I have a credit card that requires you to answer a security question just to make a payment, with an existing linked account. I can't fathom what scenario they think they are protecting against here.
My former bank sends an SMS OTP every time I make a transaction. Not TOTP support. If it's the same security question, password managers can easily fill it out, no?
This SMS annoyance is a major reason why I left them.