First Scenario: Possibly not. Had the customer previously given the login information to her ex? If so, had she notified you that he was no longer authorized to use it?
Second Scenario: I don't think you have an out on this one. Additionally, assuming the ex had to enter personal information (name, SSN, etc) belonging to your customer in order to apply for online banking, that's identity theft, and should be prosecuted as such.