Sending and receiving payments is the bread and butter of all businesses. After all, without inbound and outbound payments, a business could be said to not be operating at all.
EFTs (Electronic Funds Transfers) are a common channel used for recurring payments. To set up an EFT, certain sensitive information needs to change hands. This includes a fair amount of personal and financial information: the recipient's name, address, bank transit number, branch number, and account number, at minimum. A voided cheque includes much of the required information, and so is often used when sharing the information needed to initiate EFTs.
All of this sensitive information (personally identifiable information) is typically sent over email.
Understand the risk of sending sensitive information attached to email
Generally speaking, the way we use email today means messages can exist indefinitely. Just search your own email to find attachments you sent years ago and have forgotten about. Long-standing businesses will have similarly extensive troves of information, both sent and received.
This is a risk and liability, for the following reasons:
- Email inboxes are frequently targeted in data breaches and their contents stolen.
- Email is easily forwarded, often accidentally.
This means that the history of information sent and held by a business in its email can eventually come back to haunt it.
You're probably familiar with sending voided cheques to employers. The risk there is small: an average person holds only a handful of jobs over their lifetime. But a business has numerous vendors!
Your business accumulates a very large surface area of risk when all these business partners, past, present, and future, hold a copy of your financial information in their email.
Email is not considered to be a safe way to send information. It's just the most common, which adds to the perception of being the most convenient.
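To see how much of this history a mailbox actually holds, the sketch below lists old attachments whose filenames suggest banking details. It is an added example, not part of the original article; the filename hints, the 90-day threshold, and the sample messages are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

# Assumed filename hints for banking documents; tune to your own naming habits.
BANKING_HINT = re.compile(r"(void|cheque|check|eft|direct[ _-]?deposit|bank)", re.I)

def find_stale_banking_attachments(messages, now, max_age_days=90):
    """Return sorted (sent date, recipient, filename) for old banking-like attachments."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for msg in messages:
        try:
            sent = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue  # missing or malformed Date header: the message cannot be aged
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
        if sent > cutoff:
            continue  # recent enough to still be in active use
        for part in msg.walk():
            name = part.get_filename()
            if name and BANKING_HINT.search(name):
                findings.append((sent.date().isoformat(), str(msg["To"] or ""), name))
    return sorted(findings)

def _sample(to, when, filename):
    """Build a constructed message with one small attachment (sample data only)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "ap@example.com", to, "Payment setup"
    m["Date"] = format_datetime(when)
    m.set_content("Details attached.")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SENT = [  # constructed sent-mail folder
    _sample("vendor-a@example.com", datetime(2019, 3, 4, tzinfo=timezone.utc), "void_cheque.pdf"),
    _sample("vendor-b@example.com", datetime(2024, 5, 20, tzinfo=timezone.utc), "void_cheque.pdf"),
    _sample("vendor-c@example.com", datetime(2021, 8, 9, tzinfo=timezone.utc), "newsletter.pdf"),
    _sample("vendor-d@example.com", datetime(2020, 1, 15, tzinfo=timezone.utc), "EFT-form.docx"),
]

if __name__ == "__main__":
    for row in find_stale_banking_attachments(SAMPLE_SENT, NOW):
        print(*row, sep="  ")
```

To audit a real export, pass `mailbox.mbox(path)` as `messages`; filename matching is only a hint, so review the hits before deleting anything.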
A safer way: quick option
If you must send voided cheques, use a method that addresses at least the issue of email existing indefinitely.
A trusted tool like Bitwarden Send (an included feature in the Bitwarden password manager) allows you to upload files and, optionally, set an expiry date and password. Once uploaded, Send creates a link which you can give to your recipient through email.
The file you uploaded never touches the email services. Your receiver would use your link to access the file. After a preset time, the link would expire, protecting your business' financial information.
This practice is a workaround: it is not ideal, but it does mitigate some of the risk and potential liability.
Another safer way: a better option
You have a slightly better option, if you still must send payment details for an EFT. Using this method addresses the issue of email existing indefinitely, as well as the possibility that a voided cheque downloaded from Bitwarden Send might be emailed around despite your best efforts.
Wise (previously, TransferWise) has a Request Payment feature, which allows you to generate a temporary link to your payment details for a payment amount of your selection.
You can send this link to vendors, which lets them access your transit number, financial institution number, and account number directly from Wise. The link expires after some time, keeping your account details from being seen indefinitely.
Our preferred payment method
The best payment method needs the minimum of information. In the case of our preferred option for sending and receiving payments, that is just an email address.
Operating in Canada, we use the digital payment method known as Interac e-Transfer, or just eTransfers. You likely have similar options available wherever you operate. Swish is used in Sweden and MobilePay is used in both Denmark and Finland.
eTransfers are ideal for businesses. At Majorcord, we have set up an email address specifically for our partners to use when making payments. The only thing our clients need from us is that email address. On top of this convenience, the email address can be safely stored in their bank apps.
eTransfers are reliable and safe. The email address you share to send you a payment is one-way only, and does not allow another party to also pull funds from your account, as is the case with the transit number, financial institution number, and account number used for EFTs. eTransfers are designed to be safe to share.
We typically suggest to all our partners that they include trusted and reliable payment methods like Interac for sending and receiving payments. Its design makes transactions easier (such as with Autodeposit). Interac e-Transfer also reduces our mutual liability by limiting sensitive information being collected and stored.
As with other methods of payment, eTransfers are susceptible to phishing. But basic security practices (such as independently confirming a receiver) can mitigate such risk. As the sender, always copy-paste the receiver's email address to avoid accidental typos.