Come up with a sensible way of implements a new security policy
You locked me out of my account and said I received an email with instructions to report password for to be security policy.
I did not receive an email. Forgot issues did not result in an email either.
I then had to sit on the phone for 40 mins before I could speak to someone who sent me a password reset email which arrive instantly.
Why on earth would you not just ask the user to change the password when they log on?
You have implemented this in such a way that there are more ways for it to do wrong and or a bizarre way to do it.
If you want better security, don't increase passwords to 12 characters - allow the user to switch on 2FA like every other modern business service.
Denying access to a service is not a great way to be customer-focused is it? Especially when there are other way to achieve the same which avoid that.
Please think about this next time.