It started when he signed up at a new bank, giving them his phone number. Somehow the bank enrolled his in their online banking system, which notified Samsung, who remotely initiated the "let's give your phone a pin" flow, presumably to protect him during online banking.
Do you have a proof that this actually a thing? I don't see what mechanism exists to do this and I don't see why Samsung would even bother to do this.
Perhaps cooincidence and Samsung pushed an update that now required a PIN, but there was an untested failure mode (rebooting the device after the PIN setting process had been initiated but not completed).