Identity theft is a major concern among accountants and tax preparers, and rightfully so. At minimum, a victim of identity theft faces weeks of work freezing credit reports, locking down financial accounts, and undoing actions that were fraudulently carried out in his or her name. At worst, identity theft can be financially ruinous.
All accountants and tax preparers have an obligation to do their part to prevent identity theft by safeguarding client information. One of the most important ways accountants can do this is by transmitting sensitive information in a secure manner.
In this article we’ll talk about client portals, one of the best tools for protecting sensitive financial and identity information. We’ll talk about what client portals are, why you should use them, and what to look for when choosing a client portal for your practice.
What are client portals?
A client portal is a secure website that allows you and clients to upload files to share with one another. Client portals allow you to tightly control uploaded files, which reduces the risk of accidentally exposing client data. In fact, client portals are so effective at protecting client data that the AICPA recommends the use of client portals as one of its “Best Practices for Keeping Client Data Secure.”
Why should my firm use a client portal?
The benefits of a client portal over the alternatives are significant. Client portals give you better control of client data, they are convenient, and they advertise your professionalism to your clients.
Data control
One of the most important reasons to use a client portal is to control your clients’ information. As mentioned earlier, identity theft is a major concern. Client portals can help you prevent the theft of your clients’ identities by tightly controlling who can access financial and personally identifying information.
Typically, client portals distinguish between different “roles” for users. For example, there are usually different roles for “staff” and “clients”. This allows accountants and tax preparers with the “staff” role to access all files uploaded to the client portal while allowing clients to only see their own files.
In addition to roles, a client portal may also have other permission schemes that help you institute more fine-grained controls over client data. For example, some client portals allow you to control who can see different files, even among staff. This can allow you to permit only those staff who need access to a particular file to access it. In larger organizations, you might use permissions to control access to files based on a staff member’s department.
Taken together, these data controls ensure that only those who should have access to your clients’ data get it. This helps keep your clients’ sensitive information private, and helps prevent its misuse by others.
Convenience & efficiency
Client portals provide convenience, for both you and your clients. They give you a single place to look for important files that have been shared, and allow you to see at a glance when a file was last viewed by a client. They also give your clients 24/7 access to tax returns and other files that they might need access to, allowing this task to become self-service.
Appearance of professionalism
Some of your clients may not have any idea of how important it is to protect their financial data. After all, they hired you to worry about those details. However, those clients who are aware of the dangers of identity theft are likely to notice the steps you take to protect their data.
Using a client portal to exchange sensitive information gives reassurance to your most knowledgeable clients, and lets them know that you take seriously your responsibility to protect their data. It lends an appearance of professionalism to your firm, and makes it clear that you are taking all necessary steps to keep them safe.
Why not just use email?
If not for client portals, most small accounting and tax firms would just use email to exchange files. That’s a bad idea.
Email is a fundamentally insecure service that is notorious for being difficult to maintain. Between its sender and recipient, an email might pass through any number of systems that are controlled by third parties. Each system an email passes through represents an opportunity for a compromised or misconfigured email server to expose your message. Adding to the risk, emails that pass through third party systems can often be read by the owners of these systems.
But what about the many “secure” email systems that are advertised? The problem is that many of these so-called secure email systems aren’t actually secure. Oftentimes they only solve part of the problem. They might protect messages on the accountant’s system, but leave your clients’ systems completely exposed. This puts your clients’ data at risk.
To properly secure your clients’ data, communication must be secured at both the sending and receiving end. In practice, this means that both parties must be forced to authenticate themselves before accessing a message. This is exactly the problem that client portals were designed to solve.
What to look for in a client portal
There are a lot of client portal solutions available on the market today. Some of them are better suited to accounting and tax practices than others. If you’re looking for a client portal solution for your business, here are some things to consider.
Security
When choosing a client portal, security should be your first concern. Improving data security is the reason you’re considering one, after all. So when evaluating client portals, consider each service’s use of encryption and statements about internal controls.
Encryption at rest
At a bare minimum, data stored in a client portal should be encrypted in order to protect it from accidental disclosure. So when evaluating client portals, look for statements made by a vendor that its product uses strong authenticated encryption. When reviewing a vendor’s literature, you might see the phrase “encrypted at rest,” which means that files in the client portal are encrypted when they are not actively being used. You might also see phrases like AES, ChaCha, Salsa20, or variations of these phrases, which all refer to well-respected encryption algorithms.
Even if you don’t completely understand these terms, they can serve as indicators that a client portal vendor has considered these security issues. They can also serve as points of discussion when questioning vendors. Any vendor unwilling to discuss how their data is encrypted should be suspect.
Data in transit
It’s not enough that data at rest be encrypted. To be secure, data in transit must be encrypted as well. Data in transit refers to information that is in the process of being sent to and received from the client portal. Information that is in transit might hop through dozens of third party servers between the data’s origin and its destination. Without encryption, this data in transit might be inspected on any Internet server it passes through. Enforcing encryption for data in transit ensures that your clients’ data remains private as it is transmitted over the Internet.
When evaluating whether a particular client portal enforces encryption for data in transit, look for claims that data is “encrypted in transit.” You might also look for phrases like TLS or SSL, which are different ways of encrypting internet connections.
Data center internal controls
Another aspect of security that should be considered is the physical security of the servers that host the client portal. In general, servers should reside in a facility that has successfully completed an AICPA SSAE 18 SOC 2 audit. (This is usually just called a “SOC 2 audit.”) A SOC 2 audit, which is defined by the American Institute of Certified Public Accountants (AICPA), attests to the internal controls of a facility, concentrating on controls over privacy, security, availability, processing integrity, and confidentiality. Since internal controls over these areas are critical to maintaining the security of computer hardware, successfully completing a SOC 2 audit is generally recognized as a standard that any facility handling sensitive information should meet.
Permissions systems
Another feature that you should consider when evaluating a client portal is whether the tool has a robust permission system. Being able to assign permissions on a file or folder can be useful in a number of settings.
For example, you can use permissions to control which of your staff have access to files. This ensures that only those who need access to confidential information have it.
You can also use permissions to protect client data from your clients themselves. For instance, you might not want to permit your clients to delete files. Or for past tax years, you might want to allow clients to read files without being able to change them.
A fine-grained permission system makes all of these options available, and ensures that you can maintain tight control of client data.
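As an added illustration (not RelaNet Cloud's code or any vendor's), here is a minimal default-deny permission check that combines the rules described above: staff versus client roles, per-file staff restrictions by department, clients limited to their own files, no client deletes, and read-only access to past tax years. The User and PortalFile types, the role and action names, and CURRENT_TAX_YEAR are assumptions made for the example.

```python
from dataclasses import dataclass

CURRENT_TAX_YEAR = 2024  # constructed value for the example
ACTIONS = {"read", "write", "delete"}


@dataclass(frozen=True)
class User:
    name: str
    role: str             # "staff" or "client" (hypothetical role names)
    department: str = ""  # only meaningful for staff


@dataclass(frozen=True)
class PortalFile:
    owner_client: str
    tax_year: int
    # Departments allowed to open the file; empty means all staff may.
    staff_departments: frozenset = frozenset()


def is_allowed(user: User, f: PortalFile, action: str) -> bool:
    """Return True only when a rule explicitly permits the action."""
    if action not in ACTIONS:
        return False  # unknown action: deny
    if user.role == "staff":
        # Staff see everything unless the file is limited to departments.
        return not f.staff_departments or user.department in f.staff_departments
    if user.role == "client":
        if user.name != f.owner_client:
            return False  # clients only ever see their own files
        if action == "delete":
            return False  # protect client data from the client
        if action == "write":
            return f.tax_year >= CURRENT_TAX_YEAR  # past years are read-only
        return True       # read of own file
    return False          # unknown role: deny


if __name__ == "__main__":
    # Constructed sample users and files.
    carol = User("carol", "client")
    old_return = PortalFile("carol", 2022, frozenset({"tax"}))
    for action in sorted(ACTIONS):
        print(action, is_allowed(carol, old_return, action))
```

Every branch that does not match a known role or action falls through to a denial, so a new role or a typo in an action name cannot silently grant access.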
Other features
There are a number of other features that you might also find valuable when considering a client portal system. These features include:
- File retention policies: In some settings it is important that documents not be retained longer than required. In these cases file retention policies that automatically delete a file after a set amount of time can prove useful.
- Access control policies: If you have a need to strictly control data, the ability to set access control policies on certain files and folders might be useful. For example, you might allow certain sensitive information to only be accessed by computers on your office network.
- File tagging: The ability to assign arbitrary identifiers (called “tags”) to files can make it easier to search for information within your client portal. For example, you might tag files with the current tax year or with a client’s name so that you can more easily find those files in the future.
Wrapping up
A client portal is an important tool for safeguarding your clients’ data and protecting clients from identity theft. In fact, it’s such an important tool that any accountant or tax preparer who exchanges electronic files should have one.
If you have any questions about client portals or the details discussed in this article, I invite you to contact RelaNet. We would be happy to explain anything that remains unclear, and help you evaluate which features are most important given your specific circumstances.
And if you’re already looking for a client portal for your tax or accounting practice, I hope that you will consider RelaNet Cloud, the client portal that RelaNet provides to our customers. It’s built around the needs of financial professionals, it’s secure, and it incorporates all the important features described above. I would be happy to talk to you about RelaNet Cloud and how it can help your business, or you can see it in action by requesting a demo using the form below.