Sorry but that’s completely wrong.
You never give TrueLayer your online banking password or actual access details (with which they would be able to log in on your behalf).
What happens when you try to set up an instant transfer via the T212 app is (simplified):
1- T212 takes you to the TrueLayer website
2- On the TrueLayer website you select the bank of the account you want to link, amongst the “compatible” banks
3- You get taken to the bank’s own website or mobile app, where you’ll log in to your account via the bank’s own online banking/app infrastructure
4- On the bank’s online banking website or app, you grant access to TrueLayer by giving them a “token” (which you can revoke anytime via your bank’s online banking interface or mobile app), not by sharing your login credentials with them
5- Then you get redirected back to TrueLayer
6- Thanks to this token, TrueLayer gets access to read-only details about what’s in your account (i.e. they don’t get details about how you log in to your account) and will be able to act as a speedy middleman between T212 and your bank
And now, your bank account is linked, via TrueLayer, to T212.
Then, whenever you need to make an instant transfer, what happens is that T212 will seamlessly take you to your own bank’s online banking or app via TrueLayer (which means you won’t have to deal with TrueLayer again, they’ll literally just be a half-a-second redirect between T212 and your bank’s own login page).
The “via TrueLayer” part (which, again, once you’ve set up your account for the first time, becomes completely transparent to you) is what allows T212 to have the exact deposit amount (that you previously chose within the T212 interface) and T212 “receiving account” details showing up, pre-filled, in your bank’s own online banking site or mobile app (to which you’ll get access by logging in to your bank’s app or online banking as normal, not on the TrueLayer domain). So then (after finding yourself in your online banking/app) you can just authorise the transaction (again: YOU need to authorise it, or it won’t go through) using the usual means of authentication that your bank has set up on their own website/app.
Hope this makes it a bit clearer, and sorry for the broken English.
I will add, but that’s just a personal consideration, that the fact your IT security professional of reference doesn’t know what TrueLayer is or how it works is a bit concerning.
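The linking and payment steps described in the post above, modelled as a small Python sketch. This is an added example, not part of the original post and not TrueLayer's, T212's or any bank's real API; the `Bank` class, its method names and the sample account are all hypothetical.

```python
import secrets
class Bank:
    """Toy bank. Every name is hypothetical, not a real bank or TrueLayer API."""
    def __init__(self, passwords, balances):
        self._passwords, self._balances = passwords, balances
        self._sessions, self._tokens, self._pending = {}, {}, {}

    def _issue(self, store, value):
        key = secrets.token_urlsafe(16)  # unguessable handle
        store[key] = value
        return key

    def login(self, user, password):
        # Step 3: the password is checked by the bank and nobody else.
        if self._passwords.get(user) != password:
            raise PermissionError("bad credentials")
        return self._issue(self._sessions, user)

    def grant_token(self, session):
        # Step 4: the logged-in user issues a read-only token for the third party.
        return self._issue(self._tokens, self._sessions[session])

    def revoke_token(self, session, token):
        # The user withdraws the grant from the bank's own interface.
        if self._tokens.get(token) == self._sessions[session]:
            del self._tokens[token]

    def read_balance(self, token):
        # Step 6: the token gives read access, nothing more.
        if token not in self._tokens:
            raise PermissionError("unknown or revoked token")
        return self._balances[self._tokens[token]]

    def prefill_payment(self, amount, payee):
        # The third party can only stage a payment; no money moves here.
        return self._issue(self._pending, (amount, payee))

    def authorise_payment(self, session, pid):
        # Money moves only when the logged-in user approves at the bank.
        user = self._sessions[session]  # a bank login is required, not the token
        self._balances[user] -= self._pending.pop(pid)[0]

def demo():
    bank = Bank({"alice": "constructed-pw"}, {"alice": 500})  # constructed data
    session = bank.login("alice", "constructed-pw")  # happens at the bank
    token = bank.grant_token(session)  # all the third party ever holds
    pid = bank.prefill_payment(100, "broker")
    staged = bank.read_balance(token)  # staged payment has not moved money
    bank.authorise_payment(session, pid)
    return staged, bank.read_balance(token)
```

The third party in this model only ever receives the token and a staged payment id; the password and the session stay between the user and the bank.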