According to the guidelines the FI cannot give a customer the option to opt-out. If tokens is the only form of MFA the FI will offer for IB access, then yes, the customer will not be able to access without a token. The key here is that single-factor authentication is no longer sufficient for online banking (unless your online banking product is so basic it does not allow any risky transactions like bill pay, ACH, wires, etc. and does not reveal any non-public personal information). Maybe your MFA solution will allow customers to logon with single factor, assuming account numbers and other non-public infor is masked. Then only customers that use bill pay need a token to get into that area. Again, I would really question the business decision to use tokens for your retail customers. Business customers, sure, but a Passmark solution for retail made much more sense for us, from a cost perspective and a user friendly envoronment perspective.
_________________________
The cannons don't thunder there's nothin' to plunder.