The FFIEC's authentication guidance document says:
Financial institutions have made, and should continue to make, efforts to educate their customers. Because customer awareness is a key defense against fraud and identity theft, financial institutions should evaluate their consumer education efforts to determine if additional steps are necessary. Management should implement a customer awareness program and periodically evaluate its effectiveness. Methods to evaluate a program's effectiveness include tracking the number of customers who report fraudulent attempts to obtain their authentication credentials (e.g., ID/password), the number of clicks on information security links on Web sites, the number of statement stuffers or other direct mail communications, the dollar amount of losses relating to identity theft, etc.
Regulators are pretty insistent that "should" is the past tense of "shall," and not equivalent to "may." That said, the entire document is guidance.
You're in an institution where the CEO is pushing for spending a buck in the name of compliance and customer awareness. Count yourself lucky! I'd recommend you review what the vendors offer, check out the federal regulators' sites for any freebies, and then get the best of what's available out to your customers.