This does sound kind of smoke-and-mirrors (you’ll find that all over the place in infosec, sadly). They could have been adding some meaningful security if the app couldn’t decrypt user data without the user logging in – that would mean somebody walking off with the whole system still would have had no access; they’d need to do an online attack against each user as the sign in, which takes longer, risks detection, and doesn’t work if you do something like steal a backup.
Mind you, the “steal a backup” case – which does happen – is an example where encrypting the data using a key that the server (much less the DB) doesn’t store does help. But as you point out, adding per-user encryption really doesn’t add much there; if the attacker can get any key out of the HSM, they can presumably get them all. I guess one possible advantage of per-user keys is that, if an attacker gets write access to the DB, they can’t overwrite data in one part with data from another part (depending on the cipher and the way it uses IVs/nonces, and how granular or holistic the integrity checks are, this might otherwise be possible).
EDIT: I suppose it could be useful as a second layer of authorization check. If somebody finds an authz bypass in the app then normal access controls wouldn’t stop them from accessing another user’s data. However, if each user’s data is encrypted with per-user keys, then an authz bypass might not actually let you access somebody else’s data anyhow. So yeah, it might be a defense-in-depth thing.
Tech companies in general, and especially fintech companies, love to make extravagant claims about their security. Most of them are meaningless, though, or at best are addressing some tiny threat when the most likely attack vector by far is simply spearphishing or similar. I think this is likely to be one of them. But… hey, at least they use encryption at rest and store the keys in an HSM? That’s better than a shocking number of companies (though those facts alone don’t guarantee any added security, depending on how those systems are used).