PTIN WISP Requirements: What Tax Preparers Must Know

Why Every PTIN Holder Needs a Written Information Security Plan

If you hold an active Preparer Tax Identification Number (PTIN), you are legally obligated to protect every piece of client data that flows through your practice — and the IRS has made the mechanism for doing that explicit: a Written Information Security Plan (WISP). This is not advisory language. IRS Publication 4557 and the Federal Trade Commission (FTC) Safeguards Rule together establish binding data security obligations for every compensated tax preparer in the United States, regardless of firm size.

With more than 730,000 active PTIN holders on file with the IRS, tax professionals collectively hold some of the most sensitive personal and financial data in existence — Social Security numbers, income records, bank account details, and employer identification numbers. That concentration of high-value data makes the tax preparation field a primary target for identity thieves, ransomware operators, and business email compromise actors.

Your PTIN WISP serves two functions simultaneously. First, it is documented evidence of compliance with federal law — your proof, if the IRS or FTC ever asks, that your practice takes data protection seriously. Second, it is an operational security document that guides your firm's response when — not if — a security incident occurs. This guide explains the exact legal basis for the requirement, what your PTIN WISP must contain, the most common compliance failures, and how to build a plan that will hold up under regulatory scrutiny.

The Legal Basis: How Your PTIN Creates a WISP Obligation

The Preparer Tax Identification Number is required under IRS regulations at 26 CFR § 1.6109-2 for any individual who prepares or substantially assists in preparing federal tax returns for compensation. Annual PTIN renewal is mandatory, and the IRS uses the PTIN registry to track, discipline, and when necessary, sanction preparers who violate professional or legal standards.

The WISP obligation for PTIN holders flows from two overlapping legal frameworks that together leave no room for ambiguity:

• IRS Publication 4557 — Safeguarding Taxpayer Data: This publication instructs all tax professionals to create and maintain a written information security plan. The IRS explicitly states that "all tax professionals, regardless of firm size" must have a plan in place. Publication 4557 draws directly from the FTC Safeguards Rule and is the IRS's primary mechanism for communicating data security expectations to PTIN holders.
• FTC Safeguards Rule (16 CFR Part 314): Under the Gramm-Leach-Bliley Act (GLBA), tax preparers qualify as "financial institutions" because they engage in activities incidental to financial services. The FTC's Safeguards Rule — significantly updated effective June 9, 2023 — requires all covered financial institutions to implement a written information security program with specific technical, administrative, and physical controls.

The 2023 Safeguards Rule update introduced several new mandates that apply directly to PTIN holders: Multi-Factor Authentication (MFA) for any system that accesses client financial data, encryption of client records both in transit and at rest, and a written incident response plan that must be tested and updated regularly. Preparers with fewer than 5,000 customer records receive a limited exemption from certain reporting provisions, but the written plan requirement applies without exception to all covered preparers.

Beyond the FTC, the IRS can pursue preparers under Internal Revenue Code (IRC) §6713, which covers unauthorized disclosure of tax return information, and §7216, which imposes criminal penalties for willful disclosure. A data breach involving client information — even absent a regulatory complaint — can trigger an IRS review of whether the preparer maintained adequate safeguards. For a broader view of IRS cybersecurity mandates that affect PTIN holders, see our guide on IRS cybersecurity requirements for tax professionals.

What IRS Publication 4557 Actually Requires of PTIN Holders

IRS Publication 4557, Safeguarding Taxpayer Data, is not structured as a compliance checklist, but it establishes non-negotiable requirements for every PTIN WISP. The publication organizes its guidance around three operational areas where tax preparers must assess and control risk:

1. Employee management and training — How do you screen employees who handle client data? How do you limit access? What security training do staff receive, and how do you document it?
2. Information systems — What hardware, software, and network infrastructure do you use to process and store client information, and how are these systems protected from unauthorized access?
3. Detecting and managing system failures — Do you have procedures to detect unauthorized access or anomalies in your systems? What steps does your practice take when something goes wrong?

Publication 4557 draws directly from the FTC Safeguards Rule, which means your PTIN WISP must reflect both sets of requirements simultaneously. The IRS further emphasizes that the WISP is a living document — it must be reviewed and updated at minimum annually, and whenever a material change occurs in your business. Adopting new tax software, onboarding a cloud storage provider, expanding your staff, or relocating your office all constitute material changes that require WISP review.

One area where PTIN holders frequently fall short is service provider oversight. If you use a cloud-based practice management system, an off-site document storage service, or a third-party IT support firm, your WISP must address how you verify that those vendors maintain adequate security. This includes reviewing vendor contracts for security provisions and confirming that any third party who accesses client data is contractually obligated to protect it. For a template that addresses this and other requirements, download our free PTIN WISP template for 2026.

The Nine Elements the FTC Safeguards Rule Requires in Your WISP

The FTC Safeguards Rule (16 CFR Part 314) mandates nine specific elements in a qualified information security program. Because tax preparers are covered financial institutions under GLBA, your PTIN WISP must address all nine. Here is what each element means in practical terms for a tax preparation practice.

1. Qualified Individual

Designate a specific person to oversee your information security program. This individual must have the authority, resources, and knowledge to implement and maintain the plan. For a solo practitioner, you fill this role by default — document it explicitly in your WISP.

2. Risk Assessment

Conduct a written assessment of internal and external risks to the security, confidentiality, and integrity of client information. Your assessment must cover all three areas outlined in Publication 4557 and must be updated when your risk environment changes.

3. Safeguards Design and Implementation

Implement safeguards to control the risks identified in your assessment. The updated Safeguards Rule specifies that covered institutions must implement MFA for any system that accesses client financial data — a mandatory technical control for PTIN holders using cloud-based tax software. The NIST Special Publication 800-171 Revision 3 provides a detailed control catalog that maps well to Safeguards Rule requirements for small practices.

4. Monitoring and Testing

Regularly test and monitor your safeguards. For firms below the 5,000-record threshold, continuous monitoring is not mandated, but periodic vulnerability assessments are strongly advisable. See our overview of penetration testing for small businesses for what this process involves.

5. Staff Training

Train employees who access client data on your security policies and the specific threats relevant to tax practice — particularly phishing attacks targeting tax professionals, which the IRS warns about every filing season through its Security Summit alerts.

6. Service Provider Oversight

Select and retain service providers that maintain appropriate safeguards. Contracts with vendors who access client data must include provisions requiring them to protect that data. You must also verify compliance with those provisions on a regular basis.

7. Program Updates

Keep your security program current with changes in your business, your technology environment, and the threat environment. An annual review is the minimum standard — not a ceiling.

8. Incident Response Plan

Establish a written plan for responding to a security event. This plan must include procedures for assessing and containing the incident, notifying affected clients and regulators as required, and documenting lessons learned to prevent recurrence.

9. Reporting

Report regularly on the status of the security program to your governing body. For sole practitioners, this means a documented annual self-review. For firms, partners or managing members must receive a written update at least annually confirming the program's status and any changes made.

Common PTIN WISP Mistakes That Expose Tax Preparers to Risk

The most frequent compliance failure among PTIN holders is not the outright absence of a WISP — it is maintaining a WISP that exists only on paper, one that bears no relationship to how the practice actually operates. IRS examiners and FTC investigators look for internal consistency: does the document describe the systems the preparer actually uses? Do the access control policies reflect who actually has system access? Are training records dated and retained?

Using a Generic Template Without Customization

Downloadable WISP templates are a valid starting point, but they must be customized to accurately reflect your specific tax software, network configuration, staff roles, and physical location. A WISP that references systems you do not use — or omits systems you do use — fails the basic compliance standard of being an accurate description of your security program. Our review of best WISP templates for accountants explains what thorough customization looks like in practice, and our accounting firm WISP template examples show how different practice types should approach the document.

No Documented Risk Assessment

The FTC Safeguards Rule requires a written risk assessment — not a mental note, not a conversation, a written document. Many preparers skip this step entirely or treat it as a formality. A genuine risk assessment should identify specific threat scenarios: credential theft via phishing, ransomware delivered through a malicious email attachment, unauthorized access by a former employee after offboarding. Each scenario should be evaluated for likelihood and potential impact, with the findings driving your safeguard selection.

Missing MFA for Tax Software Access

Since the Safeguards Rule update in 2023, MFA is mandatory for any system that accesses customer financial data. Many small practices still rely on password-only authentication for their tax preparation software and client portals. This is a direct regulatory violation and one the IRS specifically highlights in its annual Security Summit campaigns. For implementation guidance, see our resource on two-factor authentication for tax professionals.

No Vendor Contracts with Security Provisions

If you use a cloud-based document management system, a remote IT support service, or a third-party payroll provider, your contracts with those vendors must include security provisions. Many preparers assume that major software vendors handle security automatically — but the FTC requires you to verify this contractually and document that verification in your WISP.

Annual Review Not Performed or Documented

A WISP dated 2022 that has never been revised is not a compliant document in 2026. Each annual review should be dated, signed by the designated information security coordinator, and retained as part of your compliance records. To understand the cyberthreats driving the need for regular updates, see our analysis of ransomware protection for tax practices and how cyberattacks on tax firms typically unfold.

Enforcement: What Happens to PTIN Holders Without a Compliant WISP

The IRS enforces data security requirements for PTIN holders through several channels, and understanding those mechanisms clarifies why treating the PTIN WISP as optional is a serious miscalculation.

The most direct enforcement path runs through the IRS Office of Professional Responsibility (OPR), which has authority to sanction enrolled agents, Certified Public Accountants (CPAs), and attorneys under Circular 230. Available sanctions range from a formal reprimand to indefinite suspension or disbarment from practice before the IRS. While Circular 230 applies specifically to credentialed preparers, the IRS can revoke any PTIN holder's number for conduct incompatible with the privilege of preparing federal tax returns.

A data breach affecting client tax information also triggers notification obligations under state law. As of 2026, all 50 states have enacted data breach notification statutes, and many of those statutes impose civil penalties for failures in security program maintenance. Some state laws specifically designate tax return information as a protected data category with elevated notice requirements.

The FTC retains independent enforcement authority under the Safeguards Rule. Violations can result in civil penalties of up to $51,744 per violation per day, plus injunctive relief requiring the preparer to implement a remediation program under FTC oversight. For a small tax preparation practice, even a single enforcement action represents a potentially business-ending financial event.

Beyond regulatory consequences, preparers who experience a breach without documented security programs face substantially elevated civil liability from affected clients. Courts have consistently treated the absence of a written security policy as evidence of negligence per se. Your PTIN WISP is, among other things, a legal defense document — evidence that you exercised reasonable care in protecting client data. For a detailed view of how these incidents develop in the tax field, see our analysis of cyberattacks on tax firms.

PTIN WISP Documentation: What to Keep and for How Long

A WISP is not a single document — it is a documentation system. Beyond the written plan itself, maintaining records that demonstrate your security program is active and operational is what separates a compliant practice from one that simply has paperwork on file. Both the IRS and FTC emphasize that evidence of implementation matters as much as the plan itself.

The records you should maintain as part of your PTIN WISP compliance package include:

• The current WISP, signed and dated by the designated information security coordinator, reflecting your actual systems and workflows
• Prior WISP versions, retained to demonstrate a history of updates and program evolution
• Written risk assessment, including the date conducted, methodology, findings, and the safeguards selected in response
• Employee training records, with names, dates, topics covered, and completion verification for every training session
• Vendor security agreements, including signed contracts with security provisions for every third party who accesses client data
• Incident logs, documenting any security events — even minor ones — and the response actions taken
• Annual review documentation, dated and signed by the security coordinator, confirming the plan was reviewed and identifying any changes made

No single federal statute specifies a retention period for WISP documentation, but IRS practice guidance and FTC enforcement precedent point to a minimum of five years for all security program records. State-level requirements may be longer. Store these records in a secure location separate from the primary systems that a breach might compromise, and ensure your information security coordinator has documented access to all of them.

For guidance on structuring your security documentation alongside your broader IRS compliance obligations — including those related to Electronic Filing Identification Numbers (EFINs) and W-9 collection — see our detailed breakdown of IRS WISP requirements for tax professionals and our PTIN and EFIN protection resources.