US regulators don't normally specify down to 'require SIM-based authn'. Instead they give vague directives that companies have to determine their own implementation for meeting. And the implementation needs to be blessed by corporate AND insurance company lawyers, which too often ends up meaning those lawyers dictate the implementation.
