I just want to wrap up my thoughts on this. This is not going to stop every type of attack, there are a few ways to get around this type of authentication method. The first one that comes to mind is using the authenticated session that the user has created for you already and not waiting to try and log in later. While saying that, something is better then nothing. This may not work against a determined targeted attack but at least you wont be low hanging fruit.
I tried to find a few FI’s that I could point you to that had OTP listed as a two factor method, but I just turned up a bunch of old white papers. I did find mention of FI’s in Germany that used paper for the OTP and various ones using SMS.