I haven't been on this particular forum in quite a while, so I apologize for the late response.
The main issue that I see is that the last 4 SSN is a really poor safeguard. The only saving grace would be IF the system forced the customer (or member) to change the password the first time he or she accesses it.
Otherwise, the account is wide open for ID theft takeover. I like to use the example of a receptionist at your dentist or doctor. You write a check for your co-payment and hand it to the receptionist. Between the information on your check and the information in your medical file, he or she has everything needed to take over the account.
_________________________
CRCM, CAMS
Regulations are a poor substitute for ethics.
Just sayin'