As I recall, the FFIEC has guidance for the banks (your staff) but not customers. You have guidance on multifactor authentication for them, but that is all I am aware of. Prudent guidelines on your part would address this as to passwords, length, words, frequency of change, etc. I don't think they have found enough problems to require banks to do more than multifactor.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell