The FFIEC issues the GUIDANCE STANDARDS then the Governing body enforces those standards with IT Compliance audits, at the FED and state level.
Thats why I pulled the quote straight from SFOR Fins, because SFOR even acknowledges that the FFIEC sets the standards, and their standards are guidance. That is what was being argued before, now the spin has started. go back and read the posts
It was being stated that "now that oob/mfa will be industry standard SFOR to da moon" or something to that effect. I just pointed out that MFA and oob/mfa have been around for a while, there were many forms of each, and it has been a industry standard MFA since 2001 and oob/mfa since 2012.