That carries with it the requirement of SCA:
In practice (here in Italy) you have a client number (secret) a password/PIN (also secret) AND either a SMS to your mobile with a one time code or a Smartphone app (yikes!), there used to be hardware tokens generating one time authorization codes that have now been retired.
If you only need "a code" whether it's to send $40 to a close friend or your entire account balance to an account you've never heard of that was created yesterday in a foreign country - then the scammers only have to trick you into trying to do the former, even though what they want to achieve is the latter, so that you'll give them a code which is what they need.
The bank can do a good or bad job of communicating what's going on and actually preventing the fraud, depending on whether the understanding of what they're trying to achieve was pushed down all the way from regulators to the engineers building the system.
The best systems here don't give you (and thus the attackers manipulating you) a lot of opportunity to manipulate things, but they do present you with information that should be raising red flags if you're being tricked. For example if the app says "Enter the six digits shown on the web page" and you just mindlessly copy those digits, an ordinary customer may not know why it's those six digits, bad guys with a fake web page can tell them to put whatever they want. Whereas if the _app_ says "Enter the whole dollar amount to send" then bad guys may struggle to explain why they want you to type 5839, your entire account balance, when you wanted to send $40 to the supposed friend in need and your suspicions might be raised enough for the scam to fail.