What about e-statements?
Currently, our customer uses a password to open an e-statement we've e-mailed to them. Would this be considered an "Internet-based product or service" subject to the multi-factor authentication requirements?
Obviously, no transactions are being initiated, but a sizeable amount of customer information resides in the statement info and imaged checks.