The credit union I use does have SMS 2FA as an option, but has other options via Entrust. Specifically there's a "soft token" that's a phone app which implements their own brand of not-TOTP, and a "hard token" that's a fob that generates their own brand of not-TOTPs.
What operations does it require the OTPs for? Generally anyone can do an ACH withdrawal from your account and the bank won’t ask you about it until afterwards. This is dealt with by other legal frameworks but you could certainly call it insecure even if they need 4 factors to let you see your account balance.
