← Back to blog
    Compliance

    Sending confidential financial documents: a guide for accountants

    Share annual accounts, tax returns and due-diligence files demonstrably securely: GDPR, Wwft, biometric identity verification and an audit report that bridges the tax retention period.

    TransferGuard redactieJuridisch & Compliance8 min

    Annual accounts, tax returns, payroll administration and due-diligence files are among the most confidential documents an accountancy firm handles. This article describes how to transfer financial documents in a demonstrably secure way, and how to comply at the same time with the GDPR, the Dutch Anti-Money Laundering Act (Wwft) and your tax record- keeping obligation.

    The confidentiality of financial documents

    Financial documents provide far-reaching insight into the position of a company or individual: turnover, margins, debts, salaries, banking relationships and strategic plans. An accidentally leaked set of annual accounts or an M&A file can damage negotiating positions, give competitors an advantage and permanently harm the trust between accountant and client. The care that characterises the accountant in the file itself must therefore extend to the manner of transfer.

    Two legal frameworks: GDPR and Wwft

    For accountants, two frameworks of obligations apply side by side, both of which bear directly on secure data exchange.

    GDPR

    Many financial documents contain personal data, think of payslips, personal tax returns and shareholder information. GDPR art. 32 requires appropriate technical and organisational measures, matched to the risk. For financial personal data that risk is high, which makes a transfer method with strong encryption and verifiable receipt necessary.

    Wwft

    The Dutch Anti-Money Laundering Act (Wwft) requires accountants to carry out client due diligence and to establish the identity of the client. Knowing for certain with whom you are doing business, and being able to demonstrate it, ties in closely with the way you exchange sensitive documents. A transfer channel that verifies the recipient's identity reinforces that same diligence.

    Concrete situations in accountancy practice

    Secure transfer arises in virtually every phase of the service. A few common situations:

    • Annual accounts to the client. The final annual accounts with notes contain the company's complete financial position.
    • Tax return to an authorised representative. Returns and underlying documents contain personal and corporate data that must reach the right recipient confidentially.
    • Due-diligence files in an acquisition. In M&A transactions, extensive data rooms with highly sensitive information are shared with advisers and acquiring parties.
    • Payslips and payroll administration. Salary data are personal data that may reach only the employer or employee concerned.

    Demonstrable proof of who received the document

    With financial documents not only encryption matters, but also the certainty of who actually received the document. TransferGuard offers biometric identity verification through a specialist identity verification provider: the recipient scans a passport or ID document, takes a live selfie and completes a liveness check. Only after that is the document unlocked. This establishes, and makes demonstrable, that the annual accounts or the M&A file reached the intended person and not a third party. See how this works step by step in the verified identity demo.

    Encryption and EU storage

    TransferGuard encrypts every file with AES-256-GCM in the sender's browser. The data are therefore encrypted before they leave the device, and the decryption key is only released to verified recipients after successful identity or email verification. Transport runs over TLS 1.3 and storage is in the EU, on ISO 27001-certified infrastructure. There is room for large data rooms: transfers of up to 100 GB per shipment are possible, so a complete due-diligence file can travel in a single secure transfer.

    Record-keeping obligation and the verifiable audit report

    The tax record-keeping obligation is a hard fact for accountants: under the Dutch General Tax Act (AWR art. 52), records and underlying documents must in principle be retained for seven years. That includes being able to demonstrate what was provided when and to whom.

    TransferGuard concludes every transfer, where desired, with a verifiable PDF audit report with SHA-256 integrity check and an independent verified timestamp. The SHA-256 hash proves that the received file is exactly identical to the file that was sent; the independent timestamp records the moment of transfer. You can easily archive this report with the file, and it forms a strong piece of evidence throughout the entire retention period.

    Proof tailored to each transfer

    You decide per transfer how extensive the identity verification and the evidence file must be, matched to the sensitivity of the document. For a routine exchange a light verification may suffice; for sending annual accounts, a tax return or an M&A file, full biometric identity verification with a verifiable audit report including integrity check is appropriate.

    Practical example

    The example below is anonymised and illustrative. An accountancy firm guides the sale of a family business and must share an extensive data room with annual figures, contracts and payroll administration with the adviser of the acquiring party. The sensitivity is great: a premature leak would disrupt the negotiation.

    The firm sends the data room via TransferGuard with fully verifiable proof. The buyer's adviser completes a biometric identity verification before the documents are unlocked, so that it is demonstrable that only the authorised adviser gains access. After receipt the platform generates a verifiable audit report with the SHA-256 hash and an independent verified timestamp, which the firm retains with the file for seven years. Should it later be disputed which version of the figures was shared when, that can be established objectively from the report.

    Conclusion

    For accountants, secure file transfer is not a side issue but an extension of professional diligence. End-to-end encryption, EU storage on ISO 27001-certified infrastructure, biometric identity verification and a verifiable audit report meet the requirements of the GDPR, support the identity check the Wwft demands and deliver a piece of evidence that effortlessly bridges the tax retention period.

    View the full overview of features on the features page or the pricing options on the pricing page. For the broader GDPR context, see our article on GDPR requirements for file transfer.

    Ready to send certified?

    Certified Delivery from €49/mo excl. VAT. Verified Identity from €79/mo. Cancel monthly.

    Get started

    Read next