FFIEC supplemental guidance establishes a minimum expectation regarding enhanced controls for system administration. See section P6 for further details. Administrative controls carry such extremely high risk that, if a bank chooses to permit a customer to make administrative changes (such as adding new general users, adding administrative users, changing transaction and approval limits, changing passwords, changing the customer contact number or method, and disabling notification options), the changes should not be implemented without verification by the bank, or at least not without notification to the customer (preferably by an out-of-band method) that a change has been made.