Survey on MFA implementations for online banking services

On this page, we present the compliance of EU and non-EU banks with the requirements extracted from the European regulations (the Payment Services Directive 2 and the related Regulatory Technical Standards).

Requirements definition

Req. Number Definition
RL1 If a software authenticator or an authentication code is used through a multi-purpose device, the integrity of the device must be checked
RL2 MFA protocols must always be employed when the user performs risky operations
RL3 Every MFA protocol must employ at least two different types of Authentication Factors
RL4 Every MFA protocol must employ at least two independent Authentication Factors
RL5 Every MFA protocol must result in the generation of an authentication code that is unique, dynamically linked to a specific operation and accepted only once.
RL6 Every MFA protocol must make the user aware of crucial information on the operation she is going to authorize
RL7 Identity proofing must be performed with a high level of confidence
RL8 The binding procedure for every authenticator must be executed in a secure manner
RL9 Every remotely delivered authenticator must be activated before its usage

EU Banks

Bank Name Country RL1 RL2 RL3 RL4 RL5 RL6 RL7 RL8 RL9
Deutsche Bank DE
VR Bank DE
Commerzbank DE
HSBC UK
Barclays UK
Lloyds UK
BNP Paribas FR
Credit Agricole FR
Société Générale FR
Unicredit IT
Banca Intesa IT
Banco BPM IT
Banco Santander ES
BBVA ES
La Caixa ES
ING NL
Rabobank NL
ABN AMRO NL
Nordea SW
Svenska Handelsbanken SW
SEB SW
Legend: requirements can be fulfilled, partially violated or violated.

Non-EU Banks

Bank Name Country RL1 RL2 RL3 RL4 RL5 RL6 RL7 RL8 RL9
ICBC CN
CCB CN
ABC CN
Chase US
Bank of America US
Wells Fargo US
UBS CH
Credit Suisse CH
Raiffeisen CH
Legend: requirements can be fulfilled, partially violated or violated.