DocSafe Limited

How to ask for sensitive documents from your clients.

Sep 2nd 2016
Customer onboarding is a process that actually never ends.  First, you onboard a customer when you sign them up and collect KYC information.  Then, you keep onboarding them for each job that requires extra information which is not readily available. 

If you can see your client personally, things are rather easy but inefficient: scan a copy of the passport and ask them to fill out a paper form or bring copies of documents.  If you cannot see them in person, things get rather complex.  Here is an overview of digital options with their pros and cons.  

Unencrypted email - still works for many, but in regulated industries sending sensitive personal information this way is risky and can cause issues if data is lost or compromised. That is why your bank does not send you an electronic statement as a PDF attachment. Still, there is a paradox. It is highly likely that most of your personal email inboxes contain more sensitive information about you and your families than you would like to admit. We simply love the convenience of email but lose track of what is ‘archived’, ‘deleted’, ‘in sent’ or simply lingering in forgotten folders on public servers somewhere in America. We hope that ‘no one cares’. Until one does. That is why some of us do not mind sending personal information that way. However, asking for that information is increasingly considered unprofessional.

Encrypted email - this works mainly for the most savvy. One of the well-known protocols is PGP, for ‘pretty good privacy’, which uses public key cryptography. The problem is that both parties must have PGP installed and need to understand how to configure it. The requirement of setting up PGP before communication can start is a deterrent to wider adoption. This is also one of the reasons why PGP is easier to deploy for internal company communication than for interactions with customers.

Public cloud storage - asking customers to upload files into Dropbox, OneDrive, iCloud, you name it, is popular mainly because most of these services are free, very convenient, and no one reads the fine print. Questions such as ‘where is the data stored’ and ‘who has access to it’ are rarely asked. Here is a paragraph taken from Google Drive T&Cs:

When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps).

Most of us had no idea...

End-to-end encryption. Most current solutions offering end-to-end encryption are in the world of real-time communication (such as WhatsApp). Each side creates a public/private key pair which is used to communicate securely. After the conversation ends, the keys are discarded. As with PGP, the condition is that both sides use the same service, which is a big ask. What if they don’t?

Secure upload.  Here is a method which is increasingly popular with modern 'paperless' accountancies.  (1) Send an email to your customer with a link which expires after a set amount of time.  (2) The link might be activated with an optional ‘secret’ such as an SMS.  (3) The link leads to a secure webpage where documents can be uploaded and forms filled.  (4) After a single use the link expires, if required.  (5) The documents are transferred to (a) sender's secure vault and (b) recipient's secure vault and are encrypted separately with public key infrastructure.  Sender's vault is created on the fly if the user is new to the 'system'.  Encryption keys are carefully guarded and can even be managed by the users.  Benefits: both sides keep copies of the documents which never travel by email.  The documents can be re-used and securely shared and most importantly, are already filed in the right place so that the accountant can start working on them immediately.
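Steps (1) to (4) of the secure upload method can be sketched as follows. This is an added example, not DocSafe's code: the class name, field names and the attempt limit are assumptions, and the vault encryption of step (5) is out of scope.

```python
import hashlib
import hmac
import secrets
import time

MAX_CODE_ATTEMPTS = 3  # assumed limit; wrong SMS codes beyond this burn the link


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class UploadLinks:
    """In-memory issuer and validator for upload links (illustrative names)."""

    def __init__(self):
        self._links = {}  # sha256(token) -> record; the raw token is never stored

    def issue(self, client_id, ttl_seconds, single_use=True, with_code=False, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable value placed in the emailed URL
        # Step (2): optional second secret, delivered out of band (e.g. by SMS).
        code = f"{secrets.randbelow(10**6):06d}" if with_code else None
        self._links[_digest(token)] = {
            "client_id": client_id,
            "expires_at": now + ttl_seconds,  # step (1): the link expires
            "single_use": single_use,
            "code_digest": _digest(code) if code else None,
            "failed_codes": 0,
        }
        return token, code

    def redeem(self, token, code=None, now=None):
        """Return the client_id if an upload may proceed, otherwise None."""
        now = time.time() if now is None else now
        key = _digest(token)
        rec = self._links.get(key)
        if rec is None:
            return None  # unknown, already used, or already burned
        if now >= rec["expires_at"] or rec["failed_codes"] >= MAX_CODE_ATTEMPTS:
            del self._links[key]
            return None
        if rec["code_digest"] is not None:
            # Constant-time comparison; the attempt cap is what protects a 6-digit code.
            if not hmac.compare_digest(_digest(code or ""), rec["code_digest"]):
                rec["failed_codes"] += 1
                return None
        if rec["single_use"]:
            del self._links[key]  # step (4): the link stops working after one use
        return rec["client_id"]
```

The upload page of step (3) would call `redeem` before accepting any file and reject the request when it returns `None`.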

Which option is most popular in your firm?

If you would like to learn more about the last method, feel free to contact me at [email protected].


MyDocSafe onboarding process

