Your customers are already sharing their financial data. Here’s how to make it more secure

Email is still the default for sharing sensitive data, but should it be?
By Josephine Robinson, Information Security Director

Have you ever sent an email and immediately wished you could take it back? Maybe it had the wrong attachment. Maybe it went to the wrong “Alex”. 

It’s an all too common and costly mistake. Research reveals a staggering 94% of organizations have experienced email security incidents in the past year, including data loss or exfiltration, and 95% of data breaches involve some form of human error, like sending the wrong file or accidentally forwarding sensitive documents.

In banking, those small, easy-to-make mistakes can carry massive consequences, especially when what’s attached is a customer’s full financial picture. And yet, email remains one of the most common ways businesses share sensitive data with their bank.

In fact, a recent Codat study found that 46% of businesses send sensitive financial data to their banks via email. Even more surprising: 36% still walk paper files into branches and 34% use physical mail.

The hidden dangers of ‘business as usual’

When banks ask, “Is connecting to customer data via an API like Codat secure?” they’re often missing important context: how it compares to what they’re doing today.

If your bank operates a commercial card program of any kind, you’re already collecting Personally Identifiable Information (PII) on your customers and their suppliers. And more often than not, that data is exchanged through email attachments.

So yes, it’s fair to question whether new technology introduces risk. But you should also consider whether your current methods are exposing you to more than you realize.

Here’s what those old methods mean in practice:

  • High error risk from manual processes and human handling
  • No audit trail to track who accessed what, when, or why
  • No control once the data leaves the customer’s hands
  • Potentially no encryption at rest for email attachments

Security and privacy aside, the process can also meaningfully damage credibility. Asking customers to dig through spreadsheets, email files back and forth, or print out sensitive documents adds friction at the moments when you should be building trust: onboarding new customers, helping them grow, and showing them you’re ahead of their needs, not behind them.

So… is Codat more secure than email? Absolutely.

Your customers are ready for change

There’s a prevailing myth in banking that customers aren’t ready for a new way of sharing data. But our research tells a very different story.

99% of businesses are familiar with digital data sharing. Nearly four in five mid-market firms (those with $100 million to $500 million in revenue) say they’re very familiar. 42% already use direct data connections with at least one of their banks.

And they’re willing to share more. Our research found that over half (53%) of businesses are willing to provide their bank with access to their financial data, either on an ongoing basis or for the full duration of their facility. A further 37% would be happy to do so on a one-off or occasional basis.

The organizational side of innovation

If your customers are already comfortable with digital data sharing (and they are), what’s actually holding banks back? Often, it’s not the technology but the transformation.

Yes, API-based connections like Codat’s are significantly more secure than email, but recognizing that isn’t the same as operationalizing it. That’s where change management matters.

For this kind of project, it means:

  • Building consensus among risk, compliance, legal, product, and sales teams
  • Equipping frontline staff with the training and confidence to use new tools and communicate their value to customers
  • Establishing trust, both internally and externally, that the new process is not only more secure, but easier and better for everyone involved

That’s why Codat doesn’t just hand you the product. We work with you through every step. From onboarding to technical setup, we help your teams get aligned, tailor workflows, and train staff based on your bank’s goals and your customers’ needs.

And we’ve seen how impactful this approach can be. Banks that invest in thoughtful, well-supported change management ultimately unlock a more secure, scalable, and client-friendly means of data sharing. And the payoff is measurable:

  • Reduced operational and compliance risk
  • Faster onboarding and product decision-making
  • Higher adoption rates for commercial card programs
  • Improved client satisfaction, driven by frictionless interactions

How Codat bridges the security gap

Codat was built from the ground up for secure, read-only API access to business financial systems. We work with top-tier banks to transform their data-sharing experience, making it safer, faster, and more scalable.

Here’s how:

Enterprise-grade security

  • Always-on encryption through Microsoft Azure, ensuring data is protected in transit and at rest
  • Security-hardened APIs, actively patched and monitored to minimize vulnerabilities
  • Bug bounty program incentivizes finding and fixing issues before bad actors do

Full data control

  • Direct data transfer, avoiding the risks of data sitting in unsecured inboxes
  • Revocable access, so customers can remove permissions anytime
  • Customers authenticate securely; no passwords are shared or stored
  • Granular permissions via SSO, allowing internal sharing without forwarding files
  • Proxies and filters to prevent ingestion of sensitive data like financial health or payment card information

Minimized operational risk

  • Reduced attack surface, thanks to limited access scopes and strict authentication protocols
  • Full audit logs track who accessed what and when
  • Right-to-be-forgotten support helps banks manage data retention

The bottom line

Your customers already share sensitive financial data. The real risk isn’t in switching to API connections. It’s in sticking with processes that may be exposing you to more issues than you realize.

Codat helps your teams make the shift with confidence. We start by making sure everyone at your bank understands why API connections are safer, more reliable, and easier than email. Then we work with you to go live, without the internal friction, so you can start connecting customers and make it part of how your bank operates day-to-day.

If you’re already in touch with us, now’s the time to see what that support could look like in practice.