Actually, rather than being rude to the programmer, point out that the Acceptable Use Policy and Security Policy disallow users from that kind of activity. They would have agreed to those things when they signed on and if your company, a bank, doesn't have one, you have something that has to be created before doing anything else.