Is your bank using encrypted email to communicate with you – the customer?

It occurred to me in November that I have been using basic email to communicate with my (wonderful) banking representative for years. The topics sent back and forth on email could not be more sensitive in nature. The information included requests to transfer funds, bank account numbers, mortgage renewals, line of credit requests, social security numbers, passwords, credit card information – and gulp! -> income information and income tax statements by way of file attachments. Not once did the Senior banking representative alert me that we should not be transferring this type of information when corresponding by unsecured basic email.  Nor did he provide me with an alternative secure email solution. He tends to be very customer-service oriented and understands and respects that my preference by far is to use the asynchronous communication method of email.  This way I can email him at midnight when it’s convenient for me, and he can respond when it’s good for him. However, convenience and customer preference should never override the fundamental right to privacy or securing my ultra-sensitive information.  It’s also important to note that I bank with one of the 2 largest (and most profitable) banks in the country.  It is unequivocally the banking institution’s responsibility to 1) ensure that my confidential and private information is only seen by intended recipients and 2) accommodate my preference for email communication.  In that order, but preferably both. When this uneducated and naive customer (me) finally understood that my emails were not secure and could easily be intercepted once it leaves my computer and travels through various nodes in the world ‘wild’ web en route to its final destination, I brought the subject matter up with my rep.  My aha occurred after 313 emails were sent to my banking rep - yes, I counted them – which does not include emails received. After my inquiry, my banking rep advised in November of last year that he ‘did’ have access to an encrypted email solution, but did not seem to be that familiar with it.  He would get back to me.  I reminded him about this again the following January - after sending him 10 additional confidential emails during the 2 month lag. He finally sent me a link to a web page for accessing their secure banking email. It was a one-page badly laid out and confusing user interface. It looked like a school project from a comp sci first year student. And that student would have undoubtedly received a ‘C’ for that project.  But the worst part of this experience is that the password for accessing the secure email site was created and sent to me by my banking rep using basic email! I tried to respond to his encrypted email, but the ‘solution’ sent me a canned email requesting my ‘encryption certificate’ and to include my ‘digital ID’.  It read: “The easiest way to do this is to apply a digital signature to your reply using your e-mail software.”  Huh? The comp sci first year student who developed this tool clearly did not speak my language, which is English.   I emailed my banking rep to find out what this meant, and he replied that he may not have followed the process correctly. And that was the end of that. (true story) I came up with 3 conclusions as a result of this experience.

1.  Lack of Confidence that Humongous Bank cares about securing my Confidential Information

I have very little confidence that my humongous and well-established bank cares about securing my private and confidential banking, personal or financial information. It has not trained its staff to understand the importance of securing customer communication and passwords.  Does encrypted email only become a recommended option when a customer inquires about security?  I’ll also clarify that my banking rep has been with the bank for at least 20 years and is not a junior account rep.

2.  Banking & Financial Services 101: User-Friendly Email Encryption Solutions that work

Providing me with a secure and user-friendly email encryption solution without requiring a technology dictionary and a 10-page instruction manual to use it, is NOT a difficult task for an extremely profitable banking institution.  After all, they have figured out the technology and user-interface for Internet banking? The email encryption solution that I was provided has to be an embarrassment to any successful or progressive organization – but particularly one that provides financial services. And let’s not forget about policies regarding basic email.  If financial services organizations are permitting their staff to communicate with customers using an unsecured email system, at minimum, data leak prevention policies and tools must be in place to ensure that if/when confidential information is included in a basic email such as bank account numbers, passwords or credit card numbers, then the sender would be alerted – if not prevented from sending the email. It appears as though even humongous bank does not have to adhere to basic and fundamental principles in securing customer information and privacy.

3.  Banking & Financial Services Customers are Unaware that Basic Email is not Secure

My banking rep does not often use his email encryption solution and doesn’t seem to be familiar with it.  I am left to conclude that his hundreds of other banking customers are clearly not clamoring for their private information to remain secure, likely because most have no clue that email is not secure and that straightforward alternatives do exist. To all banking or financial services customers, or any customer of an organization where your confidential information is exchanged:  Using unsecured email or fax is like shouting something across a crowded room.  If you are willing to take the chance that your private, confidential or financial information is intercepted and seen by the occupiers of a crowded room, then by all means, carry on with the status quo.  How about a nice order of identity theft with that email?   Ariane Laird works with Email2.