My first question would be, what is the multi-factor authentication method used in conjunction with the user ID and password? If it's dealt with separately, and is robust, it might not be as big of an issue.
Yes, they are using Cyota for their MFA. Behavior based.
Secondly, I wonder what sort of written risk assessment there is on the subject. That may offer some clues to why they are doubling up on the user ID and PIN. If there is no formal risk assessment, then that's a significant finding right there. You can refer to a number of things for that one.
Therein lies another problem, no RA for internet banking. So, there are several concerns.
Thanks.