We have several online solutions for customers where they do not have the ability to move funds outside our organization. Therefore, they are not high risk based on that criteria. I am trying to get a handle on what type of customer information displayed through the system would constitute a high risk rating according to the examiners. Would having addresses, account numbers, SSN's, birth dates, or any combination of these items make the online solution high risk? Does anyone have experience with discussing this topic with regulators?

Any internet banking option that would allow customers to transfer funds outside of your bank (ACH, wire transfers, and bill pay for example) are considered high risk. Certainly I think if you have the customers social security numbers out there that would be high risk as well. Is all that information available via your online banking?

The guidelines apply to high risk transactions (which you and SarahH have already mentioned) as well as access to any non-public, personal customer information, which as you know includes account numbers, SSN's, birthdays, etc. Also, keep in mind that the guidelines do not require multi-factor authentication, they state that when these tranascations or information are available, single-factor authentication is not sufficient. There may be other ways to reduce the risk other than multi-factor authentication, although it looks like most FIs including mine will adopt MFA.

Does a customer have the right to opt-out of multifactor authentication on their accounts?

Only by opting-out of online banking totally.