HSBC did this to me as well. The battery had died in my old token so I had to jump through so many hoops as the default assumption seemed to be that the customer would have a working token to set up the 2FA.