Should Your Bookkeeper Have Access to Your Bank Account? (7 Rules for Safe View-Only Access)

Granting your bookkeeper access to your business bank account is appropriate, but it should be restricted to view-only or limited permissions, not full administrative access. The right access level allows your bookkeeper to reconcile transactions accurately and retrieve statements without gaining the ability to move funds, add payees, or change security settings. This guide covers the correct permission level, the 7 controls that keep access safe, and the actions that must stay outside your bookkeeper’s reach entirely.

 

What “Bank Access” Actually Means (Data vs Money Movement)

Bank account access splits into 2 distinct tiers, and confusing these 2 tiers is the source of most access governance mistakes.

Data access covers viewing transactions, downloading bank statements, and connecting bank feeds to accounting software. Transaction authority covers initiating payments, approving transfers, adding or editing payees, and changing security settings or user roles.

These tiers are separate permission levels, not a single on/off switch. CPA Canada’s internal controls guidance defines segregation of duties as separating the authorization, custody, and recording of transactions across different individuals, a principle that applies directly to bank access governance. A bookkeeper requires data access. Transaction authority belongs to the business owner or a designated authorized approver.

 

The Safest Access Level for a Bookkeeper

View-only or read-only access is the correct permission level for a bookkeeper; it provides everything required for reconciliation without enabling any money movement.

This follows the least-privilege principle: grant only the access rights a role specifically requires. The Canadian Centre for Cyber Security (CCCS) Baseline Cyber Security Controls recommends applying least-privilege access as a foundational control for all business systems, including online banking. Role-based access control, assigning permissions by function rather than by individual, is the implementation model that makes this scalable as your team grows.

A bookkeeper assigned view-only or limited-access user permissions can log transaction details, retrieve monthly statements, and match records. A bookkeeper assigned admin or full-access permissions can do all of that and can also transfer funds, change your login credentials, or lock you out of your own account.

 

Why Bookkeepers Request Bank Access (What It Enables)

Bookkeepers request bank access to perform bank reconciliation, matching every transaction in your accounting records against actual bank activity to catch errors, duplicates, and missing entries before they compound.

Read-only access lets your bookkeeper reconcile bank accounts in real time, without waiting for manually exported statements from you. Without direct access, reconciliation depends on the business owner forwarding statements, introducing delays and version-control risk. The Canada Revenue Agency’s record-keeping requirements state that businesses must keep records supporting all income and expense amounts reported; accurate, timely reconciliation is part of meeting that standard.

There are 3 practical benefits: real-time transaction accuracy, faster monthly close, and fewer corrections at year-end. Ensuring monthly reconciliations and an audit trail makes corporate tax filing more predictable and reduces year-end surprises.

 

Risks You’re Actually Trying to Avoid

Unrestricted bookkeeper bank access creates 4 specific risks, each preventable through the controls in the next section.

Unauthorized transfers. Full access includes payment initiation. A compromised account or a misuse of trust can result in funds being moved without the owner’s knowledge.

Fraudulent payee additions. Admin access allows new vendors or payees to be added. Payments directed to fraudulent destinations are a common small business fraud pattern flagged by the Canadian Anti-Fraud Centre.

Security setting changes. Full-access users can alter MFA settings, change passwords, or modify user roles, potentially locking the owner out entirely.

Account takeover through shared credentials. The CCCS Cyber Hygiene guidance identifies shared login credentials as a primary vector for unauthorized account access. Sharing your primary login with a bookkeeper removes the entire access governance layer.

 

7 Controls That Make Bookkeeper Access Safe

These 7 controls eliminate the vulnerabilities that make bookkeeper bank access risky, and each maps directly to one of the risk scenarios above.

| Risk | Control |
| --- | --- |
| Shared credential exposure | Separate sub-user profile, no shared login |
| Unauthorized login | MFA + device/session controls |
| Undetected fraudulent activity | Activity log/audit trail review |
| Missed suspicious transactions | Alerts and notifications on all activity |
| Unauthorized payments | Approval workflow + transaction limits |
| Single-person fund control | Dual authorization + segregation of duties |
| Lingering access after offboarding | Scheduled quarterly review + immediate revocation |

The CCCS Baseline Controls explicitly recommend MFA for all business banking systems. CPA Canada’s internal controls guidance identifies dual authorization, the maker–checker model, where one person creates a payment and a separate person approves it, as a key control for payment processing integrity. Both controls, MFA and dual authorization, apply regardless of business size.

 

Permission Matrix: Bookkeeper vs Accountant/CPA vs Financial Advisor

Data access is appropriate for bookkeepers and accountants. Money movement authority belongs exclusively to the business owner or a designated authorized approver.

| Permission | Bookkeeper | Accountant / CPA | Financial Advisor |
| --- | --- | --- | --- |
| View transactions | ✓ Required | ✓ Required | ✗ Not required |
| Download statements | ✓ Required | ✓ Required | ✗ Not required |
| Connect bank feed/data feed | ✓ Recommended | ✓ Acceptable | ✗ Not required |
| Initiate payments/transfers | ✗ Never | ✗ Not required | ✗ Never |
| Approve payments/transfers | ✗ Never | ✗ Not required | ✗ Never |
| Add or edit payees/vendors | ✗ Never | ✗ Not required | ✗ Never |
| Change security settings/user roles | ✗ Never | ✗ Not required | ✗ Never |

CRA T2 filing requirements confirm that accountants require complete transaction records and statements for year-end review and corporate tax preparation, not admin bank access. CPB Canada’s scope of bookkeeping practice establishes that bookkeepers record and classify transactions; signing authority is explicitly outside the bookkeeper’s role. Defining role boundaries helps you decide who needs which permissions and whether you need a bookkeeper or an accountant for your business.

 

How to Set Up Limited Bookkeeper Access (Practical Steps)

Limited bookkeeper access is configured through 3 tracks: bank-level user permissions, accounting software role-based access, or statement-only delivery.

Bank-Level Setup (7 Steps)

Bank-level limited access is configured by creating a separate sub-user profile, never modifying the primary account owner’s profile.

  1. Create a separate sub-user or secondary user profile for the bookkeeper
  2. Assign view-only or reporting permissions only to that profile
  3. Disable transfers, bill pay, and payee management on the sub-user profile
  4. Enable MFA and device/session controls for the sub-user login
  5. Confirm that the activity log and audit trail are visible to the account owner
  6. Set an approval workflow or dual authorization requirement if any payment access exists
  7. Schedule a quarterly access review; revoke access immediately when the engagement ends

These steps are bank-agnostic, and Canadian business banking platforms that support online banking user management provide sub-user profiles with configurable permission levels. Confirm sub-user availability with your bank before setup.
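The 7 steps above, expressed as an audit over an exported list of user profiles. This is an added example, not code from the original article or any bank's API: the field names, permission labels, and the 92-day reading of "quarterly" are assumptions, and the sample profiles are constructed.

```python
from datetime import date

# Hypothetical permission labels; a real bank export will use its own names.
PAYMENTS = {"initiate_payment", "approve_payment"}
MONEY_MOVEMENT = PAYMENTS | {"manage_payees", "change_security"}
REVIEW_INTERVAL_DAYS = 92  # assumed meaning of "quarterly" in step 7

def audit_profile(p, owner_login, today):
    """Return findings for one profile used by a bookkeeper."""
    if not p["active"]:
        return []  # revoked profiles grant nothing
    findings, perms = [], set(p["permissions"])
    if p["login"] == owner_login:                       # step 1
        findings.append("shared-login")
    excess = sorted(perms & MONEY_MOVEMENT)             # steps 2-3
    if excess:
        findings.append("excess-permissions:" + ",".join(excess))
    if not p["mfa_enabled"]:                            # step 4
        findings.append("mfa-disabled")
    if not p["activity_log_visible_to_owner"]:          # step 5
        findings.append("no-audit-trail")
    if perms & PAYMENTS and not p["dual_authorization"]:  # step 6 (conditional)
        findings.append("payments-without-dual-authorization")
    if p["engagement_end"] and p["engagement_end"] <= today:  # step 7
        findings.append("access-not-revoked")
    elif (today - p["last_review"]).days > REVIEW_INTERVAL_DAYS:
        findings.append("review-overdue")
    return findings

def audit_all(profiles, owner_login, today):
    return {p["login"]: audit_profile(p, owner_login, today) for p in profiles}

# Constructed sample data, not taken from any real account.
BASE = {"permissions": ["view_transactions", "download_statements"],
        "mfa_enabled": True, "activity_log_visible_to_owner": True,
        "dual_authorization": False, "last_review": date(2024, 5, 1),
        "engagement_end": None, "active": True}
PROFILES = [
    {**BASE, "login": "bookkeeper-sub"},
    {**BASE, "login": "owner-main", "mfa_enabled": False,
     "last_review": date(2024, 1, 10),
     "permissions": BASE["permissions"] + ["initiate_payment", "manage_payees"]},
    {**BASE, "login": "former-bookkeeper", "engagement_end": date(2024, 5, 31)},
]
TODAY = date(2024, 6, 15)  # constructed audit date

if __name__ == "__main__":
    for login, found in audit_all(PROFILES, "owner-main", TODAY).items():
        print(login, found or "OK")
```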

Software-Level Alternative (QuickBooks Online and Xero)

Accounting software role-based access is the recommended track for most Canadian small businesses. It keeps the bookkeeper working inside the accounting system rather than the bank portal, separating data access from bank portal access.

QuickBooks Online supports role-based user access with defined permission levels. The bookkeeper role provides transaction entry and reconciliation access without payment authority. Xero provides standard and advisor user roles with comparable permission scoping. Both platforms support bank feed connections; the bookkeeper accesses transaction data through the software, with no direct bank portal login required.

Statement-Only Alternative

Statement-only delivery gives the bookkeeper zero login access. The business owner exports monthly bank statements and delivers them through a secure channel: a client portal, encrypted email, or a shared drive with restricted access. A consistent file naming convention (e.g., BusinessName_BankStatement_YYYY-MM) and defined storage location create the audit trail without any system access. This track suits businesses with lower transaction volumes or owners who prefer maximum control.

 

What a Bookkeeper Should Not Be Able to Do

A bookkeeper’s authority ends at recording and classifying transactions; 5 actions must remain outside their access at all times.

A bookkeeper should not be able to: initiate or approve fund transfers, move money between accounts, add or edit payees and vendors, change security settings or user roles, or hold any form of signing authority over the business account.

CPB Canada’s scope of bookkeeping practice is explicit: bookkeepers record and classify financial transactions. Signing authority, the legal right to authorize fund movement, is excluded from the bookkeeper’s defined role. CPA Canada’s internal controls guidance reinforces this: payment initiation and approval require the owner or an authorized signatory, not a service provider with data access.

 

Does an Accountant Need Access or Just Bank Statements?

An accountant or CPA needs transaction history and bank statements for year-end review and T2 preparation, not admin access to your bank account.

Exported statements, accounting software access, or a bank feed connection through QuickBooks Online or Xero satisfy the accountant’s data requirements completely. CRA T2 filing requirements confirm that complete transaction records are required for corporate tax preparation; the format of delivery (portal, software, export) is not prescribed. Admin bank access adds no value to the accountant’s work and introduces unnecessary risk.

 

Should a Financial Advisor Have Access to Your Bank Account?

A financial advisor does not require access to your business bank account for standard advisory engagements; their role is planning and guidance, not transaction management.

CIRO’s investor resources define the advisory mandate as planning, recommendation, and portfolio oversight; day-to-day banking access falls outside this scope. CPA Canada’s internal controls guidance establishes that each external service provider’s access must be scoped to the minimum required by their defined function. For a financial advisor, that function does not include transaction management. Read-only reporting access applies in specific advisory relationships only when engagement terms explicitly document it for cash flow analysis purposes, a defined exception, not a default permission.

 

FAQs

Is it normal for your accountant to have access to your bank account?

It is normal for an accountant to have read-only or data-level access to your business bank account, typically through accounting software or exported statements rather than direct bank portal admin access. Accountants reviewing transactions for year-end or T2 preparation need the data, not the ability to move funds.

Does my accountant need to see my bank statements?

Yes, your accountant needs bank statements and transaction history to prepare accurate financial statements and file your T2 corporate return. The CRA requires that all income and expense amounts reported be supported by complete records. Statements can be delivered through accounting software, a secure portal, or direct export; admin bank access is not required.

What can a bookkeeper not do?

A bookkeeper cannot initiate transfers, approve payments, add payees, change security settings, or hold signing authority over your business bank account. CPB Canada defines the bookkeeper’s role as recording and classifying transactions; fund movement authority is explicitly outside that scope.

Should my financial advisor have access to my bank account?

A financial advisor does not require access to your business bank account for standard engagements. Advisory services cover planning and guidance; transaction management is not part of the role. Read-only reporting access applies only when engagement terms explicitly document it, as an exception, not a default.

 

Why This Matters for Year-End and Corporate Tax Filing

Clean, consistent bank reconciliations reduce year-end surprises and improve readiness for corporate tax filing. The CRA’s record-keeping requirements establish that all income and expense amounts reported on a T2 return must be supported by complete, organized records; reconciled monthly books satisfy this requirement directly.

Ensuring monthly reconciliations and a complete audit trail makes corporate tax filing more predictable; every transaction is documented, categorized, and matched before year-end review begins. Maintaining accurate books reduces delays that can cascade into late filing penalties with the CRA.

An access governance setup combined with monthly bookkeeping and a year-end readiness review gives you a documented, CRA-ready financial record without handing over control of your accounts. Review your bookkeeper’s current access level and reconciliation process if either needs structure.
