Email remains the primary channel through which advisers, platforms, and providers communicate with clients - yet it is also the channel most exposed to human error, interception, and compliance risk.
With FCA PS25/13 now making electronic communication the default mode for relevant MiFID-derived retail-client disclosures, and with increasing scrutiny under Consumer Duty, financial organisations need secure email processes that protect client data and deliver reliable evidence of delivery and access.
This guide brings together research, regulation, and practical implementation advice to help regulated firms choose, configure, and operate secure email with compliance considerations in mind.
Financial services professionals handle some of the most sensitive categories of personal data: financial history, investment behaviour, medical details for protection products, identity documents, and regulatory disclosures.
Email is still the channel most often used to send this information - yet it was never designed to be secure.
At global scale, volume alone increases exposure - email traffic runs to hundreds of billions of messages per day.
The Risk Landscape Is Expanding
Cyber threats continue to evolve.
Phishing and social engineering remain among the most common routes into organisations, and breach reports show the wider cost of incidents continuing to rise.
Interception also remains a credible risk wherever data travels without encryption.
But the most frequent problem is still everyday human error - a mis-typed email address, the wrong file attached, or a message forwarded to a personal mailbox.
In our research on UK consumers, one in four people reported sending personal data to the wrong recipient.
"Most regulated organisations don’t struggle with a lack of policy. They struggle with day-to-day misdelivery risk - the human moments where the wrong email address or attachment becomes a reportable incident."
Carole Howard, Head of Networks, Beyond Encryption (Mailock)
Those day-to-day risks are why secure email needs to work at the point of send, not only in policy documents.
What Secure Email Is - and What It Isn’t
Adding Protection to a Vulnerable Channel
A secure email service adds layers of security to email infrastructure you already use.
These layers typically include:
Encryption - protecting content at rest and in transit
Recipient authentication - making sure only the intended person can open it
Audit trails - recording access for compliance
Revoke - removing access to mis-sent messages
Security alerts - prompting secure send when sensitive content is detected
Many of these protections support compliance expectations under GDPR and relevant FCA and MiFID requirements, particularly where organisations follow ICO guidance on applying encryption as a safeguard.
Email interception occurs when a third party gains access to a message in transit or on a mail server.
Without encryption, intercepted content can be read in plain text, exposing personal and financial information.
Phishing
Phishing remains one of the most reported cyber attack methods worldwide.
It involves deceptive emails or messages that appear to come from trusted organisations, tricking recipients into clicking malicious links or sharing confidential information.
Attackers impersonate banks, insurers, and pension providers to harvest logins or payment details.
Human Error
The ICO consistently reports misdelivery as one of the top causes of reportable data breaches in the UK, with enforcement activity regularly referencing the consequences of sending personal data to the wrong recipient.
Errors are predictable - which is why secure email systems must:
GDPR requires organisations to implement “appropriate technical and organisational measures” to protect personal data.
Encryption is explicitly recognised as an appropriate safeguard in ICO guidance.
FCA COBS & SYSC: Record Keeping
For relevant record-keeping requirements, firms may need to keep records of communications - including electronic communications - in a durable medium.
They must be retrievable, tamper-resistant, and accessible to the regulator.
The FCA’s own durable medium definition is a useful reference point for what this means in practice.
MiFID II & ESMA Guidance
MiFID organisational requirements place expectations on firms to secure communications, authenticate information transfers, and prevent unauthorised access.
Together, these obligations create a practical principle:
If an email contains personal data, financial data, or a regulated disclosure, encryption and access controls are often appropriate - and should be applied based on risk.
Since 12 January 2026, the FCA has made electronic communication the default mode for relevant MiFID-derived retail-client disclosures.
This change, outlined in PS25/13 and summarised in our guide to the durable-medium reform, applies where electronic delivery meets durable-medium criteria and firms tell retail clients about their right to request paper.
A durable medium must enable clients to:
Receive information personally addressed to them
Store it for future reference
Reproduce it unchanged
Encrypted delivery can support these conditions, provided the chosen approach includes appropriate controls such as:
Encryption suited to the risk
Identity verification or equivalent access controls
Reliable audit records
"Financial services firms are being asked to treat digital delivery as the default durable medium. That only works when the email path is encrypted, access-controlled, and auditable."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
Gateways are one layer in that stack. The comparison below covers inbound and outbound options.
Secure Email Gateways: Inbound vs Outbound
Secure email gateways (SEGs) protect email traffic at scale.
Inbound Gateways
Inbound SEGs block threats before they reach users.
Phishing and spoof detection
Malware and attachment scanning
Spam filtering
AI-driven behaviour analysis
Outbound Gateways
Outbound SEGs secure information leaving the organisation.
Here is a condensed overview of the secure email options available to financial services firms:
Summary Comparison
Mailock - AES-256 encryption, recipient authentication, secure replies, revoke, tracking, Outlook integration. Purpose-built for regulated sectors.
Microsoft Purview Message Encryption - Microsoft-native encrypted email for eligible Microsoft 365 plans, with behaviour depending on licence, tenant configuration, recipient client, and policy settings.
Gmail (Workspace CSE) - Enterprise-grade encryption but no native identity checks.
Egress - Outbound-focused with machine-learning prompts and authentication.
Zivver - Large file transfer, AI-driven prompts, and SMS codes.
Mimecast / Proofpoint - Enterprise-scale gateways with inbound threat filtering and policy controls.
For firms handling sensitive documents daily, verification combined with encryption is often the decisive factor - especially where firms need stronger assurance than email-address-only access provides.
What Counts as PII - and When to Encrypt It
Our full guide, What Counts as PII and Why?, breaks down the categories of information that require protection.
The Puzzle Model of Identity
PII includes:
Direct identifiers - name, address, ID numbers
Indirect identifiers - DOB, job title, postcode
Special category data - health, ethnicity, biometric data
A single data point may be low-risk.
Combined data points can reveal a great deal.
The rule of thumb: If you wouldn’t write it on a postcard, encrypt it.
Best Practice for Advisers and Providers
1. Use a Secure Channel for High-Risk Personal Data
Anything containing customer data should be protected in a way that matches the risk.
For many regulated use cases, that means encryption plus access control, aligned with ICO guidance.
2. Authenticate Recipients
Email-address-based security is not always enough for regulated documents.
Where the content is sensitive, a second factor (SMS or a question and answer) provides stronger assurance.
3. Revoke Mis-Sent Emails
Revoke should function as a safeguard after a message has been sent.
Where possible, it should also work after a message has been opened.
4. Maintain Audit Trails
Record what was sent, when, and who accessed it.
This supports oversight, incident response, and regulatory evidence needs.
5. Integrate with Archiving
Where communications are subject to durable-medium or record-keeping requirements, firms should check that content remains accessible and reproducible unchanged for the required period.
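The point-of-send safeguards described above (a security alert when sensitive content is about to leave the organisation, a warning when a recipient looks like a personal mailbox, and an audit record that later proves an archived copy is unchanged) can be illustrated in code. This is an added example, not Mailock's or any other vendor's implementation; the detection patterns, the personal-webmail list, the addresses and the message text are all constructed for illustration.

```python
import hashlib
import re

# Constructed, illustrative patterns; a real outbound gateway carries a far larger
# policy set. Spaces inside a National Insurance number are tolerated.
SENSITIVE_PATTERNS = {
    "uk_national_insurance": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.I),
    "uk_sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
}
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.co.uk"}

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def assess_outbound(sender: str, recipients: list[str], body: str) -> dict:
    """Point-of-send check: sensitive data types in the body, recipients that are
    personal mailboxes (a common misdelivery route), and whether policy requires
    the secure channel."""
    detected = sorted(n for n, rx in SENSITIVE_PATTERNS.items() if rx.search(body))
    external = [r for r in recipients if _domain(r) != _domain(sender)]
    return {
        "detected": detected,
        "external_recipients": external,
        "personal_mailboxes": [r for r in recipients if _domain(r) in PERSONAL_WEBMAIL],
        # Sensitive content leaving the organisation must go secure.
        "require_secure_send": bool(detected and external),
    }

def audit_record(message_id: str, sender: str, recipients: list[str],
                 body: str, assessment: dict) -> dict:
    """Audit entry for one send. The body hash lets a reviewer later show that an
    archived copy is the content actually sent, i.e. reproduced unchanged."""
    return {
        "message_id": message_id,
        "sender": sender,
        "recipients": list(recipients),
        "body_sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
        "secure_channel": assessment["require_secure_send"],
        "flags": assessment["detected"],
    }

def verify_archived_copy(record: dict, archived_body: str) -> bool:
    """True only if the archived text hashes to what the audit entry recorded."""
    return hashlib.sha256(archived_body.encode("utf-8")).hexdigest() == record["body_sha256"]

# Constructed sample; QQ 12 34 56 C is a placeholder National Insurance number.
SAMPLE_BODY = ("Hi Jane, the NI number we hold is QQ 12 34 56 C and the sort code is "
               "20-00-00. Please confirm before we submit the application.")
```

A one-character change to the archived text makes verify_archived_copy return False, which is the kind of evidence the durable-medium and record-keeping sections ask for.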
How to Choose a Secure Email Solution
Checklist
Does it support end-to-end AES-256 encryption?
Does it offer recipient authentication beyond email address?
Can clients reply securely for free?
Does it include revoke after opening?
Does it maintain detailed audit logs?
Does it integrate into workflows (e.g., Outlook add-in, API, gateway)?
Is it aligned with relevant GDPR, FCA, and MiFID expectations?
Mailock secure email is designed around these needs and is already in use across the UK’s financial services sector.
FAQs
Why Does Secure Email Matter in Financial Services?
Financial services email often contains personal data, account information, advice documents, and other sensitive customer material.
What Is the Difference Between Inbound and Outbound Email Security?
Inbound controls focus on threats arriving by email, while outbound controls protect sensitive information being sent out.
What Should Firms Compare When Choosing Secure Email?
Review encryption, recipient authentication, secure replies, audit evidence, usability, integration, and support for regulatory communication needs.
Sam Kendall works on digital marketing at Beyond Encryption, helping build B2B marketing activity around research, first principles, and sustainable growth. He writes about marketing effectiveness, positioning, customer communications, and digital culture, with longer-form work published at ATNL.