Tuesday, July 7, 2026

We've opened a secure channel. Please email us the password.

Consumer · Field notes REF / SECURITY — FOLLOW-UP

A follow-up. Of the two banks that asked me to email my identity and income documents, one has now run its full course — a refusal, a threat, a climbdown, an apology, and then, at the very last step, a request to email the one thing that should never be emailed.

A while ago I wrote about two banks that, in the same stretch of weeks, asked me to send proof of identity and proof of income by email — the one channel they spend a fortune warning me never to trust. This is what happened when I stopped complying with one of them and started pushing back. It has, I’m pleased to report, a sort of happy ending. It also has a punchline neither of us should be proud of.

Where we left off

The secure upload portal they pointed me to returned a dead link. The mobile app I authenticate into with my face offered no way to upload a document. And when I pointed both of these out, the answer came back that email was, regrettably, the only way.

Exhibit — the only solution

“We kindly ask you to send the requested documents by email, as we do not have any other solution to proceed with and complete this case.”

“No other solution” is doing a lot of work there. It describes a gap in their own systems — a portal that doesn’t load, an app that can’t upload — and reaches for the insecure channel as though it were a law of nature rather than a thing they hadn’t finished building.

The refusal

I declined to send a complete identity-and-income bundle as an unencrypted attachment, and proposed the method the national data-protection regulator itself recommends: an encrypted file, with the password shared separately, by telephone. I cited the law — the provision that requires appropriate technical measures, including encryption where appropriate, for personal data of this kind — and the regulator’s own guidance that email is rarely a safe way to move it. I mentioned, for good measure, that the same regulator had already fined a company precisely for asking its customers to email personal data.

The threat

The reply engaged with none of that. Instead it recast my position — a “decision not to provide the required information” — which was simply untrue; I’d offered to provide everything, securely. And it attached a list of consequences.

Exhibit — the consequences

Rejection of certain banking transactions. Inability to access certain services. Blocking of payment methods. And, “possibly, termination of the business relationship.”

Nothing quite concentrates the mind like being told your account is on the line over the question of which envelope you use. I could have folded there, and I suspect most people do — which is rather the point of putting the sentence in.

The climbdown

So I escalated, and copied in the data protection officer. That changed everything. Within a few days: an apology, an explicit acknowledgement of the security concern, a note that the relevant teams had been reminded of good practice, confirmation that the portal fault was being investigated, and — the thing I’d been asking for the whole time — a secure workspace, opened for thirty days, for me to upload the documents into.

This is the part where the system worked. The desk whose actual job is data protection understood the problem in a sentence. The people who’d been demanding the data hadn’t understood it at all.

The one person whose job was data protection got it at once. The people asking for the data never did.

The last step

And then, having built the secure channel, they asked me to send the password to it — by email.

Exhibit — the last step

Upload the documents to the secure workspace; then “send the password separately” by email. And — this is the part that stings — “please note that any text entered in comment or message fields is not encrypted during transmission… do not include the password or any sensitive information.”

Read that twice. They understood channel security well enough to warn me off the unencrypted comment box — and in the very same breath, asked me to put the password in an email. The link to the secure workspace had also arrived by email. So both halves — the way in, and the key that opens it — would end up sitting in the same inbox, one compromise away from being lifted together.

The entire point of sharing a password “separately” is that it travels by a different channel, so that no single breach hands over both the lock and the key. A password by email, when the link came by email too, is not a different channel. It’s the same envelope, posted twice.

The oldest secure channel

By this point I was, as it happened, in the country where the bank lives. So I did the one thing in this entire saga that turns out to have no security holes at all: I put copies of the documents in a folder, walked into a branch, and handed them across the counter against a dated receipt.

No transport encryption to argue about. No attachment left decrypted in anyone’s sent folder. No password to send by any channel, secure or otherwise. Just paper, a human, and a stamp. The oldest method in banking quietly outperformed every digital channel the institution owns — not because those channels are bad ideas, but because not one of them had been finished to the point where it actually worked from end to end.

That’s the whole story, in the end. The security was never missing. It was there in pieces — a portal, an app, a secure workspace, a data protection officer who understood all of it — and it stopped, every single time, one step short of the place I actually needed it.

The security was never missing. It just stopped, every time, one step short of where I needed it.

That’s one of the two closed out. The other bank — the one that assured me its email was “securely encrypted,” then admitted it had no portal at all — is still, at the time of writing, thinking about it. That’s a story for when it ends.

Ends

We've opened a secure channel. Please email us the password.

Consumer · Field notes REF / SECURITY — FOLLOW-UP A follow-up. Of the two banks that asked me to email my identity and income document...