Hello,

My bank recently informed the staff that we are no longer able to conduct business with customers via email due to security concerns. This affects me because I often email known business customers balances and transfer requests daily (account numbers or social security numbers are never included). The bank would prefer us to fax this information instead. This seems counter-productive to me, because faxes are just as insecure as emails. The staff has voiced opposition to the new rule and of course, we have been delegated to find out how other banks handle emails with customers and if there is any regulation regarding emailing customer information. Can anyone provide any insight? Thank you very much.

Rule #1 - No customer information is sent in an e-mail that is not through some sort of encryption.

That is pretty standard information security practice industry wide.

Do you not have on-line banking? Maybe it is time to look into that if your customers need this sort of information on a daily basis.

We normally would direct these types of inquiries toward our online or telephone banking systems. When we need to send the data out by other means we use faxes, online banking messages, or an encrypted email service. The encrypted email service (run by our firewall provider) is really just a secure website. When an employee sends a secure email the customer receives a message asking them to setup a password for their email address on the site. Then when they receive future messages saying they have an encrypted email, they just log in to the secure site with the password they setup. We haven't had an customer complaints about the system since we started using it.

On the security of faxes vs. email... While its true that most faxes aren't encrypted, they do provide some security by the means they are transmitted. Someone would have to tap a fax receiver into that specific line in order to intercept it. As for faxes being picked up off the machine by someone other than the person intended - that is the recipient's responsibility to have proper fax machine security practices on their end. Emails can have a similar risk if the recipient leaves their email client logged in (but not locked) when they are away from their desk (or phone, laptop, etc.) Where the biggest danger lies is in the fact that unencrypted emails are like the postcards of the internet. Anyone with access to the dozens of machines between you and your recipient can read the message. It could be an ISP employee, government agency, or hackers. It's a risk you shouldn't take with a customer's non-public information.

The risk to your bank is extreme if any non-public customer information is ever used fraudulently and could be traced back to your institution due to an unencrypted e-mail. Plenty of case law exists which puts the financial institution in a position of liability in these cases.
In this day and age, with all the fraud out there, and in this regulatory environment, sending anything to a customer via e-mail that contains any of their account information or other information about their relationship with your bank, should not occur.
That's what online banking systems and encrypted e-mail services are for.
Even faxes are much more secure than Internet e-mail. Faxes involve point-to-point connections and the recipient is responsible for the handling of the fax on their end (we put a disclaimer on the cover page of our faxes that directs the recipient not to use the fax if they are not the addressee).

"encrypted email service"

^^^ Ditto

encrypted email (although many of our bankers don't employ this, and we have terminated in the past for failure to use it...)

Encrypted has been the way for us for years. Can't harp on this enough, esp. with the commercial lenders.

YES!! Not sure why they think the Privacy laws don't apply to commercial customers...........................

we are in the process of updating our email servers to automatically encrypt every email, takes the decision out of the bankers hands...they no longer need ot "rememebr" to do it

Those of you that use secure or encrypted email, do you mind me asking who you use and perhaps the cost of using it?

I will say that when someone has a question of me, that is they are looking for my help and assistance - generally free of charge - and they send me an encrypted email I hate it. The questions don't include names or confidential info, just ""A" gave "B" a debit card to withdraw $100 and $200 was taken before the card was returned..."

When I have to open the email, follow a link and register my contact information before I know what the question is - well let's say I'm not a happy camper. Personal correspondence like that falls to the bottom as it it is time consuming. And if I have to allow anything to be installed on my PC, I'm very apprehensive and it may not get opened at all.