I don’t see how authentication without OTP is a bug and not a feature.
A lot of banks implement this OTP auth, and because of that, all recurring charges like Netflix, iTunes, etc. will simply fail to go through and require manual intervention, which is very annoying.
The simple way to secure it is to limit the transaction amount to let’s say 2k.
The way this “insecure” system works in the US is that the onus for fraud detection lies with the bank, and you can get fraudulent charges reversed, no questions asked.
One amazing way this could be handled is virtual cards like this https://privacy.com/
The best way to implement it would be to ask for an OTP the first time and consider that as a mandate for recurring charges, though not sure about the technical and regulatory issues @Jiten