Every UK and UAE firm we speak to agrees in principle that client documents should not travel by email. Almost none of them have fully stopped doing it. The gap between principle and practice exists because the risk of email feels abstract and the cost of switching feels concrete. This article quantifies both, so the comparison stops being a matter of intuition.
What email actually is, from a security standpoint
SMTP was designed in 1982 for a network of trusted academic institutions. It has been retrofitted with TLS, SPF, DKIM and DMARC, but its fundamental model - store-and-forward across untrusted intermediaries - has not changed. A typical client email containing a P60, an ID document and a set of accounts passes through the sender's mail server, one or more relay servers, the recipient's mail server, and any backup or archive systems on either side. The document sits decrypted in mailbox storage indefinitely.
For HMRC tax data, AML identification documents and financial statements, this is materially below the standard that the ICO, FCA and the supervisory bodies expect a professional firm to operate to.
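Each server on the store-and-forward path described above records itself in a Received header, so the path can be read back from any delivered message. The Python below is an added example, not part of the original article: it parses a constructed message and reports which hops recorded TLS, using the "with" protocol keywords from RFC 3848. Every hostname and address in it is a placeholder.

```python
import re
from email import message_from_string

# Constructed sample message; every hostname and address is a placeholder.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby store.recipient.example with LMTP id c3; Mon, 3 Mar 2025 09:15:04 +0000
Received: from relay.provider.example (relay.provider.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id b2; Mon, 3 Mar 2025 09:15:03 +0000
Received: from mail.firm.example (mail.firm.example [192.0.2.10])
\tby relay.provider.example with ESMTPS id a1; Mon, 3 Mar 2025 09:15:01 +0000
From: adviser@firm.example
To: client@recipient.example
Subject: Accounts and P60

See attached.
"""

# "with" keywords that RFC 3848 defines for TLS-protected transfers.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)


def trace_hops(raw_message):
    """Return the relay hops in delivery order, flagging TLS use per hop."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its own header, so reverse for delivery order.
    for value in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if not match:
            continue  # local submissions may omit "from" or "with"
        sender, receiver, proto = match.groups()
        proto = proto.rstrip(";").upper()
        hops.append({"from": sender, "by": receiver,
                     "protocol": proto, "tls": proto in TLS_PROTOCOLS})
    return hops


def cleartext_hops(raw_message):
    """Hops where the receiving server recorded no TLS for the transfer."""
    return [hop for hop in trace_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        state = "TLS" if hop["tls"] else "cleartext"
        print(f'{hop["from"]} -> {hop["by"]}: {hop["protocol"]} ({state})')
```

Received headers written by servers outside your control can be altered or forged, so treat the result as evidence only for the hops your own infrastructure recorded.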
The cost of a single breach
The ICO has been notably willing to fine professional service firms for poor data handling. A relatively small breach - for example, sending a client's tax return to the wrong recipient through autocomplete - typically results in a mandatory ICO notification within 72 hours, an internal investigation, professional indemnity notification, and a written explanation to the affected client.
Direct costs run from £2,000 to £15,000 for a small incident, before any fine. A material breach involving multiple clients can easily reach six figures including ICO penalties, PI excess, remediation and lost clients. The IBM Cost of a Data Breach Report consistently puts the average professional services breach at over £3 million globally, with the majority of incidents originating in email or misconfigured cloud storage.
The hidden productivity cost of email-based document exchange
Even setting security aside, email is a poor file exchange tool. Documents are scattered across inboxes, version control collapses the moment a client replies with "updated", and onboarding a new team member to a client requires forwarding chains of historical email. A 2024 Wiseman Group study of mid-sized UK accounting firms found that staff spent 4.2 hours per fee earner per week searching for, forwarding or re-requesting documents that already existed somewhere in the email system.
For a 12-person firm at £85 charge-out per hour, that is roughly £225,000 a year of fee-earner time spent on document logistics that a portal eliminates.
What secure file exchange actually provides
In practice, a secure file exchange portal provides:
- End-to-end encrypted upload and download - documents are never decrypted in transit or in transient storage
- Granular access control - only named users on both sides can see each document
- Auditable history - every view, download and message is timestamped and attributed
- Retention policy enforcement - documents auto-archive or auto-delete per firm policy
- No mailbox sprawl - documents live against the client record, not in a dozen inboxes
- Mobile access without the security trade-offs of consumer email apps
Cost comparison, honestly
Standalone secure file exchange tools run from roughly £8 to £25 per user per month. Bundled into a practice-management platform, the marginal cost is typically nil because the portal is included in the base subscription. For a 10-person firm, the all-in cost of secure file exchange via a bundled portal is usually less than £2 per fee earner per month, compared with the standalone tool - and dramatically less than the cost of a single breach excess.
Regulatory expectation is no longer ambiguous
The ICO's guidance on professional services data handling has become explicit over the past three years. The expectation is that personal and financial data is exchanged through controlled channels with access logging, encryption in transit and at rest, and a documented retention policy. Email with TLS in transit alone does not meet this standard for sensitive document categories. In a post-breach investigation, an ICO casework officer will ask whether a secure alternative was available and not used. If yes, that materially worsens the firm's position.
Migration is shorter than firms expect
The typical objection - "our clients will not accept it" - does not survive contact with reality. When a firm enforces portal-only document exchange for new engagements and migrates the existing book over 90 days, complaint rates run below 2 percent and resolve quickly with a brief explanation of why. The firms that struggle are the ones that offer the portal as optional, because the path of least resistance for staff is still email.
Where Accupe fits
Accupe is the practice-management layer that includes secure file exchange, encrypted messaging, e-signatures and a branded client portal as part of the same workflow your team uses for jobs, deadlines and compliance. Documents land against the client record automatically, retention is enforced centrally, and the audit log is one click away when the supervisor or the ICO asks for it.
Closing
The comparison is not close. Email is cheaper to start with and meaningfully more expensive within 12 months once productivity loss, breach exposure and audit risk are accounted for. Secure file exchange is no longer a nice-to-have for professional firms - it is the baseline, and the regulators have made that explicit.