Why the FTC Safeguards Rule Applies to Your Tax Practice
Most tax preparers don't think of themselves as financial institutions — but under the Gramm-Leach-Bliley Act (GLBA), the Federal Trade Commission (FTC) does. The FTC Safeguards Rule, substantially strengthened with a compliance deadline of June 9, 2023, treats any business significantly engaged in financial activities — including tax preparation — as a financial institution subject to federal data security law. If your practice collects, stores, or transmits nonpublic personal information (NPI) for clients, you are legally required to maintain a written information security program that meets the FTC's current standards.
This isn't a technicality buried in regulatory footnotes. The FTC has stated explicitly in guidance and enforcement actions that tax preparers, accountants, and other financial service providers face real consequences for non-compliance. Understanding exactly what the FTC Safeguards Rule for tax preparers and financial institutions requires — and how it intersects with IRS obligations — is essential for every firm that handles client financial data in 2026.
The rule traces its authority to 16 C.F.R. Part 314, the FTC's implementing regulation under GLBA Title V. The 2023 update replaced general best-practice language with specific, enforceable technical controls — making this one of the most operationally detailed federal data security requirements facing tax professionals today.
Tax & Financial Data Security By the Numbers (statistics graphic not preserved; sources cited: IBM Cost of a Data Breach Report 2024, Verizon Data Breach Investigations Report 2024, and FTC Act Section 5 civil penalties adjusted for inflation)
Who Qualifies as a Financial Institution Under the FTC Safeguards Rule?
The GLBA defines financial institution broadly. Under the FTC's implementing rule, any entity significantly engaged in financial activities falls within its scope. The FTC's own published examples include tax preparation firms, mortgage brokers, check cashers, and credit counselors. For tax preparers, the connection is direct: preparing returns means collecting Social Security numbers, wage records, bank routing numbers, and investment statements — exactly the type of NPI the Safeguards Rule is designed to protect.
The FTC Safeguards Rule for tax preparers and financial institutions applies regardless of firm size. Whether you prepare 40 returns or 40,000, if you handle client NPI, you must comply. There is no revenue threshold and no minimum return volume that creates an exemption.
What Counts as Nonpublic Personal Information?
NPI includes any financial information a client provides to obtain a financial product or service, plus any information about clients derived from transactions. For a tax practice, this means:
- Social Security numbers and Individual Taxpayer Identification Numbers (ITINs)
- W-2s, 1099s, and other income records
- Bank account and routing numbers for direct deposit of refunds
- Investment account statements and brokerage records
- Prior-year tax returns used for reference
- Health insurance records provided for ACA-related tax purposes
Information that is publicly available in general — like a business's listed phone number — does not automatically qualify as NPI. But if a client provided that information specifically to obtain your services, it retains NPI status. When in doubt, treat the information as protected. For a thorough look at how these requirements align with IRS standards, see our guide on IRS Publication 4557 (Safeguarding Taxpayer Data) WISP requirements.
Small Firm? You're Still Subject to the Safeguards Rule
The FTC Safeguards Rule has no small-business exemption. Tax firms that maintain NPI on fewer than 5,000 customers qualify for a simplified path on one specific requirement — the annual written report to a governing body — but all other core controls apply in full: written risk assessment, encryption, Multi-Factor Authentication (MFA), incident response plan, staff training, and service provider oversight. Size reduces paperwork, not security obligations.
The 9 Core Requirements of the FTC Safeguards Rule
The 2023 update moved the Safeguards Rule well beyond general principles and into specific, enforceable controls. Your information security program must address all nine of the following areas. Partial compliance is not compliance.
1. Designate a Qualified Individual
You must formally designate a single person — either an employee or an external service provider — to oversee, implement, and enforce your information security program. For small firms, this is often the owner. The requirement is that the person has genuine knowledge and authority to act, not merely a title. If you use a managed security provider to fill this role, the designation must be documented in your service contract.
2. Conduct and Document a Written Risk Assessment
Your security program must be grounded in a written risk assessment that identifies threats to the confidentiality, integrity, and availability of customer information, evaluates the sufficiency of existing safeguards, and prioritizes remediation. This assessment must be reviewed and updated whenever circumstances change materially — not just annually.
3. Implement Safeguards in Eight Specific Areas
Based on your risk assessment, the rule requires safeguards across eight functional areas: access controls, data inventory and classification, encryption, secure development practices, authentication (MFA), activity monitoring and testing, service provider oversight, and change management. Each area must be addressed — skipping one creates a documented compliance gap.
4. Encrypt All NPI In Transit and At Rest
All nonpublic personal information must be encrypted both when transmitted across networks (using TLS 1.2 or higher) and when stored on devices or in cloud systems. Unencrypted client files on a shared drive, portable hard drive, or unprotected email server violate this requirement directly. Full-disk encryption for laptops is the floor, not the ceiling.
5. Implement Multi-Factor Authentication
Any system that stores, accesses, or transmits NPI must require MFA. This applies to tax software portals, email systems where client data arrives, remote access tools such as VPN or Remote Desktop Protocol (RDP), and cloud storage platforms. Single-password access to any of these systems is a direct violation of the 2023 rule.
6. Train Employees Regularly
Staff with access to NPI must receive security awareness training that is updated to reflect current threats. For tax practices, this means training must address phishing, business email compromise (BEC), credential theft, and social engineering — the attack vectors most commonly used against tax preparers. Learn more about purpose-built security awareness training for tax firms.
7. Oversee Third-Party Service Providers
If you share NPI with outside vendors — tax software companies, cloud backup providers, payroll processors, or IT support firms — the rule requires you to select them based on their security practices, contractually require them to implement appropriate safeguards, and periodically monitor their compliance. Vendor contracts that are silent on data security are a documented compliance gap.
8. Maintain a Written Incident Response Plan
You need a documented plan for detecting, containing, assessing, and recovering from a security breach. The 2023 update added a specific notification requirement: if a breach affects 500 or more customers, you must notify the FTC within 30 days of discovery. Your incident response plan must address this timeline explicitly. Firms without a written plan cannot demonstrate compliance to an FTC examiner and have no playbook for their team to follow during an active incident.
9. Report to Your Governing Body (5,000+ Customer Records)
For firms that maintain NPI on 5,000 or more customers, the Qualified Individual must report to the board of directors or equivalent governing body at least annually. The report must cover the risk assessment summary, program status, material security events, and any deficiencies identified. Solo practitioners and partnerships with no formal board structure fulfill this by documenting the annual program review in writing.
Implementing FTC Safeguards Rule Compliance: Step-by-Step
Appoint and Document Your Qualified Individual
Formally designate the person responsible for your information security program. Put it in writing — an internal memo, employment agreement addendum, or service contract with an external provider. Without documented designation, you cannot satisfy this foundational requirement.
Complete a Written Risk Assessment
Inventory every system that stores or processes NPI: tax software, email, cloud drives, laptops, external drives. Identify realistic threats — phishing, ransomware, insider misuse, lost devices — evaluate your current controls against each, and document the gaps. This assessment drives every downstream requirement.
Deploy MFA Across All NPI Systems
Enable MFA on email platforms (Microsoft 365 or Google Workspace), tax software portals, VPN and remote desktop connections, and cloud storage. Authenticator apps such as Microsoft Authenticator are preferred over SMS codes, which are vulnerable to SIM-swapping attacks.
Encrypt Data In Transit and At Rest
Confirm TLS 1.2+ is active on your client portal and email system. Enable full-disk encryption (BitLocker for Windows, FileVault for Mac) on all laptops and workstations. Replace consumer-grade file sharing with business-tier encrypted cloud storage covered by a signed data processing agreement.
Audit and Contractually Bind Service Providers
Review every vendor that touches NPI. Confirm they have their own written security programs. Add contractual security requirements — data encryption, breach notification, access controls — to any agreement where they are missing. Retain documentation of this review.
Write and Test Your Incident Response Plan
Document how your firm will detect, contain, and remediate a breach. Include the FTC's 30-day notification requirement for breaches affecting 500 or more customers. Conduct a tabletop exercise at least annually to verify the plan works under simulated pressure.
Train Staff and Compile Your Written Security Program
Deliver security awareness training to all staff with NPI access and document attendance. Compile your Written Information Security Plan (WISP) — the document that ties all controls together and serves as your audit trail for FTC, IRS, and any state regulator that requests evidence of compliance.
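As an added example (not from the article or from Bellator Cyber Guard), the checks in the steps above expressed as a self-assessment script: it walks a constructed inventory of NPI-bearing systems, flags the gaps the rule names (MFA missing on any system, NPI unencrypted at rest, TLS below 1.2, an unsigned vendor agreement, a risk assessment older than the last material change, no written incident response plan) and computes the 30-day FTC notification deadline for a breach affecting 500 or more customers. The data model, system names, vendor names and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Thresholds and deadlines as the article states them (16 C.F.R. Part 314, 2023 update).
FTC_NOTIFY_THRESHOLD = 500  # affected customers at which FTC notification is required
FTC_NOTIFY_DAYS = 30        # days after discovery to notify the FTC
MIN_TLS = (1, 2)            # TLS 1.2 or higher for NPI in transit

@dataclass
class NpiSystem:
    # One system that stores, accesses or transmits NPI; the fields are this example's assumptions.
    name: str
    mfa_enabled: bool
    encrypted_at_rest: bool
    tls_version: Optional[Tuple[int, int]]  # None if the system never sends NPI over a network
    vendor: Optional[str] = None            # third party that hosts or accesses the data, if any
    vendor_agreement_signed: bool = False   # contractual safeguards in place with that vendor

@dataclass
class Practice:
    systems: List[NpiSystem]
    qualified_individual_documented: bool
    risk_assessment_date: Optional[date]
    last_material_change: Optional[date]  # e.g. new cloud vendor, move to remote work
    incident_response_plan_written: bool

def find_gaps(p: Practice) -> List[str]:
    """List every control named in the article that the practice does not currently meet."""
    gaps = []
    if not p.qualified_individual_documented:
        gaps.append("no written designation of a Qualified Individual")
    if p.risk_assessment_date is None:
        gaps.append("no written risk assessment")
    elif p.last_material_change and p.last_material_change > p.risk_assessment_date:
        gaps.append("risk assessment predates a material change and must be updated")
    if not p.incident_response_plan_written:
        gaps.append("no written incident response plan")
    for s in p.systems:  # the rule covers every NPI-bearing system, not just the main one
        if not s.mfa_enabled:
            gaps.append(f"{s.name}: MFA not enabled")
        if not s.encrypted_at_rest:
            gaps.append(f"{s.name}: NPI not encrypted at rest")
        if s.tls_version is not None and s.tls_version < MIN_TLS:
            gaps.append(f"{s.name}: TLS {s.tls_version[0]}.{s.tls_version[1]} is below 1.2")
        if s.vendor and not s.vendor_agreement_signed:
            gaps.append(f"{s.name}: no signed security agreement with {s.vendor}")
    return gaps

def ftc_notification_deadline(discovered: date, customers_affected: int) -> Optional[date]:
    """Deadline to notify the FTC, or None when the breach is under the 500-customer threshold."""
    if customers_affected < FTC_NOTIFY_THRESHOLD:
        return None
    return discovered + timedelta(days=FTC_NOTIFY_DAYS)

# Constructed sample practice and breach date: names and values are illustrative, not a real firm.
SAMPLE_BREACH_DISCOVERED = date(2025, 4, 10)
SAMPLE = Practice(
    systems=[
        NpiSystem("tax software portal", True, True, (1, 2), "tax-software vendor", True),
        NpiSystem("office email", False, True, (1, 2), "email provider", False),
        NpiSystem("preparer laptop", True, False, None),
        NpiSystem("legacy client portal", True, True, (1, 0), "web host", True),
    ],
    qualified_individual_documented=True,
    risk_assessment_date=date(2022, 3, 1),
    last_material_change=date(2025, 1, 15),
    incident_response_plan_written=False,
)
```

Running `find_gaps(SAMPLE)` on the constructed inventory returns one entry per gap, so the output doubles as the remediation list for the written risk assessment.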
FTC Enforcement: What Non-Compliance Actually Costs
The FTC brings civil actions under Section 5 of the FTC Act for Safeguards Rule violations. As of 2024, civil penalties reach $51,744 per violation per day, adjusted annually for inflation. For a small tax firm with a breach affecting hundreds of clients over multiple days — with unencrypted files, no MFA, and no incident response plan all simultaneously in violation — those penalties compound fast.
But the direct FTC penalty is often not the highest-cost outcome. Non-compliance exposes tax preparers to a cascade of secondary consequences:
- State attorney general enforcement — Many states have enacted data security laws aligned with GLBA, and state AGs can bring independent enforcement actions with their own penalty structures
- Client lawsuits — A documented Safeguards Rule violation significantly strengthens a negligence claim. Plaintiffs' attorneys routinely obtain FTC compliance records in discovery
- IRS Electronic Filing Identification Number (EFIN) suspension — The IRS can revoke your EFIN if you fail to maintain adequate data security, effectively shutting down your ability to e-file returns during tax season
- Cyber insurance claim denial — Insurers increasingly scrutinize compliance with mandatory security frameworks. A Safeguards Rule violation at the time of a breach may void coverage
The FTC has also required mandatory third-party security audits as part of settlement agreements — an ongoing cost that can run tens of thousands of dollars annually. For firms that want to understand the full scope of tax-season attack vectors that drive these incidents, our guide to online tax filing security risks for 2025 and 2026 provides current threat context.
FTC Safeguards Rule Requirements: All Firms vs. 5,000+ Customer Records
How the FTC Safeguards Rule Aligns with IRS Requirements
Tax preparers operate under layered compliance obligations. The FTC Safeguards Rule runs alongside IRS Publication 4557 (Safeguarding Taxpayer Data), which independently requires all tax professionals to create and maintain a Written Information Security Plan (WISP). The two frameworks are largely complementary — a properly constructed WISP built to IRS standards will satisfy most FTC Safeguards Rule requirements.
Where the FTC rule adds specificity beyond Publication 4557:
- The 30-day FTC breach notification requirement for incidents affecting 500 or more customers is an FTC-specific obligation with no direct IRS equivalent
- The formal annual penetration testing and vulnerability assessment schedule for firms with 5,000+ customer records goes further than general IRS guidance
- The requirement to submit a written annual report to a governing body applies only under the FTC rule, not IRS Publication 4557
For practical compliance, most firms use the IRS WISP template as their foundation and then extend it to address the additional FTC requirements. Our walkthrough of the IRS Publication 5708 WISP template covers how to structure that document. For a closer look at how the full IRS framework maps to broader security requirements, see our resource on tax safeguard compliance under Publication 4557.
The NIST Cybersecurity Framework as a Compliance Bridge
Both the FTC and IRS point to the NIST Cybersecurity Framework (CSF) as a reference model for building information security programs. NIST CSF's five functions — Identify, Protect, Detect, Respond, and Recover — map directly onto the nine FTC Safeguards Rule requirements. Firms that organize their security program around NIST CSF produce documentation that satisfies FTC examiners, IRS auditors, and cyber insurers simultaneously. See our deep dive on the NIST incident response framework for how the Respond and Recover functions translate into your incident response plan requirements.
Core Security Controls Required by the FTC Safeguards Rule
Multi-Factor Authentication
Mandatory for every system containing NPI. Authenticator apps and hardware security keys satisfy the requirement; SMS codes are acceptable only where technically necessary.
Encryption In Transit and At Rest
TLS 1.2+ for data moving across networks; full-disk or file-level encryption for stored client records on all devices, servers, and cloud platforms.
Continuous Activity Monitoring
System-level logging and monitoring on all NPI-bearing systems to detect unauthorized access, anomalous behavior, and potential data exfiltration before damage compounds.
Written Incident Response Plan
Documented playbook covering detection, containment, eradication, and FTC notification — 30-day deadline for incidents affecting 500 or more customers.
Security Awareness Training
Annual training for all staff with NPI access, updated to reflect current phishing, ransomware, and social engineering tactics targeting tax and financial service firms.
Vendor Risk Management
Contractual security requirements and periodic compliance monitoring for all third parties — tax software vendors, cloud storage providers, IT support firms — that access NPI.
Common FTC Safeguards Rule Gaps in Tax Practices
After assessing tax and accounting firms across the country, Bellator Cyber Guard consistently identifies the same compliance gaps. Recognizing these early prevents enforcement exposure before the next filing season:
Missing or outdated vendor agreements: Most small tax firms use email and cloud storage without a signed data processing agreement that requires the vendor to maintain appropriate safeguards. Consumer-tier cloud services (personal Dropbox, Gmail without Google Workspace) do not satisfy the rule's vendor oversight requirements — and using them transfers risk directly to you without any contractual protection.
MFA gaps across systems: Firms often enable MFA on their primary tax software portal but leave email and remote access tools protected by password alone. Since client NPI typically arrives first via email, an unprotected inbox is one of the highest-risk compliance gaps in any tax practice. The rule requires MFA on every NPI-bearing system — not just the one that feels most sensitive.
Stale risk assessments: A written risk assessment completed in 2022 does not satisfy the current rule. Any material change — adopting new cloud storage, shifting to remote work, onboarding a new software vendor, or hiring staff with system access — triggers an update requirement. The assessment must reflect your current technology environment.
No written incident response plan: Many firms have an informal sense of what they would do after a breach, but the FTC Safeguards Rule requires a written plan. Without documentation, there is no audit trail for regulators and no playbook for staff managing an active incident under time pressure.
Our pillar guide on cybersecurity for tax professionals covers the complete set of technical and administrative controls required for a fully compliant tax practice. If you are assessing your firm's physical security posture alongside digital controls, our reference "Which physical security practice is required for FTI?" addresses the physical safeguard dimension often overlooked in Safeguards Rule assessments.
For network-level isolation of systems containing NPI — a specific control recommended under both NIST CSF and the FTC Safeguards Rule's access control requirement — see our technical guide on what is network segmentation.
Get a Free FTC Safeguards Rule Compliance Assessment
Bellator Cyber Guard's compliance specialists will evaluate your information security program against FTC Safeguards Rule requirements and deliver a prioritized remediation roadmap at no cost.
Frequently Asked Questions
Does the FTC Safeguards Rule apply to solo tax preparers and very small firms?
Yes. The FTC Safeguards Rule applies to all businesses significantly engaged in financial activities, including solo tax preparers. There is no exemption based on firm size, number of employees, or volume of returns prepared. Firms that maintain NPI on fewer than 5,000 customers have a simplified path for one requirement — the annual written report to a governing body — but all core controls, including MFA, encryption, and incident response planning, apply in full.
How does the FTC Safeguards Rule differ from IRS Publication 4557?
The FTC Safeguards Rule is a federal regulation under the Gramm-Leach-Bliley Act enforced by the Federal Trade Commission, with civil penalty authority. IRS Publication 4557 is IRS guidance directing tax professionals to create a Written Information Security Plan (WISP). The two frameworks are closely aligned — a compliant WISP satisfies most FTC Safeguards Rule requirements. The FTC rule adds specific obligations not addressed in Publication 4557: the 30-day breach notification to the FTC, mandatory annual penetration testing for larger firms, and a formal annual written report to a governing body.
What are the breach notification requirements under the FTC Safeguards Rule?
Under the 2023 update to the Safeguards Rule, financial institutions — including tax preparers — must notify the FTC within 30 days of discovering a breach that affects 500 or more customers. Notification is submitted through the FTC's designated online reporting portal. You must also follow any applicable state breach notification laws, which may have shorter timelines and require notification to affected individuals and state regulators in addition to the FTC.
What forms of multi-factor authentication satisfy the rule?
The rule requires MFA for any information system that accesses, stores, or transmits customer information. Acceptable methods include authenticator apps (such as Microsoft Authenticator, Google Authenticator, or Duo), hardware security keys (FIDO2/WebAuthn standard), and — where technically necessary — SMS-based one-time codes. Authenticator apps and hardware keys are strongly preferred. SMS-based MFA is vulnerable to SIM-swapping attacks and should be phased out wherever app-based authentication is available.
Does using a compliant vendor transfer my FTC Safeguards Rule obligations to that vendor?
No. Using a security-compliant vendor does not transfer your FTC Safeguards Rule obligations to that vendor. You remain responsible for your own information security program. You can satisfy specific requirements through qualified service providers — for example, using a compliant cloud storage platform for encrypted data storage or contracting with a managed security firm to serve as your Qualified Individual — but the rule requires you to select vendors based on their security practices, bind them by contract, and periodically monitor their compliance.
What are the penalties for non-compliance?
The FTC can seek civil penalties up to $51,744 per violation per day under FTC Act Section 5 (adjusted annually for inflation). Beyond direct federal penalties, violations expose tax preparers to state attorney general enforcement actions, client lawsuits in which the documented violation strengthens negligence claims, IRS Electronic Filing Identification Number (EFIN) suspension, and potential denial of cyber insurance claims at breach time. FTC settlements also routinely require mandatory third-party security audits for multi-year periods.
How often must the written risk assessment be updated?
The FTC Safeguards Rule does not impose a fixed update interval, but requires that you review and update the risk assessment whenever circumstances change materially — when you adopt new technology, shift to remote operations, add service providers with NPI access, or experience a security incident. Most compliance advisors recommend a formal annual review as a baseline, with a full reassessment triggered by any material change and at minimum every two years regardless of whether changes occurred.
What is a Qualified Individual, and who can serve in that role?
A Qualified Individual is the person formally designated to oversee, implement, and enforce your information security program. The rule does not specify credentials or certifications — it requires that the person have the knowledge and authority to manage the program effectively. This can be an employee (often the firm owner for small practices) or a qualified external service provider such as a managed security company. The designation must be documented in writing, and for external providers, reflected in the service contract.