I concur, Gerard.
This sort of thing is exactly what Secure Shell public key authentication was designed for, and it shouldn't be hard to make a case to take that approach, and you can use it either on SCP or SFTP - they use the same underlying protocol after all.
http://ask-leo.com/how_can_i_automate_an_sftp_transfer_between_two_servers.htmlYou can even lock down the authorized_keys so that the key you use for the file transfer can not be used to connect from any other host but the one you're using to fetch the file (from=fetch-host.you.com), and also make it impossible for the key to be used to start a shell (no-pty).
When you lock down the permissions of the password-less private key to 400 for the userid that will be using it, then you'll have a number of layers of security at work, and no plaintext password sitting in a script file.
See also
http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html for a decent discussion of the subject.
