
H.R.7704 mandates multi-factor authentication for VA call centers on high‑impact actions

The bill forces VA call centers to use multi-factor identity checks where impersonation could cause durable harm — a security upgrade that raises operational, accessibility, and funding questions.

The Brief

H.R.7704 amends 38 U.S.C. §5722(b)(3) to require the Department of Veterans Affairs’ call centers to use multi-factor authentication (MFA) to verify callers when they engage in "high-impact" veteran or beneficiary actions. The statutory insertion defines high-impact actions as those where an impersonator could cause real, durable harm — examples include diverting funds, manipulating account access, or disclosing sensitive information.

The change tightens identity controls for voice-channel interactions, which have historically been a vector for benefit fraud and account takeover. But the bill leaves technology, standards, timelines, and funding unspecified, creating immediate implementation and equity questions for VA operations, call-center vendors, representatives who act on veterans’ behalf, and veterans with limited access to second-factor methods.

At a Glance

What It Does

The bill requires VA call centers to implement multi-factor authentication for caller identity verification when the requested action meets a statutory "high-impact" threshold. It also directs call takers to confirm that the caller’s participation in the action is appropriate, tying identity proofing to a suitability check.

Who It Affects

Directly affected parties include VA call-center staff and contractors, VA IT and security teams, beneficiaries and veterans who use phone support, and third-party representatives (power of attorney agents, attorneys, caregivers) who access benefits by phone. Agencies responsible for fraud prevention and program integrity will also see operational effects.

Why It Matters

The bill elevates phone-channel authentication to a statutory standard, likely reducing impersonation fraud if implemented well. Because it omits technical standards and funding, it could produce inconsistent practices, increased call friction, and access problems for veterans without reliable second-factor options — making choices about implementation consequential for fraud rates and service equity alike.


What This Bill Actually Does

The bill inserts a single sentence into 38 U.S.C. §5722(b)(3) requiring that the VA’s internal controls include multi-factor authentication by Department call centers for "high-impact" actions. That means the statutory baseline for identity assurance on phone calls changes from discretionary controls to a mandatory MFA requirement whenever the agency determines that the requested action could cause real, durable harm if the caller is an impersonator.

The text lists examples of harm—diverting funds, manipulating account access, or disclosing sensitive information—but does not prescribe specific authentication methods or performance standards.

Operationally, applying MFA to phone interactions can take multiple forms: one-time passcodes sent by SMS or voice, push notifications to an authenticator app, knowledge-based verification augmented by device-based signals, or biometric voice matching. The bill requires MFA but leaves the VA to choose how to integrate those techniques with existing systems and with veteran-facing identity platforms.

That gap will force the VA to make rapid policy choices about technology procurement, vendor integration, and how to authenticate callers who cannot use common second factors.

The statute’s requirement to "confirm that the participation of the caller in connection with the action is in fact appropriate" introduces an additional procedural check. VA will need rules for verifying authorized representatives, trustees, and fiduciaries over the phone, including how to record consent, apply proxy privileges, and handle emergency or time‑sensitive requests.

Because the text targets "Department call centers," it is primarily about live-voice support but could be read to cover related telephony channels (automated voice systems, interactive voice response) unless the VA narrows the scope in regulation or guidance.

Finally, the bill is silent on implementation timing, funding, exception processes, and enforcement mechanisms. That silence means the practical outcomes will depend on how the VA translates the mandate into policy: whether it issues narrow risk-based rules that limit MFA to a defined list of transactions, whether it requires particular assurance levels, and how it accommodates veterans with accessibility needs or limited device access.

Those implementation choices will determine whether MFA becomes a powerful deterrent to fraud or an access barrier that shifts demand to other channels.

The Five Things You Need to Know

1

The bill amends 38 U.S.C. §5722(b)(3) to require that VA call centers use multi-factor authentication for "high-impact" veteran or beneficiary actions.

2

It defines "high-impact" by risk of real, durable harm from impersonation and provides examples: diverting funds, manipulating account access, or disclosing sensitive information.

3

The requirement includes an explicit obligation to confirm that a caller’s participation in the action is appropriate (i.e., verify authorization or consent).

4

The statutory text does not specify technologies, assurance levels, implementation timelines, or funding for deploying MFA on phone channels.

5

The mandate targets Department call centers (live voice/telephony) but does not explicitly cover non‑call-center channels or detail exceptions for emergencies or accessibility.

Section-by-Section Breakdown


Section 1

Short title

Declares the statute’s short name, "VA Call Center Multi‑Factor Authentication Act," which has no legal effect beyond identifying the act. For implementers, the short title signals the statute’s focus and may be used in internal policy references, procurement solicitations, and communications but imposes no operational requirement itself.

Section 2 (amendment to 38 U.S.C. §5722(b)(3))

Require MFA for high‑impact call-center actions

Adds a sentence to the existing controls clause directing VA call centers to use multi-factor authentication where an impersonator could cause 'real, durable harm.' Practically, this converts a best-practices control into a statutory duty for specified transactions. The provision obliges the VA to adopt MFA in its telephony workflows and to layer an appropriateness check on top of technical authentication—an element that blends identity verification with authorization policy.

Embedded definition

What counts as 'high‑impact' and scope of caller confirmation

The amendment supplies a short, consequence‑based test for 'high‑impact' actions and three illustrative harms. That language gives VA discretion to identify covered transactions but anchors decisions to potential durable harm, which invites a risk-based implementation. The 'confirm participation is appropriate' phrase raises operational questions about verifying representatives, fiduciaries, and consent over the phone and how to document those checks in case of disputes or audits.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Veterans and beneficiaries at risk of impersonation fraud — MFA reduces the chance an attacker can reroute benefits, access accounts, or obtain sensitive records via phone social engineering.
  • VA program integrity and fraud-investigation teams — stronger authentication on the phone should lower incidence of phone-based account takeovers, reducing investigative caseloads and recovery costs over time.
  • Caregivers and legitimate third-party representatives — clearer authentication protocols, if well-designed, can provide predictable procedures for establishing authorized access and stop unauthorized actors from exploiting informal processes.
  • Financial and fiduciary partners (e.g., institutions receiving benefit transfers) — fewer successful impersonation attempts can lower downstream disputes and the administrative burden of correcting diverted payments.

Who Bears the Cost

  • VA call centers and IT operations — they must design, deploy, and operate MFA-capable telephony systems, update workflows, train staff, and revise policies without a funding mechanism in the text.
  • Call-center contractors and vendors — existing contracts may require renegotiation or technical upgrades to support MFA, voice biometrics, or integration with veteran identity platforms.
  • Veterans with limited technology or in low-connectivity areas — individuals without smartphones or reliable SMS/data service may face extra friction or need alternative accommodations.
  • Third-party representatives and advocates — lawyers, agents, and family members who rely on phone access may need additional credentials or enrollment steps, creating transitional costs and potential delays in service.
  • Taxpayers/appropriators if VA requires additional funding — absent specified funding, implementation costs will likely be pushed into VA budgets and future appropriation requests.

Key Issues

The Core Tension

The bill trades greater protection against impersonation for increased operational friction and potential access barriers: strengthening identity assurance on phone calls will reduce fraud but risks excluding or delaying service for veterans who lack common second-factor methods or for authorized representatives without pre-enrollment — and the statute gives VA responsibility without prescribing how to balance those competing priorities.

The statute creates a clear security requirement but leaves key implementation choices unspecified. It does not name acceptable factor types, define required assurance levels, set a compliance timeline, or create an enforcement mechanism or penalty for noncompliance.

Those gaps force the VA to make technical and policy judgments that will determine both effectiveness and fairness.

Accessibility and representative access are unresolved. Phone authentication interacts poorly with standard second factors (smartphone apps, SMS) for veterans who lack devices or connectivity; the amendment provides no alternative verification pathways.

The "confirm participation is appropriate" requirement addresses authorization in principle but does not resolve how to authenticate power-of-attorney agents, fiduciaries, or emergency contacts without imposing burdensome enrollment processes. Finally, a foreseeable side effect is displacement: fraudsters may pivot to channels not covered or to social-engineering techniques that exploit the enrollment process itself, meaning MFA on calls is necessary but not sufficient to eliminate harm.
