Ok.. so I'm not done!
Regarding the delivery side of things.
1) Use a web-based delivery with email notification. I don't believe consumers or banks are served well by using email attachments. The cryptographic side of things is historically weak and it adds complexity.
2) Be very careful about the look and feel of the email. A large bank (with ~10% of the US depository - go figure that one out) got hit by criminals who emailed their customers with something that looked like email from them... It's incredibly easy to send email that is from someone other than the apparent sender. The email pushed them to a website that 'looked' like the bank. The users then logged in and were 'pushed' to the 'real' bank site, with their login information captured in the process.
Dangerous stuff...
I'd be very careful about keeping emails you send them uncluttered and clear as to their origination and where you are linking them to. A link to
www.yourbank.com is much less likely to be easily confused than a link to
http://www.notreallyyourbank.com/blah/blah/yourbank/%blah/%blah/%%%Imtryingtohackyou.html
See what I mean.
On the same note - the same institution I referenced above sent out emails of a marketing nature but used a 3rd party. The emails went out from: Bank Name <BankName#1.8722.92873456173829.1@email.bankname1.com>
Not very clear, is it? This is BAD FORM. Not only was it very unclear as to who the email was really from, but the domain name wasn't even that of the bank's. In short - the bank didn't learn the lessons of the activity that took place earlier in the year. They were (are) TEACHING their customers not to pay attention.
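An added example, not part of the original post: a pre-send check a bank's mail pipeline could run on each outbound plain-text notification, flagging a From address or link that is not under the bank's own domain and links with cluttered paths. The function names, the two numeric thresholds and both sample messages are assumptions constructed from the addresses quoted in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def in_domain(host, org_domain):
    """True only for org_domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    # The leading dot matters: "notreallyyourbank.com" must not match "yourbank.com".
    return host == org_domain or host.endswith("." + org_domain)

def lint_outbound_email(raw, org_domain):
    """Return a list of findings for a plain-text message before it is sent."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    if not in_domain(domain, org_domain):
        findings.append(f"from-domain: {domain or '(none)'} is not under {org_domain}")
    if sum(c.isdigit() for c in local) > 8:  # assumed threshold for tracking-style senders
        findings.append("from-local: machine-generated local part")
    for url in URL_RE.findall(msg.get_payload()):
        parts = urlsplit(url.rstrip(".,)"))
        if not in_domain(parts.hostname, org_domain):
            findings.append(f"link-host: {parts.hostname} is not under {org_domain}")
        if "%" in parts.path or parts.path.count("/") > 2:  # assumed clutter threshold
            findings.append(f"link-path: cluttered path on {parts.hostname}")
    return findings

# Constructed sample messages (not real mail).
CLEAN = ("From: Your Bank <statements@yourbank.com>\n"
         "Subject: Your statement is ready\n\n"
         "Sign in at https://www.yourbank.com/ to view it.\n")
CLUTTERED = ("From: Bank Name <BankName#1.8722.92873456173829.1@email.bankname1.com>\n"
             "Subject: Your statement is ready\n\n"
             "View it at http://www.notreallyyourbank.com/blah/blah/yourbank/"
             "%blah/%blah/%%%Imtryingtohackyou.html\n")

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("cluttered", CLUTTERED)):
        print(name, lint_outbound_email(raw, "yourbank.com"))
```
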