What HNW Onboarding Actually Requires
Onboarding a high-net-worth client is rarely a matter of a signature and a welcome pack. Before the relationship begins, a regulated firm has to satisfy its customer due diligence obligations. Under regulation 28 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, customer due diligence measures require you to identify the customer and verify their identity, unless that identity has already been verified, and to assess and, where appropriate, obtain information on the purpose and intended nature of the business relationship.
Those duties do not stop at onboarding. The same regulation requires ongoing monitoring of the relationship, including scrutiny of transactions and, where necessary, the source of funds, to make sure activity stays consistent with what the firm knows about the customer. For a wealth-management firm, a private bank, or an adviser taking on a substantial new client, that means collecting documents that are far more sensitive than a name and a date of birth.
Where the situation is higher risk, more is expected. Regulation 33 requires enhanced due diligence in higher-risk situations, and the enhanced measures must include, as far as reasonably possible, examining the background and purpose of the transaction and obtaining information on the source of funds and source of wealth of the customer and the customer’s beneficial owner, alongside senior management approval and increased ongoing monitoring. Many high-value relationships will fall into this category, and the volume of supporting paperwork rises accordingly.
The Documents You Collect
In practice, satisfying these duties means asking the client for a stack of personal and financial records. The precise list depends on your firm’s own risk assessment, but a typical high-net-worth onboarding gathers:
- Identity verification: passport or driving licence to identify and verify the client under regulation 28.
- Proof of address: recent utility bills, bank statements, or council tax correspondence.
- Source of funds: evidence of where the money for a specific transaction has come from, such as a sale completion statement or pay and bonus records.
- Source of wealth: evidence of how the client’s overall wealth was accumulated, which under regulation 33 forms part of enhanced due diligence where it applies.
- Beneficial ownership: structure charts, trust deeds, and identity documents for any underlying beneficial owners.
Why this set of files is unusually sensitive
A single onboarding pack can contain a passport scan, several months of bank statements, the deed to a property, and a complete picture of a person’s wealth. In the wrong hands it is enough to commit identity fraud, target the client, or expose information they would expect to be held in the strictest confidence.
That sensitivity is exactly why the channel you use to collect it matters as much as the checks themselves.
Why Email Is the Wrong Channel
The default for most firms is still email. The adviser asks the client to “just send everything over”, and the client replies with attachments. It feels efficient, but it quietly creates a confidentiality and compliance problem.
The UK GDPR security principle, Article 5(1)(f) on integrity and confidentiality, requires personal data to be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The ICO frames this as making sure personal data cannot be accidentally or deliberately compromised, preserving its confidentiality, integrity and availability.
Email struggles against that standard. Once a client emails a passport scan and a set of bank statements, copies of those files sit indefinitely in the client’s sent folder, your inbox, and the backups of both mail servers. The message can be forwarded, misaddressed by a single autocomplete slip, or read by anyone who later gains access to either mailbox. Most email is not encrypted end to end, so its security depends on infrastructure neither you nor the client controls.
The compliance angle
A firm also has wider obligations to keep these systems sound. FCA Handbook SYSC 6.3 requires a firm to take reasonable care to establish and maintain effective systems and controls to counter the risk that it might be used to further financial crime, proportionate to the nature, scale and complexity of its activities, and to assess the adequacy of those controls regularly. An ad hoc email habit is hard to square with that duty.
What a Secure Workflow Looks Like
A better approach replaces the open-ended email request with a single, encrypted upload link. The firm creates a request for the specific documents it needs, sends the client a link, and the client uploads the files directly. The files are encrypted before they leave the client’s device, so the platform never holds readable copies, and they are deleted automatically once they have been downloaded.
How a secure onboarding request flows
- You create a request listing the exact documents required
- The client receives one secure link, no account to create
- Files are encrypted on the client’s device before upload
- You download once, then the files delete automatically
- No documents linger in inboxes or mail backups
- A record of the request remains for your file
The client experience is no harder than an email reply, which matters when you are asking a busy, high-value individual to hand over the most sensitive records they own. The difference is invisible to them and decisive for you: the sensitive material travels over an encrypted channel and does not stay where it can leak. Firms running larger structures may also want to read our guide to family office secure document sharing and, for related anti-money-laundering checks, KYC and AML document collection.
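The request flow in the list above, modelled end to end in Python as an added example (this is not FileSeal's code or a description of its internals): the firm's device generates a key that travels only in the URL fragment, the client encrypts locally and uploads ciphertext, the server holds that ciphertext until the first download and then discards it, and an audit trail of the request survives. The link format, the `RequestServer` API, the sample document bytes and the HMAC-SHA256-based cipher (a standard-library stand-in for a production AEAD such as AES-GCM) are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

NONCE_LEN, TAG_LEN = 16, 32

# --- Client-side encryption. Stand-in for an AEAD such as AES-GCM, built from the
#     standard library only: HMAC-SHA256 in counter mode supplies the keystream and a
#     second HMAC-SHA256 over nonce||body is the integrity tag (encrypt-then-MAC).
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

# --- Platform side (hypothetical API). Stores the document list, a hash of the
#     upload token, the ciphertext until first download, and an audit log. Never the key.
class RequestServer:
    def __init__(self):
        self._store = {}

    def create_request(self, required_docs):
        request_id, upload_token = secrets.token_urlsafe(8), secrets.token_urlsafe(24)
        self._store[request_id] = {
            "required_docs": list(required_docs),
            "token_hash": hashlib.sha256(upload_token.encode()).digest(),  # raw token not kept
            "ciphertext": None,
            "audit": [("created", time.time(), tuple(required_docs))],
        }
        return request_id, upload_token

    def upload(self, request_id, upload_token, ciphertext):
        rec = self._store[request_id]
        presented = hashlib.sha256(upload_token.encode()).digest()
        if not hmac.compare_digest(rec["token_hash"], presented):
            raise PermissionError("upload token not valid for this request")
        if rec["ciphertext"] is not None:
            raise PermissionError("request already fulfilled; link is single-use")
        rec["ciphertext"] = ciphertext
        rec["audit"].append(("uploaded", time.time(), len(ciphertext)))

    def download_once(self, request_id):
        rec = self._store[request_id]
        blob = rec["ciphertext"]
        if blob is None:
            raise LookupError("no file held for this request")
        rec["ciphertext"] = None  # deleted on first retrieval; only the audit entries remain
        rec["audit"].append(("downloaded_and_deleted", time.time()))
        return blob

    def audit_record(self, request_id):
        return [event[0] for event in self._store[request_id]["audit"]]

    def stored_blob(self, request_id):  # inspection helper for the demonstration below
        return self._store[request_id]["ciphertext"]

# --- Firm side: the key is generated on the firm's device and placed in the URL
#     fragment, which browsers never send to the server.
def firm_create_link(server, required_docs):
    request_id, upload_token = server.create_request(required_docs)
    key = secrets.token_bytes(32)
    link = f"https://upload.example.invalid/r/{request_id}?t={upload_token}#k={key.hex()}"
    return link, key

# --- Client side: parse the link, encrypt locally, upload ciphertext only.
def client_upload(server, link, document):
    u = urlparse(link)
    request_id = u.path.rsplit("/", 1)[1]
    upload_token = parse_qs(u.query)["t"][0]
    key = bytes.fromhex(u.fragment.split("=", 1)[1])
    server.upload(request_id, upload_token, encrypt(key, document))
    return request_id

def run_flow(document: bytes) -> dict:
    server = RequestServer()
    link, key = firm_create_link(server, ["passport", "3 months of bank statements"])
    request_id = client_upload(server, link, document)
    server_saw_plaintext = document in server.stored_blob(request_id)
    blob = server.download_once(request_id)
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext byte; the tag check must reject it
    try:
        decrypt(key, bytes(tampered)); tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        server.download_once(request_id); second_download_blocked = False
    except LookupError:
        second_download_blocked = True
    return {"recovered": decrypt(key, blob), "server_saw_plaintext": server_saw_plaintext,
            "tamper_detected": tamper_detected, "second_download_blocked": second_download_blocked,
            "audit": server.audit_record(request_id)}

# Constructed sample document; no real client data.
SAMPLE_DOC = b"CONSTRUCTED SAMPLE: passport scan placeholder for J. Example, doc no. 00000000"

if __name__ == "__main__":
    print(run_flow(SAMPLE_DOC))
```

Two design points carry the security argument of the section. First, because the key lives in the fragment, the platform authorises the upload with the token it does see but can only ever store ciphertext, so a compromise of the platform or its backups yields nothing readable. Second, `download_once` clears the ciphertext but leaves the audit entries, which is what lets the firm evidence that the request was made and fulfilled without keeping a standing copy of the documents.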
Encryption, Deletion and the Audit Record
Encryption is not just good practice; it is something the regulator explicitly points to. The ICO states that the UK GDPR security principle includes encryption as an example of an appropriate technical measure to manage risk, referencing Article 32. Encrypting personal data can reduce the risk of a personal data breach and the extent to which it impacts people’s rights and freedoms; where data is lost or unlawfully accessed and encryption was not used, the ICO may consider regulatory action.
Automatic deletion after download closes the other half of the gap. Once you have collected and reviewed a client’s source-of-wealth evidence, there is no reason for an extra copy to sit on a sharing platform. Deleting it after retrieval keeps the live exposure window short and supports the data-minimisation thinking behind the security principle.
A clean record without the live exposure
A secure request workflow still leaves you with a record that the documents were requested and received, which helps evidence the systems and controls the FCA expects, while the files themselves no longer linger as a standing liability. You keep the proof of process and lose the unnecessary copies.
Read together, regulation 28 and regulation 33 tell you what to collect, SYSC 6.3 tells you to run a sound system for handling it, and the ICO’s security guidance tells you that encryption and prompt deletion are the kind of measures it expects. A one-time encrypted request link is simply the workflow that satisfies all three at once.
Frequently Asked Questions
What documents do I need to collect when onboarding a high-net-worth client?
Customer due diligence under the Money Laundering Regulations 2017 requires you to identify the client and verify their identity, which typically means a photo identity document and proof of address, and to obtain information on the purpose and intended nature of the relationship. Where enhanced due diligence applies in higher-risk situations, you must also examine the background and purpose of transactions and obtain information on the source of funds and source of wealth of the client and any beneficial owner. The exact mix depends on your firm’s risk assessment.
Is email safe for collecting source-of-wealth and source-of-funds documents?
Email is a poor channel for these documents. The UK GDPR security principle requires personal data to be processed in a manner that ensures appropriate security against unauthorised access and accidental loss. Email attachments sit in multiple inboxes and backups indefinitely, can be forwarded or misaddressed, and are rarely encrypted end to end. A one-time encrypted upload link collects the documents over a secure channel and deletes them after download, which fits the security principle far better than email.
Does encryption help with AML and GDPR compliance for client documents?
Yes. The ICO names encryption as an example of an appropriate technical measure under the UK GDPR security principle, and notes that encrypting personal data can reduce the risk and impact of a breach. Combined with the systems-and-controls duty that the FCA expects firms to maintain against financial crime, encrypted collection and prompt deletion of onboarding documents both reduce breach exposure and produce a clean record of how client data was handled.
Conclusion
High-net-worth onboarding sits at the intersection of three duties: the customer due diligence and enhanced due diligence rules in the Money Laundering Regulations 2017, the systems-and-controls expectation in SYSC 6.3, and the UK GDPR security principle. The documents you collect to satisfy the first are among the most sensitive a person owns, which is precisely why the way you collect them is not a side issue.
Email scatters those documents across systems you cannot control. A one-time encrypted request link does the opposite: it collects exactly what you need over a secure channel, deletes it once you have it, and leaves a record of the request behind. For any firm onboarding substantial clients, that is the workflow worth building the relationship on.
Written by the FileSeal security and compliance team. We specialise in document security, GDPR compliance, and data protection for UK professionals. Our guides are reviewed by industry practitioners and updated regularly.
