Secure ways to receive client bank statements (ranked)
The short answer: ranked from worst to best — texted photos and email attachments (retire immediately), client uploads to a secure portal (acceptable), and direct retrieval via a consented bank connection (best: no credentials, no inbox copies, verified originals). If you change one thing this quarter, stop receiving statements by email — your regulators already expect it.
Why does the channel matter so much?
A bank statement is a dense bundle of exactly what fraud needs: full account numbers, balances, counterparties, spending patterns, home address. Whatever channel carries it determines where copies live, who can reach them, and whether you’d ever know. Firms are also squarely inside the compliance perimeter here: the FTC’s Safeguards Rule requires financial-data safeguards of professional firms, and the IRS’s Publication 4557 spells out the same expectations for anyone handling taxpayer data: encrypt, control access, monitor.
The ranking, worst to best
5. Texted photos & chat apps — retire today
Screenshots of statements in SMS/WhatsApp: unencrypted-at-rest on two phones, backed up to personal clouds, impossible to inventory, and usually cropped uselessly anyway. If a client sends one, thank them, file the real statement via a proper channel, and gently close the lane.
4. Email attachments — the expensive default
Email’s failures are structural, not behavioral:
- Copies everywhere, forever. Sender’s sent-mail, your inbox, both providers’ backups — unencrypted at rest in most configurations, discoverable in any mailbox compromise years later.
- The BEC superhighway. Business email compromise is among the costliest cybercrime categories the FBI tracks (IC3 reporting), and firms that visibly traffic financial documents by email are prime targets for spoofed “send it to this address instead” plays.
- Zero systematic control. No access roles, no retention rules, no audit trail beyond inbox forensics.
“But clients prefer it” is real — which is why the fix is offering a channel that’s easier than email, not lecturing. Keep reading.
3. Secure client portals — the acceptable middle
Portals (ShareFile, Liscio, SmartVault, Content Snare-style request tools) fix transport and storage: encrypted in transit and at rest, access-controlled, auditable, with automated reminders. For one-off documents — organizers, contracts, signatures — they’re the right tool, full stop.
Their honest limits for statements: the client still fetches and uploads every month (so timeliness and completeness stay client-dependent), and what arrives is whatever was uploaded — no source verification. See retrieval vs client portals for the full trade-off.
2. Shared bank logins — never (yes, it outranks nothing)
Placed here only to be explicit: holding a client’s online-banking credentials is worse than every option above except losing documents outright. It defeats the client’s MFA, generally violates bank terms of use, and makes your firm the custodian of the keys to an account it doesn’t own. Any workflow built on shared logins should migrate to consented connections this month. (Why the consented version is different.)
1. Direct retrieval via consented bank connection — the end state
The client authenticates once at their own bank (Plaid / Mastercard Open Banking); statements are then retrieved from the source each cycle. Security-wise this wins on every axis that matters:
- No credentials shared — with the firm or the software; bank-side MFA stays intact.
- No documents in inboxes — files move provider → system → your Drive, encrypted in transit, access-controlled at rest.
- Verified originals — SHA-256 hash-checked PDFs with a logged retrieval trail (chain of custody, effectively).
- Revocable & auditable — the client can cut access anytime; every retrieval is recorded.
This is the model StatementFlow implements, with the full control list published.
The one-page policy to adopt
Steal this verbatim:
| Policy line | Rule |
|---|---|
| Approved intake | Bank connection (default) or firm portal (fallback) |
| Banned | Email attachments, texts/chat apps, shared bank logins |
| Client comms | One-line explanation + connect link in every onboarding |
| Filing | Client / year / month, standard names, one Drive location |
| Verification | Prefer source-retrieved, hash-verified originals |
| Exceptions | Named owner; reviewed at each close on the coverage board |
Rolling this out takes one announcement and removes your two riskiest channels immediately — the complete guide includes the client-facing wording. And if you want the top-ranked channel running on your book with hands-on help, that’s what early access is for.
FAQ
Is it safe for clients to email bank statements?
What is the most secure way to collect bank statements from clients?
Can I accept a client’s online banking login to download statements?
Keep reading
Chris Wattinger — Founder, Scale CPA. Chris runs Scale CPA, a US accounting firm, and built StatementFlow inside the firm to kill the monthly statement chase across its own client book.