Walk through the trading floor of a major investment bank and you will find algorithmic systems executing thousands of transactions per second. Walk into the back office of a regional mortgage lender and you will find, somewhere, a fax machine — or a cloud fax platform — actively processing loan documents, lender verifications, and compliance disclosures. The contradiction is not an accident. Financial services occupies a unique position in the fax landscape: it is simultaneously one of the most technologically advanced industries and one of the most fax-dependent. The reason is compliance.

The Gramm-Leach-Bliley Act (GLBA), the Financial Industry Regulatory Authority (FINRA) rules, Securities and Exchange Commission (SEC) recordkeeping requirements, and a web of state-level financial privacy regulations all govern how sensitive consumer financial data can be transmitted, stored, and audited. For institutions navigating those requirements, fax’s native combination of point-to-point transmission, delivery confirmation, and tamper-resistant record-keeping addresses compliance needs that email and cloud file-sharing have not fully replaced.

Who in Financial Services Still Uses Fax — and Why

The breadth of GLBA coverage surprises many people. The law applies to any entity “significantly engaged” in financial activities — a definition that extends well beyond banks and credit unions to cover a wide range of businesses most people would not immediately identify as financial institutions:

Banks & credit unions
Mortgage lenders & brokers
Insurance companies
Investment advisors
Securities brokers & dealers
Debt collectors
Payday & consumer lenders
Tax preparation firms
Auto dealers offering financing
Wire transfer services
Credit counseling agencies
Real estate settlement providers

Every one of these entities handles nonpublic personal information (NPI) — social security numbers, account numbers, credit histories, loan applications, income documentation — that GLBA requires to be transmitted through secure, auditable channels. Fax satisfies those requirements in ways that straightforward email does not, particularly for time-sensitive documents where proof of delivery has legal or regulatory significance.

The GLBA Compliance Case for Fax

GLBA’s Safeguards Rule does not mandate fax specifically. What it mandates is that financial institutions implement a written information security program and take reasonable steps to protect nonpublic personal information from unauthorized access or disclosure during transmission. In practice, many institutions have determined that fax — particularly encrypted cloud fax — satisfies that standard more cleanly than email for certain document types.

The reasoning is straightforward: a fax transmission is point-to-point. The document travels directly from the sender’s fax system to the recipient’s fax number without being stored on intermediate mail servers, without routing through cloud infrastructure outside either party’s control, and without the interception risks associated with email. Unlike an email containing a loan application or a client’s account statement, a faxed document does not sit in a third-party server queue waiting for delivery. It is transmitted and received in a controlled, logged transaction.

GLBA violation penalties
$100,000+
Per-violation civil penalty for GLBA non-compliance — with criminal penalties of up to $10,000 per violation and imprisonment for individuals who knowingly violate the Act. Penalties accumulate per violation, so a breach affecting thousands of customers creates substantial regulatory exposure.

The GLBA Safeguards Rule was significantly updated in 2023, adding specific technical requirements for encryption, multi-factor authentication, penetration testing, and access controls. These requirements apply to cloud fax platforms used by financial institutions — which means that any fax service handling NPI on behalf of a covered entity must meet the same security standards as any other vendor in that institution’s technology stack. Institutions that use a consumer-grade or unencrypted fax service to transmit client financial data are not in compliance with the Safeguards Rule, regardless of how the document gets to its destination.

What Financial Documents Are Still Transmitted by Fax

The types of financial documents that regularly move by fax reveal the specific compliance and workflow reasons each one persists:

Mortgage and lending documentation

Loan officers, underwriters, and mortgage brokers exchange some of the most sensitive consumer data in the financial system — credit reports, tax returns, pay stubs, bank statements, social security numbers. The mortgage origination process involves multiple parties: the borrower, the originating lender, the underwriter, the title company, the appraisal firm, and often a secondary market investor. These parties do not always share the same technology platforms, and fax remains the universal fallback that works across all of them regardless of system compatibility. Time-sensitive steps in the mortgage process — rate lock confirmations, appraisal orders, closing disclosure acknowledgments — often move by fax because the delivery confirmation establishes the precise timestamp needed for regulatory and contractual purposes.

Insurance claims and underwriting

Insurance companies operate across a complex web of agents, brokers, adjusters, medical providers, and legal firms. Claims documentation, underwriting submissions, policy endorsements, and medical records in support of claims all flow through this network — and fax remains embedded in it for the same reasons it persists in healthcare: the receiving parties’ intake systems were built around fax, and replacing that infrastructure takes years. For personal injury claims that involve both legal and medical documentation, fax is often the only channel that reaches all parties simultaneously without compatibility issues.

$4.9M
Average cost of a financial services data breach in 2024 — making encrypted, auditable fax transmission a practical risk management tool, not just a legacy habit.

Brokerage and investment compliance

FINRA and SEC regulations impose strict recordkeeping requirements on broker-dealers and investment advisors. Every client communication that relates to investment recommendations, account changes, or trade confirmations must be captured, stored, and retrievable for examination. Fax communications are treated as business records under FINRA Rule 4511 and SEC Rule 17a-4, and many firms maintain fax as part of their compliant communication infrastructure specifically because the confirmation logs integrate directly with their records retention systems. For time-sensitive disclosures with regulatory deadlines — prospectus delivery, options risk disclosure, margin call notifications — the timestamped fax confirmation provides an audit-ready record that firms can produce in an examination without reconstruction.

Bank-to-bank and institution-to-regulator correspondence

Federal and state banking regulators — the OCC, FDIC, Federal Reserve, and state banking departments — maintain fax lines for official correspondence with the institutions they supervise. Examination requests, corrective action responses, suspicious activity report follow-ups, and formal communications between institutions and their regulators frequently move through fax channels because the regulatory bodies’ intake systems expect it. Banks cannot unilaterally decide to stop faxing their regulator; the regulator’s process governs.

The Transition Financial Institutions Are Making

The direction of travel in financial services fax is clear: away from physical machines, toward cloud fax infrastructure. The GLBA Safeguards Rule’s 2023 updates accelerated this transition by requiring financial institutions to formally document and secure every system that handles NPI — including fax. Physical fax machines and the analog phone lines they run on create compliance gaps that are increasingly difficult to close. There is no encryption on an analog fax line. There is no centralized audit log. There is no access control. A physical fax machine in an office is a compliance liability under the current Safeguards Rule framework.

Cloud fax platforms close those gaps. Transmissions are encrypted in transit and at rest. Every fax is logged with sender, recipient, timestamp, page count, and delivery status. Access controls limit who can send and receive documents. The audit trail is centralized, searchable, and producible for regulatory examination. For financial institutions managing GLBA compliance programs, cloud fax is not just a modernization option — it is the compliant infrastructure path.

Send financial documents securely for $2.99 Encrypted transmission, timestamped delivery confirmation, no hardware required.
Send a fax for $2.99

What Financial Professionals Should Look for in a Fax Service

Not every online fax service meets the standards required for financial services use. Under GLBA’s Safeguards Rule, any vendor that accesses, processes, or transmits NPI on behalf of a covered institution must be assessed and contracted to maintain appropriate security safeguards. The evaluation criteria that matter for financial services fax are:

  • 256-bit AES encryption in transit and at rest — the minimum standard for protecting NPI during transmission and storage under the Safeguards Rule
  • Complete audit trails — every transmission must be logged with sender identity, recipient number, timestamp, page count, and delivery status for records retention and regulatory examination purposes
  • No third-party retention of transmitted documents — for firms with strict data minimization obligations, the fax service should not retain copies of transmitted documents beyond what the institution controls
  • SOC 2 Type II compliance — the leading independent certification that a service provider’s security controls meet professional standards; required by many financial institutions as a vendor baseline
  • Multi-factor authentication — the Safeguards Rule specifically requires MFA for any system accessing customer information; any fax platform used by a covered institution must support it
  • Contractual security commitments — GLBA requires covered institutions to contractually require their service providers to maintain appropriate safeguards; the fax vendor must be willing to sign those commitments

The Bottom Line for Financial Services

Financial services institutions fax because compliance requires it — and because the audit trail fax provides is genuinely valuable in an industry where regulators, counterparties, and courts all ask the same question: can you prove what you sent, to whom, and when? Fax answers that question natively. Email does not, at least not without additional infrastructure.

The shift happening in 2026 is not away from faxing in financial services — it is away from the hardware. Physical fax machines create compliance gaps under GLBA’s updated Safeguards Rule that cloud fax eliminates. Institutions that have not yet evaluated their fax infrastructure as part of their information security program are behind the compliance curve. Those that have made the transition to encrypted cloud fax are better positioned for examinations, better protected against breach liability, and operating at lower cost than those maintaining analog phone lines and aging hardware.

For financial professionals who need to send a fax securely today — a loan document, an insurance claim, a client disclosure — SendAFaxNow.com delivers it with encrypted transmission and timestamped confirmation for $2.99, from any device, with no hardware or subscription required.