It might be tempting to treat an employee's email or phone request differently because, well, they're an employee. But, It's too easy to "spoof" Caller ID and sending email addresses, and in a big bank with lots of branches, you may not know your employees all that well. So, for the reasons listed above, it's smarter to apply the same security measures you use when the request is from "just a customer." Your employee may be slightly inconvenienced (nowhere near as inconvenienced as they would be if the email or call turns out to be a scam), but they should be glad for the security measure.
John S. Burnett
Fighting for Compliance since 1976
Bankers' Threads User #8