What is the best protocol for an organisation to make phone calls to clients, where the client is required to verify their identity?

The best way is to make it trivially easy for a customer to get to the right place through the number on their card, on their statement, on your website; more, to make it impossible for a bank department to have a number not listed on the bank website.

You can do this via a reference number, a code word, (eg, "please call us back on the number on your card, and say "fraud" as soon as our messages start.") You need to ensure that when the customer calls in this way, they get to the right place.

You also need to train customer service reps to respect the customer's choice to call back. Far too often, CSRs will denigrate or undercut the desire to return a call. They might suggest that caller ID is trustworthy or even tricky to spoof. It is not.

When I was at Microsoft, we studied this pattern, which is where an organization acts the same way a fraudster does, and results in people being unable to form a model of secure behavior. We called this pattern "scammicry" for the mimicry of a scam.

There are additional tools you can use, including biometric voice authentication, asking questions which don't expose the answerer to identity theft, such as knowledge of recent transactions, so that calls from the bank are not so worrisome. (Note that if there are a small number of recent transactions, then a scammer who calls can get those, and then authenticate to the bank.)