I came across an interesting article yesterday from BankersOnline. Seems like if your identity is going to be stolen, it's best stolen from a bank since we're regulated and must inform the customer and the media in the event of a large breach.
"Breached Identity Misuse Lower Than Anticipated
In its first-ever study of national data breach figures, identity risk firm ID Analytics found there have been few instances of fraudulent use of breached identities. The findings, based on detailed analysis of four major data breaches, noted the highest rate of misuse was one in 1,000 for identity-level breaches, which pose the greater risk than account-level breaches that contain less personal identifiable information. The study also found that consumer risk falls if the data loss is part of a large-scale data breach, since fraudsters do not have the capacity or resources to capitalize on such large amounts of data. Another key finding showed that customer notification efforts might have a deterrent effect on identity thieves, who slowed their use of stolen data after public notices were issued."
As for the 10-day rule, that is true, but only when the claim is made in writing to the bank as an initial contact, of shortly thereafter. The bank in question believes that it did everything that it could in investigating the initial verbal complaint, even though, IMO, it did so half-heartedly.
I think the OP is taking the right steps now to fix the problem with the bank, and I hope that she and her ex have taken their accounts to another institution. (Truthfully, I hope to read about this incident in one of the trade journals that I receive saying that the bank was levied a heavy fine from its regulator because of the way they handled the situation.)