Regulated firms using Salesforce Financial Services Cloud (FSC) must take special care with respect to email compliance as part of the “books and records” requirements of the Securities Exchange Act (SEA). Because FSC can send, receive, and store email communication about clients’ financial accounts, it is essential to deliberately plan your compliance strategy for Salesforce. This blog post will examine the various decision points and considerations when using Salesforce’s email functionality.
Sending Email in Salesforce
The first decision point when formulating your email compliance strategy should be whether you will allow your users to send emails while logged into Salesforce. When making this decision it is crucial to understand that you are adding another application that you will need to support for archiving and compliance. Your company may already have an existing information security policy for 3rd party applications to send email. Since Salesforce has email functionality automatically enabled, it is important to formulate and execute your compliance strategy before granting end-users access to Salesforce.
Although Salesforce can be used to store and bring together customer touchpoints to provide a 360-degree customer view, it should never be used as an archival solution. To that end, Salesforce offers the Compliance BCC Email capability to automatically copy each outgoing email to a designated compliance email address provided by your email archival system. A few email compliance solutions we’ve seen clients use in combination with Salesforce include Barracuda, Smarsh, and Mimecast.

Another core consideration when emailing from Salesforce is whether you will have Salesforce’s email server send the emails, or if you will have Salesforce relay the email to your email server to send them. Some companies prefer the relay option because they have already configured email compliance for all emails sent by their server, and this enables 3rd party application compliance to be managed in a more centralized manner.
If you decide to utilize email relay make sure to turn on Send through External Email Services in the setup menu in Salesforce. When the user sends their first email to a Lead or Person Account, they will be prompted to connect their Gmail or Microsoft account to Salesforce. Any emails sent from Salesforce will then be routed through your email server.

Important Note: If you enable Send through External Email Services, the end-user can change their sending settings in their personal settings within Salesforce. In case an email is inadvertently sent via Salesforce’s email server, it is recommended to utilize Salesforce’s Compliance BCC Email feature as a failsafe.
Sending Email with Salesforce Inbox
Users leveraging Salesforce Inbox (a paid email add-on) will automatically have their emails relayed by Salesforce when sending from Salesforce or via the Salesforce Inbox mobile app.

Users cannot change their email settings to send through Salesforce’s email server when using Salesforce Inbox. This makes Inbox a strong email option for companies in financial services using Salesforce.
Emails sent through external services or Inbox will show up in the sent folder of the user’s mailbox, so if the person replies you have the full thread history. If you have a different type of email server, you can configure email relay instead in the Setup menu. Make sure that you utilize TLS so that the email is forwarded from Salesforce to your server in a secure manner.
Receiving Emails in Salesforce
Salesforce has the ability to receive inbound emails via Email-to-Case and Apex Email Services. Both features generate an email address that Salesforce uses to receive incoming emails, but neither option utilizes the Compliance BCC Email feature Salesforce offers. Typically, an email alias is set up (e.g. support@yourcompany.com) and configured to forward to Salesforce’s service address (e.g. 12345@yourcompany.force.com). The email alias is then published to customers. As a result, it is recommended to configure email archival for inbound emails at the server level for your email alias, and to not publish your Salesforce service address.
Visibility of Emails in Salesforce
While logging emails to Salesforce is not an archival risk, it still exposes firms to compliance risk. For example, personal information such as a social security number, banking details, or account passwords may be sent by the client via an unencrypted email, even if not requested. If your users’ emails are automatically logged to Salesforce via Einstein Activity Capture, then sensitive information could be inadvertently exposed to everyone with Salesforce access. Note that if you have email logging turned on with Einstein Activity Capture, all emails are logged to Salesforce if a match for that person’s email address is found (and not excluded via the domain filter setting). While you cannot delete a single email via Einstein Activity Capture, you can control which emails are shared to Salesforce. You can also log a request with Salesforce to delete all emails for a person.
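For the inbound path described above (Apex Email Services receive mail without the Compliance BCC Email feature) and the visibility concern just raised, here is an added example, written for this post and not code from ShellBlack or Salesforce, of an Apex Email Service handler that logs each inbound message to Salesforce as a Task while masking SSN-like and card-like numbers in the copy stored in Salesforce. It assumes the original message is archived at the mail server (as the post recommends), that the class is registered as an Email Service in Setup, and the class name, the redact helper and the two patterns are our own illustrative choices.

```apex
// Added example: inbound email handler that keeps sensitive values out of the
// Salesforce copy. Assumption: the full original is archived at the mail server.
global class ComplianceInboundEmailHandler implements Messaging.InboundEmailHandler {

    // Illustrative patterns only (assumption): not an exhaustive DLP ruleset.
    private static final Pattern SSN  = Pattern.compile('\\b\\d{3}-\\d{2}-\\d{4}\\b');
    private static final Pattern CARD = Pattern.compile('\\b(?:\\d[ -]?){13,16}\\b');

    // Replace matches with a fixed marker; the original text lives only in the archive.
    public static String redact(String body) {
        if (String.isBlank(body)) return body;
        String out = SSN.matcher(body).replaceAll('[REDACTED-SSN]');
        return CARD.matcher(out).replaceAll('[REDACTED-CARD]');
    }

    global Messaging.InboundEmailResult handleInboundEmail(
            Messaging.InboundEmail email, Messaging.InboundEnvelope envelope) {
        Messaging.InboundEmailResult result = new Messaging.InboundEmailResult();

        // Match the sender to an existing Contact by email address.
        List<Contact> senders = [SELECT Id FROM Contact
                                 WHERE Email = :email.fromAddress LIMIT 1];

        String redacted = redact(email.plainTextBody);
        Boolean wasRedacted = redacted != email.plainTextBody;
        String subject = String.isBlank(email.subject) ? '(no subject)' : email.subject;

        // Log only the masked body; attachments are deliberately not stored in Salesforce.
        Task logged = new Task(
            Subject = ((wasRedacted ? '[Sensitive data masked] ' : '') + 'Email: ' + subject).left(255),
            Description = redacted == null ? null : redacted.left(32000),
            Status = 'Completed',
            Priority = 'Normal',
            WhoId = senders.isEmpty() ? null : senders[0].Id
        );
        insert logged;

        result.success = true;
        return result;
    }
}
```

Because the masked Task is what users with Salesforce access see, the archive copy at the mail server remains the authoritative record for books-and-records purposes.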

Another option to log emails to Salesforce is to do so on a one-off basis to ensure no sensitive information makes it into Salesforce. Users can utilize the Salesforce side panel available in either Chrome (Gmail) or Outlook (Office 365/Exchange) to log emails.

Removing Email Capabilities in Salesforce
If you opt to not allow users to send emails from Salesforce, there are a few settings you need to update. In the Setup menu under Deliverability, you can change the Access Level to No Access or System Email Only. No Access means that even system emails such as those generated by Workflow Rules, Process Builder, Flow, or Apex will not be sent. This includes email notifications to internal users such as Chatter mentions, Task and Lead assignment notifications, and new user and password reset emails. Note that when you change the Deliverability settings, this disables all Lightning email actions and Classic email quick actions. Although you won’t be able to email directly in Salesforce, you may still consider enabling email logging so that key customer interactions are tracked within Salesforce.
In conclusion, when implementing Salesforce and add-ons like Inbox or Einstein Activity Capture, be sure you go back and review your email compliance requirements. If you are working with a Salesforce consulting partner, like ShellBlack, communicate your requirements early so they can formulate a strategy tailored to your specific compliance needs.
Author Credit: Paul Fischer is a Senior Consultant at ShellBlack. He is a certified Salesforce Application Architect and is passionate about Salesforce Financial Services Cloud and Pardot.