I mean, they could do that because, with few hard legal obligations to you, their own internal assessment that implementing TOTP has a good chance of cutting support load and probably won't cause too many problems is Good Enough to move forward with it.
Banks have to price in the risk that, if something does go wrong, they could have regulators on their back. And uh, have poor incentive structure wrt being perfectly allowed to do everything by the book and slipping responsibility if the book is just wrong.
Banks have to price in the risk that, if something does go wrong, they could have regulators on their back. And uh, have poor incentive structure wrt being perfectly allowed to do everything by the book and slipping responsibility if the book is just wrong.