
Customer Email Policy

Question: 
We have a message posted on our Web site that tells customers not to submit emails that contain sensitive or confidential information and that tells them not to use email for specific transaction-related requests. Our system gives us the capability of doing auto-responders to any email submitted. We have drafted an auto-responder that thanks the sender for their message, acknowledges that it was received, but basically reiterates our policy about how they shouldn't be sending confidential or sensitive information or anything about a specific transaction or account. It has been suggested that we might want to add something to it to say something like "We will not act upon email requests for funds transfers, stop payments, account closings, or fraud notifications. These must be done either in person, or by calling such and such number." I'd like to know whether you think this is a good approach or whether there's a better way to handle this. We almost considered not even posting an email address on our site at all to just stop the email.
Answer: 

Answer by Michael Guard:

I think posting the additional notice is an excellent idea. In fact, unless you can take steps to independently verify the customer's identity, you may want to remove email links from your site altogether. The only truly safe way to respond to such a request (i.e., a request that would involve sensitive or confidential information) would be to require the customers to adopt some form of secure encryption for their email and utilize digital signatures to authenticate themselves to the bank.

Answer: 

Answer by Andy Zavoina:

While I totally agree that you should do everything to tell customers that they should not send confidential information through an unsecured medium such as e-mail, you may not be able to ignore these. Fraud notifications via e-mail, once sent and received, have placed upon the bank some liability for losses after that.

As an example, Reg. E, under 205.6(b)(5), states "Notice to a financial institution is given when a consumer takes steps reasonably necessary to provide the institution with the pertinent information, whether or not a particular employee or agent of the institution actually receives the information.

(ii) The consumer may notify the institution in person, by telephone, or in writing.

(iii) Written notice is considered given at the time the consumer mails the notice or delivers it for transmission to the institution by any other usual means. Notice may be considered constructively given when the institution becomes aware of circumstances leading to the reasonable belief that an unauthorized transfer to or from the consumer's account has been or may be made."

Additionally, The Federal Financial Institutions Examination Council Guidance On Electronic Financial Services And Consumer Compliance dated July 15, 1998 states: "Pursuant to Section 205.6, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required."

(This is also in FIL 79-98, OCC 98-31, OTS CA 370)

Clearly there is some burden on the bank. While you may require additional verifications, it is only prudent to take some steps upon notification of facts. That is, discourage the transmission of confidential information in a non-confidential medium, but don't ignore it if you get it.

First published on BankersOnline.com 8/6/01

