If a customer reports a stolen access device, a financial institution should:

When a customer reports a stolen access device, the financial institution has a responsibility to protect the customer's account and mitigate any potential fraud. By canceling the existing device and issuing a new one, the institution effectively prevents any unauthorized transactions that could occur if the thief still has access to the account.

The rationale behind this approach is grounded in maintaining the security of customer accounts and adhering to best practices in fraud prevention. It ensures that the old access device, which could be in the hands of someone who might use it fraudulently, is promptly deactivated to safeguard the customer's financial assets.

This proactive measure not only serves to protect the bank’s interests but also reinforces customer trust by demonstrating a commitment to security. It helps avoid potential liability for unauthorized transactions, as financial institutions are often liable for losses incurred due to fraud if they fail to take appropriate action upon notification of suspected fraud.

In contrast to the other choices, which suggest a more passive or conditional response, issuing a new device while canceling the old one is the most comprehensive strategy for managing the risk posed by a reported stolen access device.