Yes, I see a lot of banks doing this, and I highly recommend it. There isn't any specific "regulation" that requires it though. It is just a good practice. Some banks will review it and if they see repeated attempts - usually double digits and the customer hasn't called in to get reset - the bank gives a courtesy call to make sure it is the customer trying and not someone else.
You should also monitor the administrators' activity too, including those who reset the passwords.
_________________________
Susan Orr, CISA CRP CISM
susan@susanorrconsulting.com
630.499.0276