If a customer loses the phone, and then ports the number instead of replacing it, and also forgets their password at the same time... yeah, I think it's fair to give them a bit of a hard time before letting them in.
Video verification sounds reasonable, as would some wait time. What's not reasonable in that situation is a self-service fully automated account recovery via SMS and e-mail verification followed by allowing withdrawals.
What happens if a legitimate customer's phone gets lost and they quickly transfer the number and reset their accounts?
I think they should do a video call verification.