Here’s what NCUA letter 05-CU-18 says:
“You should identify and evaluate the risks associated with the Internet related services you provide for your members...
“Where the risk assessment indicates that the use of single-factor authentication is inadequate for the types of services period [sic], you should employ multifactor authentication, layered security, or other controls.”
So yes, if your risk assessment says that bill pay and moving money to other accounts are high-risk transactions, then you have to implement an additional authentication method. That means multifactor, or layered, or other controls.