In Turkey, 2FA tokens for banks generated by app or sent by SMS all contain a message about never giving the token or your password to a bank employee...
so if Norwegian banks did the same as Turkish banks, the customer is now fully liable for doing the exact opposite of what they've been explicitly told never to do by the warning clause accompanying each 2FA message
Not how the law works here - you're always liable in either case, but it is hoped that the message might prevent some cases of fraud.
It's difficult to secure people against social engineering...