Tags: Bank Statements · Financial Data · POPIA · Confidentiality

Bank Statement Sharing Risk: POPIA and Financial Confidentiality

POPIA Fundamentals · 5 min read · Published 2025-06-05

Bank statements are among the most sensitive documents an organisation handles. They give a complete picture of an individual's or organisation's financial activity: income, expenditure, recurring payments, financial relationships, and often enough identifying detail (name, account number, address, sometimes ID number) to enable identity theft or fraud. Their handling therefore requires specific governance controls, not just general document-handling rules.

When Bank Statements Contain Personal Information

A personal bank statement always contains personal information as defined by POPIA: the account holder's name, account number, transaction history, and in many cases ID number and contact details. A business bank statement may also contain personal information where the business is a sole trader or close corporation, or where individual transactions identify natural persons (salary payments to named employees, refunds to named customers, debit orders to named individuals).

Common Risky Sharing Practices

Bank statements are routinely shared in ways that create POPIA compliance exposure:

What Organisations That Receive Bank Statements Must Do

  1. Collect statements only for a specific, documented purpose
  2. Store them in access-controlled locations, not shared drives or email inboxes (an emailed statement is copied into every recipient's mailbox and mail backups, where it cannot reliably be deleted later)
  3. Implement a retention and deletion policy (delete once the stated purpose is served)
  4. Not share them with third parties without authorisation from the data subject
  5. Never upload them to AI tools or consumer cloud platforms
  6. Log who accessed the statements and when

The Unsuccessful Application Problem

When a bond application, tenancy application, or loan application is unsuccessful, the personal information collected during the process, including bank statements, must be deleted unless there is a legal basis for retaining it. Section 14 of POPIA requires that records of personal information not be retained longer than necessary to achieve the purpose for which they were collected; once the application is declined, that purpose is served. Many organisations nevertheless keep this information indefinitely "just in case," which is a clear retention violation.

Practical Controls

Organisations that regularly receive bank statements should implement: a secure upload portal (not email), access controls so only the team member handling a given application can view that statement, an access log, a defined retention period tied to the purpose of collection, and an automated deletion process that runs when that period ends or the purpose is closed. Section 19 of POPIA requires appropriate, reasonable technical and organisational measures to protect personal information; documented, operating controls such as these are what demonstrate that the organisation has them.
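The six obligations listed above and the controls in this section can be implemented as one small system: a statement store that refuses intake without a documented purpose, restricts each statement to named handlers, logs every access attempt, and deletes the document automatically once its purpose is served or its retention period expires. The following is an added illustration, not the page's or ComplyBar's own code; the names StatementStore, collect(), read(), close_purpose() and sweep(), and the sample scenario in demo(), are assumptions made for this example. The store is in-memory so the example runs offline; a real deployment would back it with an encrypted object store and an append-only audit log.

```python
"""Purpose-bound retention, per-statement access control and audit logging.

Added example (not from the original page). StatementStore and its method
names are assumptions for illustration; the scenario in demo() is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib


@dataclass
class StatementRecord:
    statement_id: str
    data_subject: str
    purpose: str                      # the specific, documented purpose of collection
    collected_at: datetime
    retain_until: datetime            # deletion deadline derived from the purpose
    authorised: frozenset             # only the handlers of this application
    content_sha256: str               # kept after deletion as audit evidence
    deleted_at: Optional[datetime] = None
    retention_basis: Optional[str] = None   # legal basis if kept past the purpose


class StatementStore:
    def __init__(self, default_retention: timedelta):
        self.default_retention = default_retention
        self._records = {}            # statement_id -> StatementRecord
        self._blobs = {}              # statement_id -> bytes (the document itself)
        self.audit_log = []           # (when, actor, action, statement_id, outcome)

    def _log(self, when, actor, action, statement_id, outcome):
        self.audit_log.append((when.isoformat(), actor, action, statement_id, outcome))

    def collect(self, actor, statement_id, data_subject, purpose, content, authorised, now):
        """Accept a statement only against a documented purpose and named handlers."""
        if not purpose.strip():
            raise ValueError("refusing to store a statement without a documented purpose")
        if not authorised:
            raise ValueError("at least one authorised handler is required")
        rec = StatementRecord(
            statement_id=statement_id, data_subject=data_subject, purpose=purpose,
            collected_at=now, retain_until=now + self.default_retention,
            authorised=frozenset(authorised),
            content_sha256=hashlib.sha256(content).hexdigest(),
        )
        self._records[statement_id] = rec
        self._blobs[statement_id] = content
        self._log(now, actor, "collect", statement_id, "ok")
        return rec

    def read(self, actor, statement_id, now):
        """Release the document only to an authorised handler while retention is live.
        Every attempt, allowed or denied, is logged."""
        rec = self._records.get(statement_id)
        if rec is None or rec.deleted_at is not None:
            self._log(now, actor, "read", statement_id, "denied:missing")
            raise LookupError(statement_id)
        if actor not in rec.authorised:
            self._log(now, actor, "read", statement_id, "denied:unauthorised")
            raise PermissionError(f"{actor} may not view {statement_id}")
        if now >= rec.retain_until:
            # Deadline passed but the deletion job has not run yet: treat as gone.
            self._log(now, actor, "read", statement_id, "denied:expired")
            raise PermissionError(f"{statement_id} is past its retention date")
        self._log(now, actor, "read", statement_id, "ok")
        return self._blobs[statement_id]

    def close_purpose(self, actor, statement_id, now, legal_basis=None):
        """The application is decided (for example declined): the purpose is served.
        Without a recorded legal basis for further retention, the deadline becomes now."""
        rec = self._records[statement_id]
        if legal_basis:
            rec.retention_basis = legal_basis
            self._log(now, actor, "close_purpose", statement_id, f"retained:{legal_basis}")
        else:
            rec.retain_until = now
            self._log(now, actor, "close_purpose", statement_id, "scheduled_deletion")
        return rec.retain_until

    def sweep(self, now):
        """Automated deletion job: remove every document whose deadline has passed.
        The metadata record (with the content hash) stays as evidence of deletion."""
        removed = []
        for sid, rec in self._records.items():
            if rec.deleted_at is None and now >= rec.retain_until:
                del self._blobs[sid]
                rec.deleted_at = now
                self._log(now, "retention-job", "delete", sid, "ok")
                removed.append(sid)
        return removed


def demo():
    """Constructed scenario: a tenancy application that is declined after three days."""
    t0 = datetime(2025, 6, 5, 9, 0, tzinfo=timezone.utc)
    store = StatementStore(default_retention=timedelta(days=90))
    store.collect("intake-portal", "stmt-001", "applicant-42", "tenancy-application-7781",
                  b"constructed sample statement content", {"lettings.agent"}, t0)
    store.read("lettings.agent", "stmt-001", t0 + timedelta(hours=1))     # allowed
    try:
        store.read("marketing.user", "stmt-001", t0 + timedelta(hours=2))  # denied, logged
    except PermissionError:
        pass
    store.close_purpose("lettings.agent", "stmt-001", t0 + timedelta(days=3))
    removed = store.sweep(t0 + timedelta(days=3, hours=1))
    return store, removed
```

Two design points worth noting. Denied access attempts are logged with the reason, because an access log that records only successful reads cannot show an auditor who tried to open a statement they had no business seeing. And the record is never fully erased: the document bytes are deleted but the metadata and content hash remain, so the organisation can later evidence that a specific document existed, was held for a stated purpose, and was destroyed on a stated date.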

Find out where your business stands on this risk.

ComplyBar helps businesses identify hidden risks in how information, AI tools, email, documents and cloud systems are used. A structured assessment gives management the visibility to know, not just assume.

Built for POPIA support, AI governance, data leak prevention, employee risk awareness, information governance and audit evidence.