OpenID Connect Core Spec states:
"If the acr Claim is requested as an Essential Claim for the ID Token with a values parameter requesting specific Authentication Context Class Reference values and the implementation supports the claims parameter, the Authorization Server MUST return an acr Claim Value that matches one of the requested values. The Authorization Server MAY ask the End-User to re-authenticate with additional factors to meet this requirement. If this is an Essential Claim and the requirement cannot be met, then the Authorization Server MUST treat that outcome as a failed authentication attempt.“
The spec does not state what treating this as an failed authentication attempt means. In a discussion on the list the consensus was the OP should return a generic authentication failed error code to the RP and let it decide how to proceed.
The proposal is to use a new "authentication_failed" error code.