Answer by Michael Guard:
I think posting the additional notice is an excellent idea. In fact, unless you can take steps to independently verify the customer's identity, you may want to remove email links from your site altogether. The only truly safe way to respond to such a request (i.e., a request that would involve sensitive or confidential information) would be to require the customers to adopt some form of secure encryption for their email and utilize digital signatures to authenticate themselves to the bank.
Answer by Andy Zavoina:
While I totally agree that you should do everything to tell customers that they should not send confidential information through an unsecured medium such as e-mail, you may not be able to ignore these. Fraud notifications via e-mail, once sent and received, have placed upon the bank some liability for losses after that.
As an example, Reg. E, under 205.6(b)(5), states "Notice to a financial institution is given when a consumer takes steps reasonably necessary to provide the institution with the pertinent information, whether or not a particular employee or agent of the institution actually receives the information.
(ii) The consumer may notify the institution in person, by telephone, or in writing.
(iii) Written notice is considered given at the time the consumer mails the notice or delivers it for transmission to the institution by any other usual means. Notice may be considered constructively given when the institution becomes aware of circumstances leading to the reasonable belief that an unauthorized transfer to or from the consumer's account has been or may be made."
Additionally, the Federal Financial Institutions Examination Council Guidance On Electronic Financial Services And Consumer Compliance dated July 15, 1998 states: "Pursuant to Section 205.6, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required."
(This is also in FIL 79-98, OCC 98-31, OTS CA 370)
Clearly there is some burden on the bank. While you may require additional verifications, it is only prudent to take some steps upon notification of facts. That is, discourage the transmission of confidential information in a non-confidential medium, but don't ignore it if you get it.
First published on BankersOnline.com 8/6/01