I personally don't really understand why a risk assessment is necessary (other than because the regulators say so, obviously), since the guidance has been pretty clear about which conditions will or will not require you to have multi-factor authentication. My impression has been that if a customer can even *look* at his account on internet banking, without being able to do anything else, it's still considered a "high risk" account, and will require multi-factor authentication.
At least that's our standpoint, and I'd be interested to hear if any other bank came up with something different. Our customers are pretty limited in what they can do on our internet banking product. They can look at their statements, individual check images, and make transfers between accounts they have with us. If they've signed up for bill-payment, they can do that as well. That's it. No new accounts can be opened, no loan applications, no wire transfer requests, etc. I envision our risk assessment looking something like a grid that lists all the transactions that can be made on online banking on the left side, and the words "high risk" written next to every single one.
I realize I may sound a bit flippant about this whole thing, but honestly, it's pretty clear to me that the regulators want *all* banks, without exception, to go to a multi-factor method of authentication. Why make us jump through a hundred hoops with a "risk assessment"? Just put out a statement that says it will be required, end of story.
_________________________
My opinions are my own and do not necessarily reflect the opinions of my employer.