We are implementing a new online loan application system. When we send a confirmation email to online applicants, do we have to send that through a secure email program? – IBA Compliance Connection

We believe that the automatic email sent to online loan applicants should be sent through the bank’s secure, encrypted email system. In our view, the emails would contain enough information about the customer to justify the added protection; even the fact that someone applied for a loan with the bank would be considered “personally identifiable financial information” subject to protection as “nonpublic personal information” under Regulation P. 12 CFR 40.3(o)(2)(d).

For example, if such an email were to fall into the wrong hands, someone could use that information to impersonate the customer and induce bank employees to reveal further confidential information about the account (a process known as “pretext calling” or “social engineering”). See FFIEC IT Examination Handbook, Information Security, Security Controls Implementation, Authentication; OCC 2000-14, Infrastructure Threats — Intrusion Risks: Message to Bankers and Examiners (May 15, 2000).

Also, note that the Interagency Guidelines Establishing Information Security Standards recommend the “[e]ncryption of electronic customer information, including while in transit.” And, if the bank chooses to encrypt any electronic information, then it might be exempted from the data breach requirements of the Personal Information Protection Act. 815 ILCS 530/5.