My husband and I are shopping around for a mortgage, probably an FHA one because we have so little down payment compared to the price of houses in the Boston area. I found on the HUD website 3 familiar bank names for FHA loans and started looking into them. The first two I was able to contact a broker by email to get the process started. The third one had an "Apply online!" link on their website but no names listed for contacts. I should have noticed earlier how wonky the front page was, thus the feeling-really-dumb bit now.
So I fill in some information, though not our social security numbers or any other information I've forgotten. I get to the end and they ask me to set up a password, which is what I expect of banks when I don't already have an account with them. I do so, get a login page with my email pre-populated, view my status, and then go back to the home page. I can find nowhere on the home page that says to log in to see the status of your application, which is my first red flag, but maybe it's hidden somewhere. So I go back a few screens to the other login page, bookmark it, and go check my email.
My email has a confirmation email from the bank. At the bottom of that plaintext email is my username and the password I set up. Warning bells start going off. I work in a financial institution and sending passwords by email is a huge no-no. So I send off a quick reply saying "Bad bank security! Bad!" (paraphrased) and go to change my password. Again, can't find a link to the login page anywhere, just the option to resubmit the loan application. I go back to my bookmark and log in.
There are 3 options: edit app, view app, and log out. No specific link to change my password. Selecting edit app brings me to a section that's identical to the original application process but with my information prepopulated. The second page has the same "make a password" piece. As this is the only section having anything to do with the password, I change it there.
I then log out and try to log in again. My new password doesn't work, but they don't have a page that says "wrong password." Instead, it deletes my username from the link and asks me for a password with no username. There's no text box to enter a username, either. Easy enough to solve--I hit back to get the link with my username in it. After about ten tries (and no lockout for multiple tries) I try my old password. That works and brings me back to the edit/view/logout page.
After typing this post up initially but before calling in, I tried changing the non-password information. This also did not take; none of the information changed when I submitted it.
So I fired off a follow-up email detailing my efforts to fix this. I've asked them to delete all my information from their website system. I will probably still check their rates for a loan, etc. but I'm not too thrilled by the idea of banking with them in any way. They haven't answered my email yet. I may be over-reacting... or I may be too blase about it. This happened about half an hour ago. I'm going to give them another hour, at which point I'll call them up and ask in person that my information be removed from the website.
ETA: Decided I was probably freaking out too much (and possibly over nothing) to just sit here. Called them up and asked them to delete my application. I've been assured it will be deleted, and they asked me to forward the email with password (which I did, with a big PASSWORD WAS HERE over my actual password.) We'll see how fast they remove my information from the website.
ETA2: Got a call back from the bank. The person I spoke to confirmed that 1) yes, I did set up an application with them and not a spoof site or third party and 2) they have deleted that information and their website person is looking into what went wrong and how to fix it. So the end result is good and the response time is good, too. I didn't get any pushback about the issue and I'll probably still check what their rates are, but not online.
TL;DR version: Website loan application sends a confirmation email with the user-chosen password in the contents of the email, and there's no way to change the password nor delete any of the information that's been given. Called them up to get it removed. They removed it within an hour and are now looking into their website issues. I'll update again if they let me know what's happening with their website or if they've fixed it.