Password Compliance
RBC • Lead Interaction Designer • Web and Mobile
As Lead Interaction Designer, I partnered with Online and Mobile Banking teams to reframe the problem and work on a quick solution.
I also identified risks of disrupting daily banking, created a mitigation plan with business partners, and, using call listening insights, proposed to redesign the sign-in and reset flows to reduce password-related call volume.
6 million
Active users impacted
30%
Mobile-only users
27% = Mobile + web
Influenced by research and risk assessment
2026 roadmap
Risk assessment
Product strategy
Compliance
Influencing the product roadmap through a user-centric approach that mitigates risks.
Users would be forced to comply with new security guidelines
Goal:
RBC needed to ensure that all clients met new minimum password security standards for online and mobile banking to comply with updated Canadian regulations.
Business request:
Display a message at sign-in, forcing users with non-compliant passwords to reset in order to proceed with their banking.
But forcing it would disrupt people's banking experience
Learnings and insights:
While users are accustomed to being asked to change passwords on other websites, they don’t expect it from their banks.
When signing in to online or mobile banking, clients typically intend to complete quick, often time-sensitive transactions.
Forcing a Reset Password is a cognitively demanding multi-step task.
High risk of account lock-outs and spikes in call volume when clients forget the new password.

The initial proposal to ship fast
After aligning with other designers, product, tech and business partners, I made a proposal that included:
Re-platform and refresh to incorporate the most recent UI patterns and enable advanced encryption technology.
Adopt a proactive communication strategy that is prominent but less intrusive, following the pattern of another Compliance project.
Make the Change Password flow available in the Mobile App using webviews to speed up development.
Develop a cohesive strategy to force clients to change their passwords once they reach the communication target date.

After a few iterations and trade-offs...

Staggered approach
Run multiple campaigns with smaller groups of clients as a way to mitigate the impact on Advice Centre.
Pilot
Test live with 40K users to measure the impact on Advice Centre channels before opening to millions of clients.
After Target Date is reached
The design team recommended displaying all password change fields immediately upon login to streamline the process and avoid confusion.
However, the business opted to link users to the existing Reset Password flow instead.
This approach involves more validation steps and greater cognitive load, increasing the likelihood of user errors and potential spikes in support calls.
Why?
Would this solution be enough to avoid spikes in call volume?
Probably not.
Humans have short memory and may forget their new passwords.
Then I realized:
The real risk for the business comes after the password change.
Aha!
Listening to recordings revealed that clients call because:
A. They try a wrong PW too many times
B. They try to reset their PW and encounter issues

So I proposed 3 solutions to the business:
Streamline the Sign-In and Reset Password flows.
Reconsider the original design recommendation when enforcing
Explore new ways to sign in

Added to the roadmap!
Root cause and consequences
Human memory limitation
Underestimation of password strength
Lack of awareness/education on password security
Low motivation to create strong PWs
Harder PWs are hard to remember
Avoid changing it
Reuse PWs across multiple sites/apps
Lead to...
Which results in...
Clients who are vulnerable to fraud
Security and reputational risks for RBC
Client mindsets
How clients may feel when signing in to RBC to do their banking and are asked to change or reset their password:
Annoyed 🙄
I don’t like to change passwords because it’s hard to remember
I don’t remember my old password
RBC is telling me to change my password
Confused 😒
I don’t know how to create a strong password
I don’t know how to keep my password safe
I don't understand why I have to change it
Unsure 🤔
I don’t think I’ll remember my new password next time I need to sign in
Confident and at ease 😎
RBC has my best interests in mind
RBC worries about my safety
I will change my password because I want to keep my account safe
Why people avoid changing passwords or create weak passwords:
Usability test insights
With a grain of salt...
Familiarity
Participants were familiar with other websites and apps that requested them to change their passwords upon sign-in
Clarity
The message to change their password was considered clear and direct. All participants understood what they had to do and what would happen if they didn’t act by the target date
Annoyance vs. importance
Changing passwords is not a top-of-mind task because people have memory issues. However, several participants recognized the importance of keeping their accounts secure and appreciated the bank's proactive approach to protecting them.
Minimal disruption
Forcing clients to change their passwords wouldn’t cause a significant disruption on assisted channels. None of the participants said they felt they would need to call after seeing the message.
However...
"The real risk for burdening the assisted channels actually comes after clients change their passwords."

Due to...
Confusing Reset Password flow:
The current Reset Password process has multiple steps where clients get stuck:
Last name and Postal code - when they enter information that doesn't match their profiles
2-step verification - when they don't have a mobile device
Confusing Sign-in that leads to Reset failure:
Current sign-in is split into 2 steps that happen on separate screens
Error messages are unclear and don't help users to self-recover
Mistakes made on sign-in are carried over to the Reset flow

Design influence
This extensive research was crucial for me to help stakeholders view the problem from a different angle and empathize with users.
It was clear that to avoid a spike in calls related to Change Password, what we actually needed was:
Streamline the Sign-In and Reset Password flows.
Once 30 days have passed from the initial communication, force users to change their passwords directly on the sign-in screen, rather than directing them to the Reset Password flow.
Re-think the ways we allow clients to sign in and reset/change their passwords altogether.
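A sketch of the sign-in gate these recommendations describe, added here as an example and not RBC's code: the password the client just typed is checked against a minimum standard, clients are released in staggered campaign waves, the proactive message starts a 30-day clock, and once the target date passes the change is forced inline rather than through the Reset Password flow. The password rule, the wave mechanism and all names are assumptions, since the page does not state the real standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

# Assumption: the page does not state RBC's real minimum standard,
# so this rule (12+ characters, 3 of 4 character classes) is a stand-in.
MIN_LENGTH = 12
MIN_CLASSES = 3
GRACE_DAYS = 30   # from the page: enforce 30 days after the first communication


def meets_minimum_standard(password: str) -> bool:
    """Evaluate the password the client just typed at sign-in.
    Checking at sign-in means no plaintext or extra attribute is stored;
    the bank only learns compliance when the client authenticates."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= MIN_LENGTH and classes >= MIN_CLASSES


@dataclass
class Client:
    client_id: str
    campaign_wave: Optional[int]          # staggered campaign this client is in
    notified_on: Optional[date] = None    # first day the proactive message was shown


def signin_action(client: Client, password: str, today: date,
                  open_waves: Set[int]) -> str:
    """Decide what the sign-in screen does after a successful authentication.
    Returns 'proceed', 'notify' (prominent, non-blocking message) or
    'force_change' (change fields shown inline, not the Reset Password flow).
    Side effect: records notified_on the first time the message is shown."""
    if meets_minimum_standard(password):
        return "proceed"                      # already compliant
    if client.campaign_wave not in open_waves:
        return "proceed"                      # not this client's wave yet
    if client.notified_on is None:
        client.notified_on = today            # start the 30-day clock
        return "notify"
    if today < client.notified_on + timedelta(days=GRACE_DAYS):
        return "notify"                       # still inside the grace period
    return "force_change"                     # target date reached
```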
Added to the product roadmap!
What research, data and call listening revealed!