Where information is requested from external resources (users not having logins to Enate) then there is no need to model this request in the flow. The way to think about the workflow is from the perspective of the resource communicating with the external contact. Their activity is to GAIN approval, or GET additional info.
In this example, there is no need to model the “exceptional” flow. The user should validate the paperwork and that might entail getting additional information from a third party.
This, again, simplifies how the process is mapped. It also defines the process from an operational point-of-view. If someone is responsible for gaining information from an external party then the responsibility is on them, not the external party.