This whole issue is pretty confusing, especially when banks want to be on the up and up as Jan 1 approaches. The gov can't really enforce something that is so vague on paper, can it? The technology part of it is simple in theory: stick it on the front-end and challenge customers that meet certain metrics (geolocational IPs or $$ limits). You can set your metrics very, very low so as to challenge/inconvenience the least number of customers. The hard part is the impact on service levels in your call centers and the extra call volume generated by this extra MA security layer, even with metrics set low. Do you implement all at once, or try to do it on a state-by-state or branch-by-branch approach, as your phone lines will be clogged with people who are learning and locked themselves out (maybe set up a special 1-800# for MA questions to limit the impact on other callers)? Also, will your MA be implemented the same for business customers and regular consumers? Gov isn't clear on this. Will you expect a business CFO to tell the MA answers he/she selects or the picture passcode to all the bookkeepers and managers that log in to check the business accounts, and does that really make it any safer then?
I'd say as long as you are doing something internally you will be fine. The longer you wait to pick a vendor, the more the vendors will have learned from other banks being their guinea pigs for these new methods of security.
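The front-end challenge rules the post sketches (geolocation mismatch, dollar limits, a separate policy for business accounts) and a way to measure how many logins they would challenge before rollout, as an added example that is not part of the original post. The function names `needs_step_up` and `challenge_rate`, the limits, and all profiles and login events are constructed for illustration.

```python
"""Added example: risk-based step-up rules plus a challenge-rate check for tuning.
All customer profiles, login events and limits are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Profile:
    customer_id: str
    home_country: str   # country the customer normally logs in from
    business: bool      # business accounts get their own dollar limit


@dataclass
class Login:
    customer_id: str
    ip_country: str         # country resolved from the client IP (geolocation)
    transfer_amount: float  # largest transfer requested in the session, 0 if none


def needs_step_up(profile: Profile, login: Login,
                  consumer_limit: float = 5000.0,
                  business_limit: float = 25000.0) -> list[str]:
    """Return the reasons this login should get an extra challenge (empty = none)."""
    reasons = []
    if login.ip_country != profile.home_country:
        reasons.append("geo-mismatch")
    limit = business_limit if profile.business else consumer_limit
    if login.transfer_amount > limit:
        reasons.append("amount-over-limit")
    return reasons


def challenge_rate(profiles, logins, **limits) -> float:
    """Fraction of logins challenged under the given limits: a proxy for the
    extra call-center load, so thresholds can be lowered before go-live."""
    by_id = {p.customer_id: p for p in profiles}
    hits = sum(1 for lg in logins if needs_step_up(by_id[lg.customer_id], lg, **limits))
    return hits / len(logins)


# Constructed sample data (hypothetical customers and sessions)
PROFILES = [Profile("c1", "US", False), Profile("c2", "US", False), Profile("b1", "US", True)]
LOGINS = [
    Login("c1", "US", 200.0),     # routine consumer login: no challenge
    Login("c1", "RO", 200.0),     # same customer from a foreign IP: challenge
    Login("c2", "US", 8000.0),    # consumer transfer above consumer limit: challenge
    Login("b1", "US", 8000.0),    # same amount on a business account: no challenge
    Login("b1", "US", 30000.0),   # business transfer above business limit: challenge
]

if __name__ == "__main__":
    by_id = {p.customer_id: p for p in PROFILES}
    for lg in LOGINS:
        print(lg.customer_id, lg.ip_country, lg.transfer_amount, needs_step_up(by_id[lg.customer_id], lg))
    print(f"challenge rate: {challenge_rate(PROFILES, LOGINS):.0%}")
```

Raising `consumer_limit` to 10000 drops the sample challenge rate from 60% to 40%, which is the kind of trade-off between fraud coverage and call volume the post describes.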