This is in part driven in turn by regulations like PSD2 in the EU requiring "Strong Customer Authentication". Most banks seem to have decided that a TOTP-style challenge does not meet the requirements of the regulation (this may even be an explicit ruling, I don't know).