Powerless, that's exactly it. I pushed back when asked to implement email-based "2FA" on a website account (nothing like as important as a bank though). I pointed out that the username is the email address, and password recovery works by emailing a reset link, therefore emailing a login code wouldn't be two-factor, it would be the same factor. Of course the response was: doesn't matter, the client's asked for it. I didn't have the authority to push back any more, but luckily in this case it was just a simple website login that had no real need for 2FA anyway.
Are you me? I am an SE in a bank and I had this exact experience this week - though it relates to authing with the online banking system.
As I see it, it's an unfortunate combination of an extremely risk-averse environment, a total lack of trust in their IT staff, and - if I can be pointed - unqualified product teams. I can explain the the inadvertent drop from 2FA to 1FA, I can back it up with NIST, OWASP and Gov references explaining why it's a bad idea, but I am simply ignored because they are bent on execution of their 'vision'. At this point, I raise my concerns just to have my biases confirmed.
It's really frustrating and obviously as a banking customer I want sensible security features too, but if I can generalise, we devs are not driving the bus. We're stuffed in the luggage compartment, wheeled out as necessary.
