I received an email from American Express late last night after resetting my password earlier in the day (see screenshot below). I can never remember my AmEx password, because I can't use my usual one due to the company's surprisingly short field of just 8 characters that also doesn't support special characters. I have it written down somewhere, but I can never find that either.

I went online late Friday afternoon to pay my overdue bill at AmericanExpress.com. I was pretty sure it was one of three possibilities, but after two unsuccessful attempts, and with the website warning me the third attempt would cause a lockout (note 1), I decided to go through the online reset process instead. 

That was easy. I just needed the card number, the code on the front of the card, and the answer to a security question. At that point, AmEx displayed my username and let me reset the password. It's one of the easier reset processes I've tested. That's a benefit to customers and helps cut customer service costs for AmEx. 

But the thing I liked most was the email message sent later that night informing me of the password reset (screenshot below). But I don't understand why it was sent more than six hours later. Why not send it right away? That would be way more impressive to customers, and would help reduce any potential fraud or privacy violations. Better yet, send a text message right to the customer's mobile, so they have real-time knowledge of the account changes.

Email Critique
Personalization: The company uses two pieces of personalization, cardmember name and the last five digits of the account number, to differentiate this message from the average phish. Excellent.  

Subject line: Your American Express Forgotten User ID is good and right to the point

From: "American Express" using an American Express email address. Good.  

Headline: Verify Your Account Transaction is a little confusing. All I did was reset my password. I'm not sure that average person views that as a "transaction."

Copy: The copy is short and to the point, but it could use a little editing for clarity. The third sentence, "If you did contact us...." seems unnecessary. And "If you did not complete the retrieval...." is not very user friendly language.

Design & Layout: Excellent.

Overall Grade: A- for the message, B- for timeliness

Note:

1. We recommend allowing more than three attempts before lockout. It's pretty easy to forget a digit or make a typing mistake. See our Online Banking Report on Security (#119) for more information.