Skip to content
Security & trust

Secure ways to receive client bank statements (ranked)

By Chris Wattinger, Founder at Scale CPA · Published · 3 min read
securitystatement collection

The short answer: ranked from worst to best — texted photos and email attachments (retire immediately), client uploads to a secure portal (acceptable), and direct retrieval via a consented bank connection (best: no credentials, no inbox copies, verified originals). If you change one thing this quarter, stop receiving statements by email — your regulators already expect it.

Why does the channel matter so much?

A bank statement is a dense bundle of exactly what fraud needs: full account numbers, balances, counterparties, spending patterns, home address. Whatever channel carries it determines where copies live, who can reach them, and whether you’d ever know. Firms are also squarely inside the compliance perimeter here: the FTC’s Safeguards Rule requires financial-data safeguards of professional firms, and the IRS’s Publication 4557 spells out the same expectations for anyone handling taxpayer data: encrypt, control access, monitor.

The ranking, worst to best

5. Texted photos & chat apps — retire today

Screenshots of statements in SMS/WhatsApp: unencrypted-at-rest on two phones, backed up to personal clouds, impossible to inventory, and usually cropped uselessly anyway. If a client sends one, thank them, file the real statement via a proper channel, and gently close the lane.

4. Email attachments — the expensive default

Email’s failures are structural, not behavioral:

  • Copies everywhere, forever. Sender’s sent-mail, your inbox, both providers’ backups — unencrypted at rest in most configurations, discoverable in any mailbox compromise years later.
  • The BEC superhighway. Business email compromise is among the costliest cybercrime categories the FBI tracks (IC3 reporting), and firms that visibly traffic financial documents by email are prime targets for spoofed “send it to this address instead” plays.
  • Zero systematic control. No access roles, no retention rules, no audit trail beyond inbox forensics.

“But clients prefer it” is real — which is why the fix is offering a channel that’s easier than email, not lecturing. Keep reading.

3. Secure client portals — the acceptable middle

Portals (ShareFile, Liscio, SmartVault, Content Snare-style request tools) fix transport and storage: encrypted in transit and at rest, access-controlled, auditable, with automated reminders. For one-off documents — organizers, contracts, signatures — they’re the right tool, full stop.

Their honest limits for statements: the client still fetches and uploads every month (so timeliness and completeness stay client-dependent), and what arrives is whatever was uploaded — no source verification. See retrieval vs client portals for the full trade-off.

2. Shared bank logins — never (yes, it outranks nothing)

Placed here only to be explicit: holding a client’s online-banking credentials is worse than every option above except losing documents outright. It defeats the client’s MFA, generally violates bank terms of use, and makes your firm the custodian of the keys to an account it doesn’t own. Any workflow built on shared logins should migrate to consented connections this month. (Why the consented version is different.)

1. Direct retrieval via consented bank connection — the end state

The client authenticates once at their own bank (Plaid / Mastercard Open Banking); statements are then retrieved from the source each cycle. Security-wise this wins on every axis that matters:

  • No credentials shared — with the firm or the software; bank-side MFA stays intact.
  • No documents in inboxes — files move provider → system → your Drive, encrypted in transit, access-controlled at rest.
  • Verified originals — SHA-256 hash-checked PDFs with a logged retrieval trail (chain of custody, effectively).
  • Revocable & auditable — the client can cut access anytime; every retrieval is recorded.

This is the model StatementFlow implements, with the full control list published.

The one-page policy to adopt

Steal this verbatim:

Policy lineRule
Approved intakeBank connection (default) or firm portal (fallback)
BannedEmail attachments, texts/chat apps, shared bank logins
Client commsOne-line explanation + connect link in every onboarding
FilingClient / year / month, standard names, one Drive location
VerificationPrefer source-retrieved, hash-verified originals
ExceptionsNamed owner; reviewed at each close on the coverage board

Rolling this out takes one announcement and removes your two riskiest channels immediately — the complete guide includes the client-facing wording. And if you want the top-ranked channel running on your book with hands-on help, that’s what early access is for.

FAQ

Is it safe for clients to email bank statements?
No. Statements carry account numbers, balances, and transaction detail; email stores them unencrypted-at-rest in multiple inboxes indefinitely and is the primary channel for business-email-compromise fraud. Regulator guidance (FTC Safeguards Rule, IRS Pub 4557) points firms to encrypted, access-controlled channels instead.
What is the most secure way to collect bank statements from clients?
A consented, bank-side connection: the client authenticates at their own bank once, and statements are retrieved directly from the source with encrypted tokens, hash-verified files, and an audit log. Nothing travels through inboxes and no credentials are ever shared.
Can I accept a client’s online banking login to download statements?
Don’t. Holding client credentials defeats their MFA, generally violates the bank’s terms of use, and concentrates liability on your firm. Consented aggregator connections exist specifically to make credential-sharing unnecessary.

Keep reading

Chris Wattinger — Founder, Scale CPA. Chris runs Scale CPA, a US accounting firm, and built StatementFlow inside the firm to kill the monthly statement chase across its own client book.

LinkedIn · About StatementFlow

Stop chasing. Start closing.

Join the early-access waitlist and be one of the founding firms that never asks a client for a bank statement again.

Get early access