I wholeheartedly agree! Even the format of the request is all wrong. I posted something along these very lines earlier today, you would expect to see better from a regulated financial institution. to reply to a generic info@… email or even to submit via a generic web form is a pretty poor way to transfer sensitive PII. How can anyone be sure on how this information is stored, or who would have access to this. Surely it cannot be that difficult to develop a secure messaging feature from within the account. At least you would have some assurances it would be dealt with within your account wrapper, rather than the current fire & forget method!