> In the EU, banks are AFAIK banned from using SMS 2FA

That's not the case, but SMS-OTP only counts as one "possession" factor, leaving only "knowledge" or "inherence" for the second one, and both are awkward to ask for in a payments flow. (You don't want to train users to enter their bank's password at a merchant site, and biometry/inherence isn't easily possible from an untrusted device.)

By contrast, doing biometry on a linked device provides two factors (possession of the device and inherence), and is significantly cheaper than SMS too. SMS in Europe can be pricey!

As a tangent, they are in fact banned from using email as a factor, which I find infuriating – my mailbox seems much better protected than my SIM card or phone number, which is one successful attempt at social engineering away from being swapped out or ported away. The SMS industry must be pretty good at lobbying.