The first call is authenticated as being the bank by calling the correct phone number the bank has on the website.

The second call is authorized via a password given on the first phone call:

> (with the agreed password for when the bank calls me)

Now the stringency of the verification of the caller being OP is unknown.