FFIEC guidance tells you your password needs to change periodically, 90 days, but there is no such requirement for your customers. You may opt to impose one.
Two schools of thought are that it may prompt the sticky note on the monitor with the password, and it may upset your customer, BUT it certainly makes it safer for online banking. Educating your customer as to why this is so may make it more palatable. I also think it will force them to have a different IB password than they use for Facebook. I used to be against such a requirement. After helping write Tech Talk and seeing more breach stories, my opinion has changed. The threat environment is greater than it was a few years ago.
http://www.bankersonline.com/technology/techtalk.html (You can see the current copy here, link to Archives, and the free subscription.)