So how could a bank employee steal $29 million over three years without someone noticing?

That's the question bank authorities and security consultants were asking Tuesday after a KeyCorp executive was charged with fraud and embezzlement.

The case is the largest bank embezzlement case in local history, according to the U.S. attorney's office.

The KeyCorp executive, David Verhotz, 56, remained in the custody of federal marshals Tuesday, pending a bond and probable cause hearing on Thursday. He is accused of embezzling in his role as the senior vice president who ran KeyCorp's global trade services unit and provided loans to foreign banks.

Meanwhile, court records from Verhotz's August divorce reveal he earned $110,000 a year and that his wife asserted he regularly visited a girlfriend in New York City while they were still married. According to the FBI, Verhotz used some of the money he allegedly stole to buy a $5.7 million home on Long Island in New York.

A bank employee should never be able to pull off a scam for three years without detection, said security expert John Christman of Security Management Consultants in California.

"All I can say is, the bank must have a lousy accounting system," Christman said.

Banks are supposed to have "a system of checks and balances and periodic audits when you have those sums of money involved," he said.

Further, banks should periodically run background checks on employees who have access to large amounts of money, Christman said. "You can run checks to see whether people are living beyond their means," he said. Certainly, a credit check would have revealed large credit-card bills that were being paid off mysteriously, and property records would have shown the $5.7 million New York home, he said.

Bank security expert Bill Hawthorne of Maine agreed that banks should have mechanisms to find out whether a modestly paid employee "is suddenly living in the style of a person making a million a year."

Even more elementary, Hawthorne said, banks must comply with numerous security procedures mandated by federal regulators. "These are not voluntary," he said.

Some types of bank transactions are supposed to be authorized by more than one person; other types are supposed to be audited or checked by another person.

Even a high-level executive shouldn't have totally free rein over millions of dollars - or even $10, Hawthorne said.