The bank could easily record whether or not they are in contact with the customer over the phone when they initiate outreach. Then standard practice would be “visit Barclays and enter your phone number to check the call is legitimate and get the name of the agent “ or more realistically even a push notification in app. Asking people to call back is a canonical example of bad UX in the name of security that weakens overall security (like stupid password requirements, rotation requirements, etc).

It can take ages to get through back to an agent and it may not even be the same one or even in the same department.