The question is what generated that TOTP code. The banks must ensure that they "are independent, in that the breach of one does not compromise the reliability of the others," as article 4(30) states. That text is vague as hell, but published opinion of the European Banking Authority on the matter[0] is:

"a device could be used as evidence of possession, provided that there is a ‘reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device’"

So in essence the TOTP has to be bound to the device in a way that prevents users from just extracting the secret and putting in in their password manager. Hypothetically that would still allow Yubikeys and other security keys that provide attestation from the factory, but in practise banks probably don't want to deal with the support headache and just provide their own, like the TAN generator mentioned by other commentors.

Two other highlights from the interpretation of the EBA:

"App installed on the device" -> not sufficient/compliant

"In the case of an SMS, and as highlighted in Q&A 4039, the possession element ‘would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number’."

"SIM-card associated with the mobile number" - is that even technically possible? Do mobile carriers provide a API for banks to verify that a number still corresponds to the same SIM card? If so I've never heard of it.

[0] https://web.archive.org/web/20191207213213/https://eba.europ...