> There’s no excuse anymore.

Implementing "modern" auth flows is challenging with old core systems.

From a risk management and compliance standpoint, this new auth infrastructure would represent a non-trivial expansion in the bank's audit scope.

Until a regulator makes it a requirement to use whatever new auth flow, it is not going to happen at scale.