OWASP

1) in the WEB in the authorization form, is it possible to put a birdie "remember login and password"
2) in the WEB in the authorization form, is it possible to put a birdie "remember login"

no, if he wants, then chrome/fox will ask the user

3) whether it is necessary to store IP addresses from which authorizations were made

costs. If you work with money - definitely. Try not to work with money without a sensible TL, from whom you can clarify the details

4) Is it necessary to set an expiration time for Tokens that are issued for authorization in iOS and Android mobile applications?

costs. But you can disrupt the business process with such security. It is better to use an additional request for a password - token for individual operations

5) if a client does a "LOGOUT" on the mobile app, kill ALL tokens for that client?

it is better to ask the client separately. Default setting to be agreed with the customer

6) Show issued tokens, time of issue and date of last use in the user's account?

costs. If you operate with money - definitely

If we are talking about Internet banking, then first of all we need to start from PCI DSS.

You can start with ISO 2700 *, and then according to circumstances.

First - see the regulatory documents of the Central Bank. Directly open the site cbr.ru (which I found in 5 minutes of searching).
Further, the long-suffering 152-FZ "On Personal Data"
Also, do not forget about the RD SVT and RD AS (if you write the code)
, PCI DSS is the standard for Visa / MasterCard payment systems. If your bank does not work with cards (for example, you only work with settlement accounts of legal entities), then you do not need it.

owasp
short, clear and tasteful
https://www.owasp.org/index.php/REST_Security_Chea...