At the time we were required to complete our MFA risk assessment we were only offering consumer internet banking. We implemented the appropriate multi-factor authentication methods at that time. Now we are getting ready to implement business internet banking for commercial customers. We know we are going to use the same multi-factor authentication methods for business customers as we currently do for consumer customers. Are we required to do a new MFA risk assessment or update it to include business internet banking services/customers? MFA is already in place, so is there really any reason/requirement to create a new or update the existing MFA risk assessment? Any input on this would be appreciated.

With any risk assessment you should keep it current. Add the business internet banking services and customers and the MFA methods you will be using. Over time, other changes could be required and a review of the risk assessment would be warranted at those times.

It really should be a part of your planning process. When anyone (like an examiner) asks how you determined what you would do, you have your risk assessment as part of the documentation to back up the actions taken.