To be precise, I don't think the FFIEC has a "mandate" for two-factor auth, and I'm not sure how toothy any such mandate would be. But the bank is required by the UCC to exercise commercially reasonable controls, and I don't think you can consider "commercially reasonable" controls that are:
(a) Specifically called out by the FFIEC as inadequate to the task of protecting ACH transfers
(b) Roundly decried as inadequate by practically every large regional bank in the country
(c) The technical focus of massive deployments of reputational and two-factor systems at banks around the country.