At a time when branch employees at many large banks are feeling more pressure to sell their customers products, the Wells Fargo scandal shows that the front-line workers who handle customer accounts present a threat that is often overlooked, some security and privacy experts say.

The scheme at the nation’s largest retail bank hits closer to home for some consumers in part because it wasn’t executed by sophisticated cybercriminals, but by everyday branch-level workers. Employees opened sham credit card and deposit accounts to meet sales quotas. In some cases they moved customers’ money without permission, leading those customers to face fees and other charges.

“The banks are working very hard to try and protect their accounts from outside,” says Steve Weisman, a professor at Bentley University who studies white-collar crime. He also is the author of the Scamicide blog. But internal problems are “happening more and more often,” he said, adding that employees have access to sensitive customer data.

Federal rules guide what bank workers are supposed to do. Bank employees need to make sure that customers’ information is stored safely, and they are required to sign confidentiality agreements, says Ed Mierzwinski, consumer program director at the U.S. Public Interest Research Group. Workers must also have a legitimate business reason for accessing a customer’s personal information and should not open accounts without permission, he said.

But as the Wells Fargo scenario and other fraudulent schemes show, some banks and regulators may not be doing enough to keep track of what employees actually do with customers’ personal information.

New York Attorney General Eric Schneiderman drew attention to the issue last year when he wrote a letter to the country’s big banks, including Wells Fargo, JPMorgan Chase and Bank of America, highlighting “security weaknesses” at the banks that he said allowed schemes to go “largely undetected.” Schneiderman included a list of changes that banks could make to better track how employees access and use customer information, such as adding daily reports on the accounts accessed by tellers and other employees. JPMorgan Chase and Bank of America declined to comment on their procedures for identifying unethical behavior.

At a Senate panel on Tuesday, lawmakers grilled Wells Fargo chief executive John Stumpf and regulators on when they learned about the questionable practices and why the practices were able to go on for years.

Stumpf outlined the changes the bank has made to protect customer data and catch the problematic behavior of employees opening more than 2 million accounts without permission. For instance, consumers now receive alerts within an hour if an account is opened in their name. Bank employees are also required to go through additional training and must do more to confirm a customer’s authorization before an account can be opened, according to a company spokeswoman. The bank has added staffers who are in charge of implementing these changes and has eliminated the sales goals that it said led to the fake accounts.

Still, Stumpf also apologized for not stopping the behavior sooner. “We now know those steps were not enough,” he said.

Thomas Curry, the U.S. comptroller of the currency, who heads one of the agencies responsible for examining and auditing financial institutions, testified that his office could have done more to stop the scheme and said the agency would be searching for similar practices at other banks.

“The actions against Wells Fargo highlight that we must continue our efforts to improve and refine the agency’s supervisory program, to sharpen our early warning processes, and to enhance our supervisory capabilities, particularly with respect to our largest, most complex banks,” Curry said. Richard Cordray, the director of the Consumer Financial Protection Bureau, also said the agency will be looking into whether employees at other banks have engaged in similar behavior.

Lawmakers called on Stumpf to be better about spotting warning signs from consumers, regulators and the bank’s employees. Sen. Robert Menendez (D-N.J.) told the story of a former Wells Fargo branch manager in New Jersey who said that she emailed Stumpf in 2011 to let him know that employees were moving customers’ money to fund new accounts. Menendez said the woman was later warned for not meeting her sales goals and eventually fired.

Stumpf said he did not remember reading her email.