diff --git a/app/template/rest.py b/app/template/rest.py
index ac7e12d5b..b15401f1a 100644
--- a/app/template/rest.py
+++ b/app/template/rest.py
@@ -42,10 +42,8 @@ def _has_service_permission(template_type, action, permissions):
 template_type_text = template_type
 if template_type == SMS_TYPE:
 template_type_text = 'text message'
- message = 'Cannot {action} {type} templates'.format(
- action=action, type=template_type_text)
- errors = {'content': [message]}
- raise InvalidRequest(errors, status_code=400)
+ raise InvalidRequest("{action} {type} template is not allowed".format(
+ action=action, type=template_type_text), 403)
 @template_blueprint.route('', methods=['POST'])
@@ -55,7 +53,7 @@ def create_template(service_id):
 permissions = fetched_service.permissions
 new_template = template_schema.load(request.get_json()).data
- _has_service_permission(new_template.template_type, 'create', permissions)
+ _has_service_permission(new_template.template_type, 'Create', permissions)
 new_template.service = fetched_service
 over_limit = _content_count_greater_than_limit(new_template.content, new_template.template_type)
@@ -73,7 +71,7 @@ def create_template(service_id):
 def update_template(service_id, template_id):
 fetched_template = dao_get_template_by_id_and_service_id(template_id=template_id, service_id=service_id)
- _has_service_permission(fetched_template.template_type, 'update', fetched_template.service.permissions)
+ _has_service_permission(fetched_template.template_type, 'Update', fetched_template.service.permissions)
 data = request.get_json()
diff --git a/tests/app/conftest.py b/tests/app/conftest.py
index 8ac5f13db..372dfbb2f 100644
--- a/tests/app/conftest.py
+++ b/tests/app/conftest.py
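Review bot: The new raise in `_has_service_permission` passes the status positionally, where the removed code used `status_code=400`; keep the keyword so the 403 does not depend on parameter order: `action=action, type=template_type_text), status_code=403)`. The helper's name reads like a predicate, but the visible lines return nothing and raise on denial, so a one-line docstring such as `"""Raise InvalidRequest with a 403 when the permission check fails."""` would help; the function starts outside this hunk. The error body also changes from `{'content': [...]}` to a bare string, which any client parsing the old shape will need to handle.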
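Review bot: The call sites now pass a capitalised action (`'Create'` here, `'Update'` in the `update_template` hunk that follows) only because the helper puts the action first in its message, which ties every caller to the wording of one string. Keep the lowercase action at the call site and capitalise where the message is built, e.g. `action=action.capitalize(), type=template_type_text), 403)`. `create_template` continues outside the hunk.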
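Review bot: In `update_template` the permission check is made against `fetched_template.template_type`, the stored type, and it runs before `data = request.get_json()` is read. Whether the update payload can change the template type cannot be seen here, because the function continues outside the hunk; if it can, the requested type should go through the same check. A comment on the call, `# permission is checked against the stored template type, before the payload is read`, would make that assumption visible to the next reader.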
@@ -196,6 +196,11 @@ def sample_template_without_sms_permission(notify_db, notify_db_session):
 return sample_template(notify_db, notify_db_session, permissions=[EMAIL_TYPE])
+@pytest.fixture(scope='function')
+def sample_template_without_letter_permission(notify_db, notify_db_session):
+ return sample_template(notify_db, notify_db_session, template_type="letter", permissions=[EMAIL_TYPE])
+
+
 @pytest.fixture(scope='function')
 def sample_template_with_placeholders(notify_db, notify_db_session):
 # deliberate space and title case in placeholder
diff --git a/tests/app/template/test_rest.py b/tests/app/template/test_rest.py
index 8ce72bd40..ad951f35a 100644
--- a/tests/app/template/test_rest.py
+++ b/tests/app/template/test_rest.py
@@ -13,8 +13,9 @@ from app.dao.templates_dao import dao_get_template_by_id, dao_redact_template
 from tests import create_authorization_header
 from tests.app.conftest import (
 sample_template as create_sample_template,
+ sample_template_without_email_permission,
+ sample_template_without_letter_permission,
 sample_template_without_sms_permission,
- sample_template_without_email_permission
 )
 from tests.app.db import create_service
@@ -90,8 +91,9 @@ def test_should_raise_error_if_service_does_not_exist_on_create(client, sample_u
 @pytest.mark.parametrize('permissions, template_type, subject, expected_error', [
- ([EMAIL_TYPE], SMS_TYPE, None, 'Cannot create text message templates'),
- ([SMS_TYPE], EMAIL_TYPE, 'subject', 'Cannot create email templates'),
+ ([EMAIL_TYPE], SMS_TYPE, None, 'Create text message template is not allowed'),
+ ([SMS_TYPE], EMAIL_TYPE, 'subject', 'Create email template is not allowed'),
+ ([SMS_TYPE], LETTER_TYPE, 'subject', 'Create letter template is not allowed'),
 ])
 def test_should_raise_error_on_create_if_no_permission(
 client, sample_user, permissions, template_type, subject, expected_error):
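Review bot: The new fixture `sample_template_without_letter_permission` passes `template_type="letter"` as a string literal, while the permission list beside it uses the `EMAIL_TYPE` constant and the test module uses `LETTER_TYPE`. Prefer `template_type=LETTER_TYPE` so the fixture cannot drift from the constant; the conftest import block is outside this hunk, so `LETTER_TYPE` may need importing there. The literal also uses double quotes where the surrounding fixtures use single quotes.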
@@ -115,14 +117,15 @@ def test_should_raise_error_on_create_if_no_permission(
 data=data
 )
 json_resp = json.loads(response.get_data(as_text=True))
- assert response.status_code == 400
+ assert response.status_code == 403
 assert json_resp['result'] == 'error'
- assert json_resp['message'] == {'content': [expected_error]}
+ assert json_resp['message'] == expected_error
 @pytest.mark.parametrize('template_factory, expected_error', [
- (sample_template_without_sms_permission, 'Cannot update text message templates'),
- (sample_template_without_email_permission, 'Cannot update email templates'),
+ (sample_template_without_sms_permission, 'Update text message template is not allowed'),
+ (sample_template_without_email_permission, 'Update email template is not allowed'),
+ (sample_template_without_letter_permission, 'Update letter template is not allowed')
 ])
 def test_should_be_error_on_update_if_no_permission(
 client, sample_user, template_factory, expected_error, notify_db, notify_db_session):
@@ -143,9 +146,9 @@ def test_should_be_error_on_update_if_no_permission(
 )
 json_resp = json.loads(update_response.get_data(as_text=True))
- assert update_response.status_code == 400
+ assert update_response.status_code == 403
 assert json_resp['result'] == 'error'
- assert json_resp['message'] == {'content': [expected_error]}
+ assert json_resp['message'] == expected_error
 def test_should_error_if_created_by_missing(client, sample_user, sample_service):
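Review bot: The last tuple added to the update parametrize list, `(sample_template_without_letter_permission, 'Update letter template is not allowed')`, has no trailing comma, unlike the entries above it and the create list; add one so the next case is a one-line diff. The expected strings are now spelled out in both tests as well as in the helper, and nothing in the hunk ties them together, so a wording change has to be made in each place.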
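Review bot: The visible assertions in `test_should_be_error_on_update_if_no_permission` check only the 403 response and its message; they do not show that the denied update left the template untouched. The test body starts outside this hunk, so this may already be covered. If it is not, re-read the row with `dao_get_template_by_id` (already imported in this module) after the request and assert that its content is unchanged, under a comment such as `# a denied update must not modify the stored template`.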