherwise.. FaceID should require eyes to be open to work.