I agree with Reads Regs, this is probably part of your Information Security Program - and, while the FFIEC guidance does not specify the time interval before the lockout, most institutions put the time at 15 min. or less (depending on exposure and risk) - also, it is good to note the Visa PCI/DSS standards require a lockout after no more than 15 minutes (PCI 8.5.15 - see quote below) - while not all banks or bank systems may fall under these requirements, they are a good standard to follow...
"PCI 8.5.15 - If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session."
I hope this helps some.
Thanks,
Russ