Survey on MFA implementations for online banking services

On this page, we present the compliance of EU and non-EU banks with the best practices extracted from several guidelines: NIST - Digital Identity Guidelines, Centrify - Best Practices for Multi-factor Authentication, PCI Security Standards Council - Information Supplement - Multi-Factor Authentication, Gemalto - Authentication Best Practices: Put control where it belongs, PingIdentity - Multi-Factor Authentication: Best Practices for Securing the Modern Digital Enterprise.

Best Practices definition

BP Number Definition
BP1 A software authenticator should be integrated in the mobile banking application (if any)
BP2 MFA protocols should rely on standard solutions
BP3 Step-up authentication should be adopted
BP4 MFA protocols should limit SMS reception as much as possible
BP5 Identity proofing should be executed with a high level of confidence
BP6 The binding procedure should be executed in a secure manner
BP7 Two authenticators attesting ownership factors should be bound after the enrollment
BP8 The user should be offered multiple authenticators of different types

EU Banks

Bank Name Country BP1 BP2 BP3 BP4 BP5 BP6 BP7 BP8
Deutsche Bank DE
VR Bank DE
Commerzbank DE
HSBC UK
Barclays UK
Lloyds UK
BNP Paribas FR
Crédit Agricole FR --
Société Générale FR
Unicredit IT
Banca Intesa IT
Banco BPM IT
Banco Santander ES --
BBVA ES --
La Caixa ES
ING NL
Rabobank NL --
ABN AMRO NL --
Nordea SW
Svenska Handelsbanken SW
SEB SW
Legend: best practices can be fulfilled, partially violated or violated.

Non-EU Banks

Bank Name Country BP1 BP2 BP3 BP4 BP5 BP6 BP7 BP8
ICBC CN --
CCB CN --
ABC CN --
Chase US --
Bank Of America US --
Wells Fargo US --
UBS CH
Credit Suisse CH
Raiffeisen CH
Legend: best practices can be fulfilled, partially violated or violated.