Email may be the oldest direct-to-consumer digital channel still around, but it’s not going away any time soon. In fact, The Financial Brand found that 70% of all consumers (and 72.1% of older Millennials) think email will still be around in a decade, more than any communication channel they were asked about, including cable TV and social media.
Given email’s continued longevity, we’re highlighting three important trends in financial services emails that institutions should pay attention to as they continue to engage consumers through their inboxes.
Protecting users’ data privacy: then and now
Consumers have become increasingly vigilant about ensuring that all businesses protect their data, particularly in the financial services vertical. A Harris Poll survey conducted in seven countries found that 75% of adults will not buy a product from a company – no matter how great its products are – if they don’t trust that company to protect their data.
The European Union has long been strict about how companies handle its citizens’ private data. The Data Protection Directive (DPD) adopted in 1995 outlined seven principles that regulated the collection and processing of personal data, including names, addresses, government-issued ID numbers, credit card numbers, and bank statements. It affected all companies that handled data within the EU, including businesses physically located outside the EU that conduct transactions within its borders.
However, enforcement of the directive was difficult and expensive, due to the differing privacy laws in the EU member states, which led to the development of the General Data Protection Regulation (GDPR). The GDPR went into effect in May 2018 across the EU, ensuring that companies would no longer have to take different national laws into account. As with the DPD, companies must comply with it when handling EU citizens’ data, even if those businesses are headquartered outside the EU.
Data privacy rights under today’s GDPR
The GDPR offers EU citizens several rights, including:
- An explicit consent requirement for the collection of personal data
- A 72-hour deadline for breach notifications
- The ability to request a copy of personal data and know how it’s processed
- A data erasure option (“right to be forgotten”)
- Control over moving data from one company to another
In addition, the GDPR requires companies to build data privacy into the foundation of all system designs and to appoint Data Protection Officers who have specific duties.
The GDPR doesn’t affect sending email, as long as the company has the consent of EU citizens. There’s no specific data retention requirement, including email storage, but the “right to be forgotten” may be superseded if the company needs to retain user data to comply with a legal obligation, such as financial regulations. There are other exceptions too.
Email as a vector for cyber attacks: then and now
Cybercrime in the financial services community is sharply rising. According to IntSights Cyber Intelligence, the average number of cyber attacks per US bank was 520 during the first half of 2018, more than double the 207 recorded in the first half of 2017. Many of those assaults happen through increasingly sophisticated phishing, spear phishing, and spoofing efforts that trick email recipients into clicking malicious links.
Part of the reason for email being a popular vehicle for cyber attacks is its use of SMTP (Simple Mail Transfer Protocol), which was developed in 1982 and has no authentication mechanisms. In the early 2000s, two standards were developed that layered authentication controls onto SMTP:
- SPF (Sender Policy Framework): This standard lets a domain owner publish in DNS which mail servers are authorized to send email for that domain, so an inbound mail server can check that a message actually came from one of them.
- DKIM (DomainKeys Identified Mail): This authentication method adds a digital signature to an email header. An inbound mail server validates it against a public cryptographic key in the sending organization’s public DNS records.
Wrapping SPF and DKIM into today’s DMARC security protocol
While SPF and DKIM are useful for reducing malicious email, neither of them allows domain owners to specify how unauthorized emails should be handled by inbound mail servers. DMARC (Domain-based Message Authentication, Reporting, and Conformance) does that by allowing companies to publish policies that define their email authentication practices and provide instructions for enforcing them.
With DMARC in place, an inbound mail server uses that policy to determine whether to accept, reject, or quarantine a message. Email senders can use DMARC to receive aggregate reports that show how many emails were rejected and quarantined, as well as forensic reports that help administrators troubleshoot authentication issues and identify malicious domains and websites.
SPF, DKIM, and DMARC are free to implement and aren’t difficult to use. While the five largest banks in the U.S. have deployed DMARC, only 11 of the top 50 banks in the U.S., and 9 of the 50 largest banks in Europe, are using it, according to the Global Cyber Alliance.
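To make the SPF/DKIM/DMARC interplay described above concrete, here is an added, simplified DMARC evaluator (example code, not from the article or any mail vendor): it parses a published DMARC record, checks whether a passing SPF or DKIM result is aligned with the visible From domain, and returns the disposition the record asks for. The domain names and the `AuthResult` inputs are constructed for illustration, and the organizational-domain check is an approximation that skips the Public Suffix List.

```python
"""Simplified DMARC evaluation (RFC 7489 semantics, reduced to the core rule):
a message passes DMARC when SPF or DKIM passes AND that result is aligned with
the RFC5322.From domain; otherwise the record's p= policy is applied."""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    accepts any domain sharing the organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


@dataclass
class AuthResult:
    passed: bool
    domain: str  # domain the check vouched for: MAIL FROM for SPF, d= tag for DKIM


def dmarc_disposition(record: str, from_domain: str,
                      spf: AuthResult, dkim: AuthResult) -> str:
    """Return 'pass' when DMARC passes, else the policy action (none/quarantine/reject)."""
    tags = parse_dmarc_record(record)
    spf_ok = spf.passed and aligned(from_domain, spf.domain, tags.get("aspf", "r"))
    dkim_ok = dkim.passed and aligned(from_domain, dkim.domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # Constructed record for a hypothetical bank.example domain.
    rec = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@bank.example"
    legit = dmarc_disposition(rec, "bank.example", AuthResult(True, "mail.bank.example"), AuthResult(False, ""))
    spoof = dmarc_disposition(rec, "bank.example", AuthResult(True, "other-sender.example"), AuthResult(False, ""))
    print("legitimate:", legit, "| spoofed From with unaligned SPF:", spoof)
```

The second case is the one SPF alone cannot catch: SPF passes for the sender's own domain, but because that domain is not aligned with the From header the bank's policy tells the receiver to reject the message.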
Email design: then and now
In 2011, mobile device users accounted for just 8% of email opens, according to Litmus. Back then, designers had a larger canvas to work with because they could assume that most people were opening emails on their computers.
However, Litmus saw email opens on mobile devices leap to 46% in June 2018, and the company believes that percentage could actually be 67% when accounting for the fact that Gmail counts email opens the same whether they happen in a web browser or in a mobile app. Litmus made the adjustment because Google says 75% of Gmail users access email on mobile devices.
3 characteristics of modern financial services emails
Given how many people open email on mobile devices today, it’s imperative that financial services companies adopt a “mobile first” mindset. There are three key ways they can do that:
- Make emails mobile responsive: Like the way responsive websites automatically adapt to the user’s device, responsive emails adjust their layouts on mobile so recipients can read them without zooming in and scrolling around.
- Use the highest resolution images possible: Many people own mobile devices with high-definition displays, so senders should ensure logos and photos don’t look pixelated when they open emails.
- Take advantage of preheader text: Also known as preview text, this is a short snippet that appears below the subject line. It’s valuable for prompting people to open emails – if the preheader text isn’t specified, the mobile email client will default to something like, “Click here to view this email online with images.”
Financial services companies should consider those three trends when creating emails and sending them to consumers, so they help protect users’ privacy, fend off the bad guys, and keep engagement rates high.