Answer:
From the FFIEC FAQ:
Q-1- May an institution permit customers to “opt-out” of additional authentication controls?
A-1- No, the Agencies believe that permitting customers to opt-out is not an effective risk mitigation strategy and would undermine the effectiveness of the control. In addition, this would not address reputation risk to the institution. However, an institution may permit customers to choose between different authentication options provided the options offered are consistent with the guidance.
The complete document can be found here.
First published on BankersOnline.com 3/12/07