I'm in the UK, so our implementation of the PSD2 regulation may be a bit different (in came in while the UK was leaving the EU), but I get SMS 2FA codes from American Express all the time in the 3D Secure process.
Some banks do still allow SMS by itself as the only authentication factor (presumably because they haven't got around to updating their solution or maybe think they've found a workaround), but it's not compliant with the PSD2 regulation in the EU at least. The solutions I've seen usually use a password or security question as the other factor.
