I interpreted this the same way you did. The FFIEC guidance indicates that IPA location can be used as another authentication method. The guidance, however, provides appropriate warnings about this method (e.g., spoofing IPA's, non-static IPA's, wireless access, etc.). But if your institution's risk assessment on electronic banking services and products adequately supports the IPA location method ... then it appears the method should be appropriate (in theory) ... (I just haven't seen this signed-off in practice yet ... maybe someone out there has?)