The banks are borderline criminally negligent because they exclusively use SMS for 2FA.
Simply, it is insufficient.
I get that they want the SMS information on file, and that's understandable, but give people another option at least, Holy hell. It gives my inner IT secops brain an aneurysm.