We're in the process of looking at "commercially reasonable security procedures". I thought I remember someone telling me that when you're offering security procedures that you must offer the commercial accountholder a choice between 2 different procedures in order to be compliant. Is this true and if so, what section of the code applies?

There is no requirement to offer multiple options. What you may remember is the FFIEC recommendation that a bank use more than one security check (more than a user name/password combo) to authenticate its customer's identity, depending on the risk involved.