Every day in India, business owners forward bank login credentials to their CAs on WhatsApp. Bank passwords travel in family groups. GST portal credentials are shared with office staff on Telegram. CA firms store client passwords in Excel sheets.
This is not a workflow problem. This is a systemic failure in how Indian businesses manage financial access. And it puts everyone at risk — the business, the CA, and the staff.
Why Credential Sharing Is So Common in India
The practice exists because the alternatives have been worse.
The CA Needs Access
Your CA needs to:
- Download bank statements for reconciliation
- File GST returns on the GST portal
- Check TDS compliance on the TRACES portal
- Access Tally or accounting software for bookkeeping
None of these systems were designed for multi-party access. So the only option is to share your login.
The Business Owner Is Busy
Small business owners do not have time to:
- Log into the GST portal and navigate its interface
- Download bank statements in the right format
- Forward the right documents at the right time
It is easier to share the password and let the CA handle it.
The Tools Encourage It
Tally, the most widely used accounting software in India, runs on a single desktop. Access means being at that computer, or sharing the login remotely. There is no concept of “invite your CA with limited access.”
The Risks You Are Taking
1. Financial Fraud
If your bank credentials are compromised — whether through a leaked WhatsApp message, a stolen phone, or a malicious actor — the fraudster has full access to your money. No bank will compensate you for losses when you voluntarily shared your credentials.
RBI’s official position: Never share your OTP, PIN, or password with anyone. This includes your CA.
2. Untraceable Actions
When three people share one login, you cannot determine who did what. Did the CA file the GST return, or did the office assistant? Was the payment authorized by the owner, or was it made by mistake?
Without individual access logs, there is no accountability.
3. Compliance Violations
Sharing GST portal credentials violates the terms of service. If the GST department audits your filings and discovers unauthorized access, it can create complications — especially if there are errors in the returns.
4. Data Leaks
End-to-end encryption does not keep a WhatsApp message secure when:
- Someone takes a screenshot
- The message is forwarded to another chat
- The phone is lost or stolen
- WhatsApp backups are stored on Google Drive without encryption
Your bank credentials, once sent on WhatsApp, exist in multiple places permanently.
5. Professional Liability for CAs
CA firms that store client credentials are exposed to professional liability. If a client’s bank account is compromised, the CA could be held responsible — even if they did not commit the fraud.
What Proper Financial Access Looks Like
The solution is not “be more careful with passwords.” The solution is structural: role-based access with audit trails.
How It Should Work
For Business Owners:
- Full access to your own financial data
- Ability to invite your CA with specific, limited permissions
- Power to revoke access at any time
- Visibility into every action your CA takes on your behalf
For CAs:
- Access to client books, bank data, and GST returns through their own login
- No need for client bank passwords
- Ability to reconcile, categorize, and file — within defined permissions
- Their own actions logged under their name
For Staff:
- Limited access to specific functions (create invoices, view reports)
- No access to bank details or tax filing
- All actions tracked
The Audit Trail
Every action must be logged with:
- Who performed the action (specific person, not shared login)
- When it was performed (timestamp)
- What was done (created invoice, filed return, modified entry)
- From where (UI, API, CLI)
This is not a nice-to-have. For businesses above a certain scale, it is a compliance requirement. And for CA firms managing multiple clients, it is the only way to maintain professional standards.
The Access Control Model
Roles That Make Sense
| Role | Can Do | Cannot Do |
|---|---|---|
| Owner | Everything | — |
| CA / Accountant | View books, file returns, reconcile, generate reports | Modify business settings, add/remove users |
| Data Entry | Create invoices, record payments | File returns, view bank details, modify past entries |
| Viewer | View reports and dashboards | Create or modify anything |
Permissions Should Be Granular
“Read-only access” is too broad. Your CA needs to file GST returns and reconcile bank statements — they do not need to see your personal expenses. Staff who create invoices should not see profitability reports.
Proper access control means granting the minimum permissions needed for each person to do their job.
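The roles table and audit-trail fields above, as an added example (not Hisaabo's or any portal's code): a deny-by-default permission check where every attempt, allowed or denied, is logged under an individual login. The class name, permission names and email addresses are assumptions made for illustration.

```python
from datetime import datetime, timezone
# Roles follow the table above; the permission names are illustrative assumptions.
ROLE_PERMISSIONS = {
    "owner": {"*"},
    "accountant": {"books.view", "returns.file", "bank.reconcile", "reports.generate"},
    "data_entry": {"invoice.create", "payment.record"},
    "viewer": {"reports.view"},
}

class Business:  # hypothetical class, one instance per business
    def __init__(self, owner):
        self.members = {owner: "owner"}  # user id -> role, never a shared login
        self.audit_log = []

    def perform(self, user, permission, source, detail=""):  # deny by default
        granted = ROLE_PERMISSIONS.get(self.members.get(user), set())
        ok = "*" in granted or permission in granted
        self.audit_log.append({  # logged whether allowed or denied
            "who": user,                                     # specific person
            "when": datetime.now(timezone.utc).isoformat(),  # timestamp
            "what": f"{permission} {detail}".strip(),        # what was attempted
            "from": source, "allowed": ok,                   # UI, API or CLI
        })
        return ok

    def invite(self, actor, user, role, source="UI"):
        ok = self.perform(actor, "users.manage", source, f"invite {user} as {role}")
        if ok:
            self.members[user] = role  # an unknown role name grants nothing
        return ok

    def revoke(self, actor, user, source="UI"):
        ok = self.perform(actor, "users.manage", source, f"revoke {user}")
        if ok:
            self.members.pop(user, None)
        return ok

def demo():  # constructed sample identities
    biz = Business("owner@shop.example")
    biz.invite("owner@shop.example", "ca@firm.example", "accountant")
    biz.invite("owner@shop.example", "staff@shop.example", "data_entry")
    results = [
        biz.perform("ca@firm.example", "returns.file", "UI", "monthly GST return"),
        biz.perform("staff@shop.example", "returns.file", "API"),  # outside the role
        biz.perform("ca@firm.example", "users.manage", "UI"),      # CA cannot add users
    ]
    biz.revoke("owner@shop.example", "ca@firm.example")
    results.append(biz.perform("ca@firm.example", "books.view", "CLI"))  # after revocation
    return results, biz.audit_log
```

Denied attempts are logged too, so a weekly review of the log shows who tried something outside their role as well as who did what.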
How to Transition Away From Credential Sharing
Step 1: Audit Current Practices
List every system where credentials are shared:
- Bank portals
- GST portal
- Tally / accounting software
- TDS / TRACES portal
- Any other financial system
Step 2: Reset All Shared Credentials
Change passwords on every system where credentials were shared. This is uncomfortable but necessary.
Step 3: Set Up Proper Access
Use a system that supports role-based access. Invite your CA and staff with appropriate permissions. Each person gets their own login.
Step 4: Establish a Verification Routine
Review the audit log weekly. Ensure every action is attributable to a specific person. This builds the habit of accountability.
What This Looks Like with Hisaabo
In Hisaabo, financial access works as follows:
- You invite your CA with the “Accountant” role — they get their own login
- Your CA sees only what they need — books, reports, GST data. Not your personal settings.
- Every action is logged — you see exactly what your CA did, when, and through which interface
- No passwords shared — your bank credentials stay with you
- Revoke access anytime — if you switch CAs, one click removes their access
Your CA can reconcile bank statements, file GST returns, and manage your books — all without ever seeing your bank password. This is how professional financial management should work.
Frequently Asked Questions
Is it really that dangerous to share bank credentials with my CA?
Yes. RBI explicitly warns against sharing credentials with anyone. If your account is compromised after sharing credentials, the bank is not liable for the loss.
What if my CA says they need direct bank access?
They need the data, not the access. Export bank statements as CSV and share the file. Or use a system where your CA can access the data through controlled permissions without needing your login.
Does this mean I cannot trust my CA?
Trust is not the issue — accountability is. Even with a trusted CA, a shared login means neither party can prove what happened if something goes wrong. Individual logins protect both the business and the CA.
What about the GST portal? It does not support multi-user access.
This is a limitation of the GST portal itself. The workaround is to file returns through your accounting system (which generates the correct data) rather than logging into the portal directly. Your CA files on your behalf using the data, not your login.
How is this different from sharing a Google Sheet?
Google Sheets track edits by user. Bank portals and accounting software that use shared logins do not. The difference is accountability.
If your financial workflow starts with forwarding a password on WhatsApp, it is time for an upgrade. Role-based access is not a luxury — it is the minimum standard for any business that takes its finances seriously.