The guidelines apply to high risk transactions (which you and SarahH have already mentioned) as well as access to any non-public, personal customer information, which as you know includes account numbers, SSN's, birthdays, etc. Also, keep in mind that the guidelines do not require multi-factor authentication, they state that when these tranascations or information are available, single-factor authentication is not sufficient. There may be other ways to reduce the risk other than multi-factor authentication, although it looks like most FIs including mine will adopt MFA.
_________________________
The cannons don't thunder there's nothin' to plunder.