Do You Need an Email Policy?

| Heather Lewis, SVP, eMarketing and Ray Parenteau, President |

So, you have an email program. Congratulations! ?

Given the implications around data privacy and security, as well as emerging regulations governing email usage, should you also have an Email Policy? Probably. But what should that include?

Once an email program has moved beyond infancy and into growth/maturity, it’s a good idea to establish some practical guidelines around email policies and protocols specific to your institution/organization. This is especially important as the email program gains traction and begins to involve multiple departments and various parties. An Email Policy is a helpful document for setting internal expectations and helps to satisfy compliance/audit functions.

While there is currently no specific template for crafting an Email Policy, below are some of the topics and considerations to address. Note that these apply to customer marketing communications programs, including promotions and onboarding, as well as non-marketing operational messages such as alerts and “official” notifications.

Privacy Policy: First and foremost, your Email Policy should conform to the terms of your Privacy Policy. Areas that should be checked include data sharing, GLBA compliance, and opt-out processes. Any changes between the two should be cross-referenced for conflicts or ambiguity.
Roles and Responsibilities. It should establish various roles and responsibilities of those internally, and externally, involved in the email program (e.g. Marketing, Compliance, business lines, marketing partners, vendors, etc.), and include internal workflow procedures and approvals, from initial request to deployment.
Process. How does a new email campaign begin? Who requests/decides? Is the process for that formal or informal? Is it centralized or de-centralized? Who determines and produces content? Who needs to sign-off/approve? What are the typical checkpoints from start to finish? How will the rest of the institution, specifically the front line and call center, be kept informed of the email efforts/campaigns? How will frequency be managed to prevent over or under emailing? If a staff change impacts the email program, how is that communicated and adjusted? Having processes in places reduces breakdowns in execution and institutional memory.
List sources – Allowable vs. Nonallowable.
Audit all the locations where email addresses are collected – what customer expectations, if any, are set at those points? What other list sources may exist? Be sure to check what is permitted by your ESP (email service provider) as most do not permit purchased or rented lists. Consider defining usage restrictions or guidelines for specific list segments.
Email Message Definitions. Definitions of various types of emails may be helpful to include – commercial, operational/transactional and how those are treated differently. How is urgency and timing of messages defined and handled? If a customer communication is required by regulation, what’s the fallback method of making contact if the message fails to be delivered or opened (direct mail, phone, online messaging with acknowledgement, etc.?)

What are the types of messages that are planned and how will those be categorized from a customer-facing standpoint? How are branding standards implemented in various email templates? What information must be present in every message (generally the footer area) for CAN-SPAM compliance along with institution requirements (such as EHL and FDIC)?

For operational messages, the decision to include an unsubscribe link or not can be vexing. If the nature/content of an email falls in a gray area, who will ultimately determine whether it’s treated as commercial or operational? If you need to reach customers that have unsubscribed from marketing messages, are you able to confidently include these in an operational message deployment?
Maintaining Opt-outs and Undeliverables. This is an important part of remaining compliant and protecting your sender reputation. In addition to your unsubscribe link, unsubscribe requests can arrive via other methods (phone, direct mail, front line, etc.) They all need to be honored and processed to prevent inadvertent usage. Some opt-outs arrive via spam complaints from the inbox provider, and it’s important to have a reliable process for these. Likewise, undeliverable emails need to be scrubbed and/or re-verified to ensure proper communication and to avoid being penalized in the inbox by repeatedly sending to known invalid addresses. This might require an ongoing outreach effort by your call center or customer service team, or perhaps re-validating at various touch points such as in-branch visits, logins in Online Banking, etc.
Synchronizing multiple email senders. Many Institutions use multiple email vendors for their various business lines. Managing opt-outs and bounces from these different points of origin requires a synchronization process or a system-of-record to maintain compliance.
Handling replies. Don’t overlook management/handling of the inevitable replies from deployed emails. For the “sending / reply-to” email addresses, these need to be live mailbox(es) capable of receiving replies. One option is to use an autoreply to let respondents know that they should contact the institution via another method. Or assign a person or department to actively monitor and triage incoming replies.
Ensure Proper Sender Authentication. Be sure that partners sending on your behalf are part of your sender authentication protocol. This includes SPF and DKIM records. These protocols add legitimacy to the messages sent and improve delivery to the inbox. If DMARC is implemented, making sure your email partners are part of your SPF/DKIM is imperative. This usually brings IT into the mix and gets them aware and, generally, onboard with your efforts.

Ultimately, your Email Policy is a living document that will evolve over time and should be reviewed, at minimum, annually.

Need a printed version of this document? Get It Here.