I agree with AnonRegulator and murphysgirl. I would most definitely pass along all the info you have (the exact nature of the phone call your customer received, exact words used, and the phone number from your customer's caller ID) to the FBI, the FTC, and the Attorney General's office of the state the call originated from and the AG's office of the state in which your customer lives. I'd also warn your bank's customers in some manner with which management is comfortable.
I would make an immediate phone call to your core software provider and discuss this situation with them - brainstorm how this may/could have happened - and how you can lock down security a bit tighter.
Aggregate losses to U.S. businesses and consumers from this sort of fraud (which directly violates the Gramm-Leach-Bliley Act) are expected to near 2.8 billion dollars for 2006.
Just replacing the debit card and closing the file on it doesn't do a thing to prevent this from happening in the future. Sure, the authorities MIGHT choose not to investigate it, but they will definitely not investigate if nobody reports this stuff to them!
As to the SAR, I am not knowledgeable enough on that process and those regulations to give any advice.
_________________________
"Gratitude makes sense of our past, brings peace for today, and creates a vision for tomorrow." - Melody Beattie