How to ask for sensitive documents from your clients.
Onboarding is an ongoing process. First, you onboard your customer when you sign them up and collect KYC information. Then you onboard them again each time you start a project which requires additional information.
If you can see your client personally, things are rather easy: scan a copy of the passport, ask them to fill out paper forms and ask them for hard copies of other documents. If you cannot see them in person, things get rather complex. Here is an overview of options with their pros and cons.
Unencrypted email - still works for many, but in regulated industries sending sensitive personal information this way is risky and can cause issues if data is lost or compromised. That is why your bank does not send you an electronic statement as a PDF attachment. Still, the paradox is that it is highly likely that most of your personal email inboxes contain more sensitive information about you and your families than you would like to admit. We love the convenience of email but we simply lose track of what is ‘archived’, ‘deleted’, ‘in sent’ or simply lingering in forgotten folders on public servers somewhere in America. We hope that ‘no one cares’. Until one does. That is why some of us do not mind sending personal information that way. However, asking for that information is increasingly considered unprofessional.
Encrypted email - this works mainly for the most savvy. One of the well-known protocols is PGP, for ‘pretty good privacy’, which uses public key cryptography. The problem is that both parties must have PGP installed and need to understand how to configure it. The requirement of setting up PGP before communication can start is a deterrent to wider adoption. This is also one of the reasons why PGP is easier to deploy for internal company communication than for interactions with customers.
Public cloud storage - asking customers to upload files into Dropbox, OneDrive, iCloud, you name it, is popular mainly because most of these services are free, very convenient, and no one reads the fine print. Questions such as ‘where is the data stored’ and ‘who has access to it’ are rarely asked. Here is a paragraph taken from Google Drive T&Cs:
When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps).
Most of us had no idea...
End-to-end encryption. Most current solutions offering end-to-end encryption are in the world of real-time communication (such as WhatsApp). Each side creates a public/private key pair which is used to communicate securely. After the conversation ends, the keys are discarded. As with PGP, the condition is that both sides use the same service, which is a big ask. What if they don’t?
Secure upload. (1) Send an email to your customer with a link which expires after a set amount of time. The link might be activated with an optional ‘secret’ such as an SMS. (2) The link leads to a secure webpage where documents can be uploaded, forms filled and, optionally, payment taken. (3) After a single use the link expires, if required. (5) The documents are transferred to (a) the sender’s document safe and (b) the recipient’s document safe and are encrypted separately with public key infrastructure. The sender’s safe is created on the fly if he or she is new to the system. Keys are carefully guarded and can even be managed by the users. Benefits: both sides keep copies of the documents, which never travel by email. The documents can be re-used and securely shared.
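To make steps (1) to (3) concrete, here is a sketch of an expiring, single-use upload link with an optional SMS secret. It is an example added here, not the code of any product mentioned in this post; the function names, the token layout and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to the client
_redeemed = set()                      # assumption: in-memory; a real service uses a shared database


def _mac(payload, secret):
    # The optional SMS secret is mixed into the MAC, so the link alone is not enough.
    msg = payload.encode() + b"|" + (secret or "").encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(request_id, ttl_seconds, secret=None, now=None):
    """Step (1): build the token that goes into the emailed upload URL."""
    if "." in request_id:
        raise ValueError("request_id must not contain '.'")
    now = time.time() if now is None else now
    payload = f"{request_id}.{int(now) + ttl_seconds}.{secrets.token_urlsafe(16)}"
    return f"{payload}.{_mac(payload, secret)}"


def redeem_link(token, secret=None, now=None):
    """Steps (2)-(3): validate the token once; return request_id or raise ValueError."""
    now = time.time() if now is None else now
    try:
        request_id, expires, nonce, mac = token.split(".")
        expires = int(expires)
    except ValueError:
        raise ValueError("malformed token") from None
    payload = f"{request_id}.{expires}.{nonce}"
    # Constant-time comparison; a wrong SMS secret fails here as well.
    if not hmac.compare_digest(mac.encode(), _mac(payload, secret).encode()):
        raise ValueError("bad signature or secret")
    if now >= expires:
        raise ValueError("link expired")
    if nonce in _redeemed:
        raise ValueError("link already used")
    _redeemed.add(nonce)  # single use: burn the nonce only after every check passes
    return request_id
```

Because a short SMS code can be guessed by repeated tries, a real deployment would also cap the number of failed attempts per link.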
Which option is most popular in your firm?
If you would like to learn more about the last one, feel free to contact me at [email protected]