
FTC Safeguards Rule for Tax Preparers: 2026 Compliance Guide

Learn how the FTC Safeguards Rule (16 CFR Part 314) applies to tax preparers. Avoid $50,120 penalties per violation with our 2026 compliance guide.

By Bellator Cyber Guard

What the FTC Safeguards Rule Means for Tax Preparers

The Federal Trade Commission's Safeguards Rule, codified at 16 CFR Part 314, imposes legally binding data security requirements on tax preparers, Certified Public Accountants (CPAs), bookkeepers, and any firm significantly engaged in providing financial services. Enacted under the Gramm-Leach-Bliley Act (GLBA), the updated FTC Safeguards Rule took full effect on June 9, 2023, closing a long-standing gap in which many small tax practices operated without a formal information security program.

If your firm prepares federal or state tax returns, manages payroll, or provides financial planning services, you are almost certainly a "financial institution" under this rule—and the compliance requirements are specific, enforceable, and tied to significant civil penalties. The Federal Trade Commission has made clear that tax preparers fall within the rule's definition of a covered financial institution, and enforcement activity against non-compliant firms has increased since the expanded requirements took effect.

For tax professionals already familiar with IRS Publication 4557 and its Written Information Security Plan (WISP) requirement, the FTC Safeguards Rule adds another enforceable layer on top of IRS guidance. Where the IRS can revoke your Electronic Filing Identification Number (EFIN), the FTC can impose civil monetary penalties per violation. Together, these two regulatory frameworks create a strong compliance imperative that every tax preparer must address proactively.

FTC Safeguards Rule: Key Numbers for Tax Preparers

  • $50,120 per-violation civil penalty: 2025 FTC-adjusted maximum per Safeguards Rule violation
  • $43,792 per day under consent order: daily penalty for ongoing violations under an FTC consent order
  • $4.88M average data breach cost: IBM Cost of a Data Breach Report 2025
  • 277 days average breach detection time: average time from breach to containment, IBM 2025

Does the FTC Safeguards Rule Apply to Your Tax Practice?

One of the most common misconceptions among independent tax preparers and small CPA firms is that the FTC Safeguards Rule only targets large financial institutions like banks and insurance companies. The rule's definition of "financial institution" under GLBA Section 6809(3) is deliberately broad: it includes any business significantly engaged in financial activities, which the FTC has specifically confirmed encompasses tax preparation services.

The following business types are covered under the FTC Safeguards Rule for tax preparers:

  • Individual tax preparers holding a Preparer Tax Identification Number (PTIN) who prepare returns for compensation
  • CPA firms and accounting practices of any size, including sole proprietorships
  • Enrolled Agents (EAs) representing taxpayers before the IRS
  • Bookkeeping services that handle payroll or financial record preparation
  • Financial planning firms that also prepare tax returns as part of their service offering
  • Tax software facilitators who collect consumer financial data as part of the return preparation process

The determining factor is not your firm's size but whether you collect, store, or process "customer financial information"—a term the FTC defines to include Social Security Numbers, income data, bank account details, and any other nonpublic personal information obtained in connection with providing a financial service. Because virtually every tax return contains this type of data, the FTC Safeguards Rule's applicability to tax preparers is effectively universal among paid preparers.

If your practice operates exclusively through a volunteer program like VITA or TCE and you do not charge for services, you may not qualify as a covered financial institution under the rule. However, reviewing your specific situation with a compliance advisor before assuming any exemption applies is the prudent course of action—the FTC's enforcement posture has signaled a broad reading of who qualifies as a covered financial institution.

The 9 Elements of an FTC-Compliant Information Security Program

Designated Qualified Individual

Appoint a Qualified Individual (QI) responsible for overseeing your information security program. For small practices, the owner can serve in this role after completing appropriate security training.

Written Risk Assessment

Conduct and document a risk assessment identifying threats to the confidentiality, integrity, and availability of customer information across all systems, processes, and physical locations.

Risk-Based Safeguards

Implement technical, physical, and administrative safeguards calibrated to your identified risks. These must be reviewed and updated as your risk environment changes over time.

Service Provider Oversight

Select vendors that maintain appropriate safeguards and require contractual provisions mandating those protections. Periodically assess your service providers' security posture.

Access Controls & MFA

Limit access to customer data to authorized users only. Implement Multi-Factor Authentication (MFA) for all systems that access or store covered customer information.

Encryption Standards

Encrypt all customer information in transit and at rest using current industry standards—AES-256 for stored data and TLS 1.2 or higher for all data transmissions.

Monitoring & Testing

Continuously monitor your systems and periodically test the effectiveness of your safeguards. Firms above 5,000 records must conduct annual penetration testing by an independent third party.

Employee Security Training

Implement a security awareness training program for all personnel with access to customer data. Update training content to reflect current threats, especially during tax season.

Written Incident Response Plan

Develop and maintain a written incident response plan addressing containment, assessment, notification, remediation, and post-incident evaluation procedures.

Breaking Down the Nine Required Elements

The updated FTC Safeguards Rule expanded from a general principles-based framework to one with specific, measurable requirements. Understanding what each element demands in practice—particularly for tax preparers running lean operations—is essential for building a compliant program without over-engineering your security posture.

Qualified Individual and Leadership Reporting

Your Qualified Individual does not need to hold a specific certification but must have the knowledge and authority to implement and manage your information security program effectively. For firms with fewer than 5,000 customer records, a business owner who has completed security training can serve as the QI. Firms above the 5,000-record threshold must also submit written reports to their board of directors (or equivalent senior leadership) at least annually, covering program status, risk assessment findings, and material changes to the security environment.

Risk Assessment Requirements

Your written risk assessment must identify reasonably foreseeable internal and external threats to your customer data, evaluate the likelihood and potential damage of each identified threat, and assess the sufficiency of your existing safeguards. For tax preparers, high-priority threats typically include phishing attacks targeting tax professionals, credential stuffing against tax software portals, and ransomware targeting client file repositories. The assessment must be updated whenever material changes occur to your business operations or threat environment. Per NIST SP 800-171 Rev. 3, effective risk assessments account for threat frequency, vulnerability severity, and the potential impact on affected individuals.

Access Controls and Multi-Factor Authentication

The FTC Safeguards Rule mandates Multi-Factor Authentication (MFA) for any individual accessing customer information systems from outside your internal network. For any user accessing systems containing covered data regardless of location, MFA is required unless you have documented equivalent compensating controls approved by your Qualified Individual. For tax preparers using cloud-based tax preparation platforms, this requirement effectively mandates MFA across your entire workflow. See our guide on implementing two-factor authentication for tax professionals for step-by-step setup instructions.

The 5,000-Record Threshold: Additional Obligations

Tax preparers who maintain customer information on more than 5,000 individuals face two additional obligations beyond the baseline nine elements: annual penetration testing by a qualified independent third party, and biannual vulnerability assessments of all systems that process or store covered customer information. Many mid-size tax practices reach this threshold faster than expected—a firm that has operated for five years and retains prior-year client records for audit defense purposes can easily accumulate records for tens of thousands of individuals. See our guide to penetration testing to understand what a qualifying independent assessment involves and how to select a qualified vendor to perform it.

How to Build an FTC Safeguards Rule-Compliant Program for Your Tax Practice

1. Appoint Your Qualified Individual

Designate a Qualified Individual to own your information security program. Document this appointment in writing and define their responsibilities, authority, and reporting structure. For small firms, the principal can serve as QI after completing appropriate security training. For firms above 5,000 records, consider engaging a virtual Chief Information Security Officer (vCISO) to fulfill this role.

2. Inventory All Customer Data

Map every location where customer financial information is stored or processed—tax software databases, cloud storage, email archives, paper files, and portable devices. This inventory is foundational to your risk assessment and also determines whether you exceed the 5,000-record threshold that triggers additional FTC Safeguards Rule requirements.

3. Complete a Written Risk Assessment

Document threats to your customer data, assess likelihood and impact for each identified threat, and evaluate your current safeguards against those risks. Your risk assessment must be written, retained as a record, and updated whenever conditions materially change—including after security incidents, technology changes, or staffing shifts.

4. Implement Required Technical Controls

Deploy MFA on all systems accessing customer data. Enable AES-256 encryption for stored files and TLS 1.2 or higher for all data transmissions. Configure access controls so each user has the minimum permissions required for their job functions, applying the principle of least privilege across your entire technology stack.

5. Draft Your Written Information Security Plan (WISP)

Create a WISP documenting your entire information security program—risk assessment findings, implemented safeguards, employee roles, service provider oversight procedures, and incident response plan. Your WISP simultaneously satisfies the FTC Safeguards Rule's documentation requirement and IRS Publication 4557's WISP mandate, making it the most efficient single compliance artifact you can produce.

6. Vet and Contract Your Service Providers

Review all third-party vendors with access to customer data—tax software providers, cloud storage services, IT support contractors, and document management platforms. Obtain written contracts requiring them to implement appropriate safeguards and notify you of security incidents affecting your customers' data within a defined timeframe.

7. Train All Personnel with Data Access

Implement annual security awareness training covering phishing recognition, password hygiene, device security, and incident reporting procedures. Document training completion for all staff. Tax season phishing campaigns specifically targeting tax professionals are a documented and recurring threat, making role-specific training for tax preparers especially important.

8. Test, Monitor, and Report Continuously

Establish ongoing monitoring for anomalous system activity. Conduct periodic testing of your safeguards—quarterly at minimum, with independent penetration testing annually if you exceed 5,000 records. Provide written annual reports to senior leadership covering program status, risk findings, and any material changes to your security program or threat environment.

FTC Safeguards Rule Penalties: What Non-Compliant Tax Preparers Face

The consequences of failing to comply with the FTC Safeguards Rule are significant and span multiple dimensions—regulatory, legal, operational, and reputational. Tax preparers who view compliance as optional should carefully evaluate the full scope of exposure they are accepting before making that determination.

Federal Civil Penalties

The Federal Trade Commission can impose civil penalties of up to $50,120 per violation (the 2025 inflation-adjusted figure under 15 U.S.C. § 45). Each failure to implement a required safeguard can constitute a separate violation—a firm missing multiple elements of its information security program can face penalties across each deficiency simultaneously. For firms under an FTC consent order, ongoing violations carry a separate daily penalty rate of up to $43,792 per day until the violation is remediated and verified by the FTC.

Loss of IRS E-File Access

The IRS can suspend or revoke a tax preparer's Electronic Filing Identification Number (EFIN) following a data breach or demonstrated failure to protect client data under IRS Publication 4557. Losing EFIN access prevents your firm from filing returns electronically—a severe operational disruption that can effectively shut down your practice during peak tax season. See our detailed guide on protecting your EFIN to understand the specific steps required to maintain access and what to do if your EFIN is compromised.

Private Civil Litigation

Clients whose data is exposed in a breach can pursue civil lawsuits against your firm for negligence, breach of fiduciary duty, or violations of state consumer protection laws. While the Gramm-Leach-Bliley Act does not itself create a private right of action, plaintiffs have successfully litigated state law claims arising from GLBA-covered data breaches. The average cost of defending even a favorable data breach lawsuit routinely exceeds the cost of building a compliant security program from the ground up.

Circular 230 Professional Consequences

Under Circular 230 §10.21, tax practitioners have affirmative duties related to client data. Failure to implement adequate security measures—particularly when that failure results in unauthorized disclosure of client information—can trigger disciplinary proceedings before the IRS Office of Professional Responsibility, potentially resulting in suspension or disbarment from practice before the IRS. These professional consequences are distinct from FTC penalties and can occur independently of any federal civil enforcement action.

Reputational Damage

FTC enforcement actions are public record. A consent decree or settlement announcement naming your firm publicly identifies you as having failed to protect client financial data. For tax preparers whose business depends on client trust and professional referrals, this type of public disclosure can be more damaging long-term than any monetary penalty. Unlike a fine you can pay and move past, a public enforcement record persists in search results and professional databases for years after the underlying issue is resolved.

FTC Safeguards Rule Compliance Requirements by Practice Size

| Feature | Solo/Small Practice (<5,000 records) | Mid-Size Firm (5,000+ records) | Managed Security with Bellator |
|---|---|---|---|
| Qualified Individual | Owner/Principal | Designated staff or vCISO | Virtual CISO provided |
| Written Risk Assessment | Required | Required (annual) | Conducted & documented |
| WISP Documentation | Required | Required | Drafted & maintained |
| Multi-Factor Authentication | Required | Required | Deployed & monitored |
| Encryption (at rest & transit) | Required | Required | Implemented & verified |
| Annual Penetration Testing | Recommended | Required | Included annually |
| Biannual Vulnerability Assessments | Recommended | Required | Continuous scanning |
| Incident Response Plan | Required | Required | Tested & maintained |
| Annual Board/Leadership Report | Not required | Required | Prepared & delivered |
| Employee Security Training | Required | Required | Annual program included |

How the FTC Safeguards Rule Aligns with IRS Publication 4557

Tax preparers navigating regulatory compliance frequently encounter two overlapping frameworks: the FTC Safeguards Rule and IRS Publication 4557, Safeguarding Taxpayer Data. Understanding how these frameworks relate to each other allows you to build a single, unified compliance program rather than maintaining separate documentation sets for each regulator.

IRS Publication 4557 requires all tax preparers—regardless of practice size—to create and maintain a Written Information Security Plan (WISP). This requirement applies even to solo practitioners preparing a single return for compensation. The WISP must document your data security policies, procedures, and safeguards in written form that can be produced during an IRS examination or a breach investigation.

The FTC Safeguards Rule's nine-element Information Security Program requirement substantially overlaps with what a thorough WISP contains. Firms that build a WISP addressing all nine FTC elements—risk assessment, access controls, encryption, incident response, employee training, service provider oversight, and the rest—will simultaneously satisfy the IRS Publication 4557 documentation requirement. The most efficient approach is to build one document that satisfies both frameworks from the outset, rather than treating them as separate compliance workstreams.

Key distinctions between the two frameworks worth understanding:

  • Scope of applicability: IRS Publication 4557 applies to all paid tax preparers regardless of return volume. The FTC Safeguards Rule applies to firms significantly engaged in financial services—a category the FTC treats as including all tax preparation firms.
  • Enforcement authority: IRS Publication 4557 is enforced by the IRS, which can revoke EFIN access and refer violations to the Office of Professional Responsibility. The FTC Safeguards Rule is enforced by the FTC, which imposes civil monetary penalties directly.
  • Specificity of requirements: The updated FTC Safeguards Rule is more prescriptive than IRS Publication 4557, specifying exact controls like MFA mandates, encryption standards, and penetration testing thresholds for larger firms.

For detailed guidance on building a WISP that satisfies both sets of requirements, see our WISP templates for accountants and our complete guide on IRS WISP requirements for tax professionals.

Are You Above the 5,000-Record Threshold?

If your firm has prepared tax returns for more than 5,000 individuals across its operating history and retains prior-year records—as most practices do for audit defense—you likely exceed the FTC Safeguards Rule's 5,000-record threshold. This triggers mandatory annual penetration testing and biannual vulnerability assessments. Count all records in your systems, not just active current-year clients, when determining your threshold status.
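As an added example (not code from this page or from Bellator), here is the record count described above applied to two constructed CSV exports, one from current tax software and one from an archive: it normalizes inconsistently formatted SSNs, pseudonymizes them with a keyed hash so the inventory itself never holds raw SSNs, deduplicates the same person across tax years and systems, and reports whether the firm is above the 5,000-individual threshold. The CSV layout, the salt, and the conservative choice to count spouses and dependents as individuals are assumptions of the example.

```python
import csv
import hashlib
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

THRESHOLD = 5000  # "more than 5,000 individuals" triggers the extra obligations

# Assumption: a firm-specific secret kept outside source control in practice.
SALT = b"replace-with-a-firm-specific-secret"

# Constructed sample exports with fictitious SSNs, formatted inconsistently on
# purpose. Each line is one individual whose nonpublic information the firm
# holds: primary filers, spouses on joint returns, and dependents.
TAX_SOFTWARE_EXPORT = """\
tax_year,role,ssn,last_name
2025,primary,123-45-6789,Doe
2025,spouse,987-65-4321,Doe
2025,dependent,111223333,Doe
2025,primary,222-33-4444,Roe
"""

ARCHIVE_EXPORT = """\
tax_year,role,ssn,last_name
2021,primary,123456789,Doe
2022,primary,123-45-6789,Doe
2022,spouse,987 65 4321,Doe
2020,primary,333-44-5555,Poe
2019,primary,12-345,Malformed
"""


def normalize_ssn(raw: str) -> Optional[str]:
    """Strip dashes/spaces; reject anything that is not exactly nine digits."""
    digits = re.sub(r"\D", "", raw)
    return digits if len(digits) == 9 else None


def pseudonymize(ssn: str) -> str:
    """Keyed SHA-256 so the inventory stores a stable token, not the SSN."""
    return hashlib.sha256(SALT + ssn.encode()).hexdigest()


@dataclass
class Inventory:
    individuals: int          # distinct people across every system and year
    rows: int                 # raw rows seen (overstates: one person, many years)
    rejected: int             # rows with unusable SSNs, to follow up on
    by_year: Dict[int, int]   # distinct people per tax year (current year alone understates)


def count_individuals(*exports: str) -> Inventory:
    seen: Set[str] = set()
    by_year: Dict[int, Set[str]] = {}
    rows = rejected = 0
    for export in exports:
        for row in csv.DictReader(io.StringIO(export)):
            rows += 1
            ssn = normalize_ssn(row["ssn"])
            if ssn is None:
                rejected += 1
                continue
            token = pseudonymize(ssn)
            seen.add(token)
            by_year.setdefault(int(row["tax_year"]), set()).add(token)
    return Inventory(len(seen), rows, rejected,
                     {year: len(s) for year, s in sorted(by_year.items())})


def additional_obligations(individuals: int) -> List[str]:
    """Obligations the page lists for firms above the threshold; empty below it."""
    if individuals <= THRESHOLD:
        return []
    return ["annual penetration test by an independent third party",
            "biannual vulnerability assessments of covered systems",
            "annual written report to the board or senior leadership"]


if __name__ == "__main__":
    inv = count_individuals(TAX_SOFTWARE_EXPORT, ARCHIVE_EXPORT)
    print(f"{inv.individuals} distinct individuals in {inv.rows} rows "
          f"({inv.rejected} rejected); per year: {inv.by_year}")
    print("above threshold:", inv.individuals > THRESHOLD,
          additional_obligations(inv.individuals))
```

Run it against real exports only after replacing the salt; the rejected-row count is worth chasing down, since an unparseable SSN is often a record that was never inventoried at all.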

Service Provider Oversight: A Commonly Overlooked FTC Obligation

The FTC Safeguards Rule places explicit responsibility on tax preparers for the security practices of third-party service providers who access or process their customer data. This means your compliance obligation extends beyond your own internal systems to every vendor in your technology stack that touches client financial information.

For a typical tax practice, covered service providers commonly include cloud-based tax preparation software platforms, document storage and scanning services, IT support contractors with remote access to client systems, cloud storage services used to share client documents, and email service providers. If any of these vendors experience a breach involving your client data, your firm may face regulatory exposure if you cannot demonstrate that you selected the vendor with appropriate due diligence and contracted for required security protections.

The FTC Safeguards Rule requires tax preparers to: select service providers that maintain appropriate safeguards; require by contract that those providers implement and maintain those safeguards; and periodically assess the adequacy of their security controls. In practice, this means requesting SOC 2 Type II reports or equivalent security certifications from your key vendors, reviewing their breach notification procedures, and ensuring your data processing agreements include provisions requiring notification of security incidents affecting your customers' data.

Review your existing vendor relationships against the tax season cybersecurity checklist to identify gaps in your service provider oversight program. When you identify a vendor that cannot demonstrate adequate security controls, the FTC Safeguards Rule requires you to either work with that vendor to remediate identified gaps or select an alternative provider. Continuing to use a vendor with known security deficiencies after identifying those deficiencies creates compounding compliance and liability exposure for your firm. For a deeper look at how cyberattacks on tax firms frequently originate through third-party vendor compromises, see our analysis of recent incidents affecting the tax profession.

The Verizon 2025 Data Breach Investigations Report found that third-party involvement was a factor in a significant share of confirmed breaches across industries, underscoring the real-world risk that inadequate vendor oversight creates for tax practices of all sizes. Your WISP should include a dedicated section on vendor management procedures—both for initial vendor selection and for ongoing periodic review—to document your compliance with this often-overlooked element of the FTC Safeguards Rule.


Frequently Asked Questions: FTC Safeguards Rule for Tax Preparers

Yes. The FTC Safeguards Rule applies to any person or business significantly engaged in providing financial services, including tax preparation for compensation. Solo practitioners with a Preparer Tax Identification Number (PTIN) who prepare returns for paying clients are covered financial institutions under the Gramm-Leach-Bliley Act and must comply with all nine elements of the rule's Information Security Program requirements, including maintaining a written program and designating a Qualified Individual to oversee it.

Both frameworks require tax preparers to protect client financial data, but they originate from different regulatory authorities with different enforcement mechanisms. The FTC Safeguards Rule (16 CFR Part 314) is enforced by the Federal Trade Commission, which can impose civil monetary penalties of up to $50,120 per violation. IRS Publication 4557 is the IRS's guidance on safeguarding taxpayer data; the IRS enforces it primarily through its ability to revoke your EFIN and refer violations to the IRS Office of Professional Responsibility. A well-constructed Written Information Security Plan (WISP) addressing all nine FTC Safeguards Rule elements can satisfy both requirements simultaneously.

The FTC Safeguards Rule specifies nine elements: (1) a designated Qualified Individual; (2) a written risk assessment; (3) safeguards based on the risk assessment; (4) regular monitoring and testing; (5) employee security training; (6) service provider oversight with contractual protections; (7) a written incident response plan; (8) periodic program evaluation and adjustment; and (9) written annual reporting to senior leadership or the board of directors. Firms maintaining records on more than 5,000 individuals have two additional requirements: annual penetration testing by an independent third party and biannual vulnerability assessments of all covered systems.

The FTC can impose civil penalties of up to $50,120 per violation (2025 inflation-adjusted figure under 15 U.S.C. § 45). Ongoing violations under an FTC consent order carry penalties of up to $43,792 per day until resolved. Beyond FTC penalties, non-compliant tax preparers also risk loss of IRS e-file access via EFIN revocation, civil lawsuits from affected clients under state consumer protection laws, and disciplinary action under Circular 230 §10.21 that could result in suspension or disbarment from practice before the IRS.

Annual penetration testing by a qualified independent third party is required under the FTC Safeguards Rule if your firm maintains customer information on more than 5,000 individuals. If you fall below this threshold, penetration testing is strongly recommended as a best practice but is not explicitly mandated. The 5,000-record count includes all records in your systems—not just active current-year clients—so firms that retain multi-year client records for audit defense purposes may exceed this threshold without realizing it. Conducting an accurate record count before assuming you fall below the threshold is an essential first step.

A Qualified Individual (QI) is the person responsible for overseeing and implementing your firm's information security program. The FTC does not require specific certifications, but the QI must have sufficient knowledge and authority to manage the program effectively. For small tax practices, the firm owner or principal can serve as QI after completing appropriate security training. Larger firms often designate a staff member or engage an external virtual Chief Information Security Officer (vCISO) to serve in this role. Firms above the 5,000-record threshold must provide written annual reports to their board or equivalent senior leadership, prepared or overseen by the QI.

The FTC Safeguards Rule requires covered financial institutions to notify the FTC within 30 days of discovering a security breach affecting 500 or more customers. Your written incident response plan must also address notification procedures for affected individuals. Separately, applicable state data breach notification laws—which vary by jurisdiction—generally require prompt notification to affected individuals regardless of the number of records involved. Your incident response plan should address both FTC reporting requirements and applicable state notification obligations simultaneously.

Under the FTC Safeguards Rule, your written incident response plan must address: the goals of the plan; internal processes for responding to a security event; defined roles and responsibilities for response personnel; external and internal communications procedures; identification of requirements for remediating identified weaknesses; documentation and regulatory reporting requirements; and post-incident evaluation procedures to update your safeguards based on lessons learned. The plan should be tested at least annually through tabletop exercises and updated following any actual security incident.

No. While your tax software vendor's security certifications—such as a SOC 2 Type II report—demonstrate their security posture and can be retained as part of your service provider oversight documentation, they do not substitute for your own Information Security Program. The FTC Safeguards Rule requires you to implement and oversee your own program covering your entire operation: your workstations, networks, email systems, portable devices, and all other systems that access or process customer data. Vendor certifications are evidence of due diligence in vendor selection, not a replacement for your own compliance obligations.

The FTC Safeguards Rule requires you to evaluate and adjust your information security program whenever material changes occur to your business operations, technical environment, or threat conditions. At minimum, conduct an annual review of your WISP and risk assessment. You should also update your WISP following any security incident, significant changes to your technology stack, changes in staffing with access to customer data, or after identifying new threats through your monitoring program. For templates and step-by-step guidance, see our WISP templates for accountants and our free WISP template for 2026.
