Skip to content

Free 15-minute cybersecurity consultation — no obligation

Book Free Call
Tax43 min readDeep Dive

PTIN WISP Requirements: What Tax Preparers Must Know

Every PTIN holder needs a WISP under IRS Pub. 4557 and the FTC Safeguards Rule. Learn the 9 required elements, common mistakes, and how to stay compliant.

PTIN WISP Requirements: What Tax Preparers Must Know - ptin wisp

Why Every PTIN Holder Needs a Written Information Security Plan

If you hold an active Preparer Tax Identification Number (PTIN), federal law requires you to protect every piece of client data that flows through your practice, and the IRS has made the mechanism explicit: a Written Information Security Plan (WISP). This is not advisory language. IRS Publication 4557 and the Federal Trade Commission (FTC) Safeguards Rule together establish binding data security obligations for every compensated tax preparer in the United States, regardless of firm size.

With more than 730,000 active PTIN holders on file with the IRS, tax professionals collectively hold some of the most sensitive personal and financial data in existence: Social Security numbers, income records, bank account details, and Employer Identification Numbers (EINs). That concentration of high-value data makes tax preparation a primary target for identity thieves, ransomware operators, and business email compromise actors.

Your PTIN WISP serves two functions at once. First, it is documented evidence of compliance with federal law, your proof, if the IRS or FTC ever asks, that your practice takes data protection seriously. Second, it is an operational security document that guides your firm's response when a security incident occurs.

This guide explains the exact legal basis for the PTIN WISP requirement, what your plan must contain under both IRS and FTC frameworks, the most common compliance failures tax preparers make, and how to build a WISP that holds up under regulatory scrutiny in 2026.

Tax Preparer Data Security: By The Numbers

730,000+
Active PTIN Holders

IRS Return Preparer Office

$51,744
Max FTC Penalty Per Violation, Per Day

16 CFR Part 314 enforcement

9
Required WISP Elements

FTC Safeguards Rule

5,000
Record Threshold for Full Compliance

Safeguards Rule scope

The Legal Basis: How Your PTIN Creates a WISP Obligation

The Preparer Tax Identification Number is required under IRS regulations at 26 CFR 1.6109-2 for any individual who prepares or substantially assists in preparing federal tax returns for compensation. Annual PTIN renewal is mandatory, and the IRS uses the PTIN registry to track, discipline, and when necessary sanction preparers who violate professional or legal standards.

The WISP obligation for PTIN holders flows from two overlapping legal frameworks that together leave little room for ambiguity.

IRS Publication 4557, Safeguarding Taxpayer Data

This publication instructs all tax professionals to create and maintain a written information security plan. The IRS states plainly that all tax professionals, regardless of firm size, must have a plan in place. Publication 4557 draws directly from the FTC Safeguards Rule and is the IRS's primary mechanism for communicating data security expectations to PTIN holders. For a detailed breakdown, see our guide on IRS Publication 4557 compliance and safeguarding taxpayer data.

FTC Safeguards Rule (16 CFR Part 314)

Under the Gramm-Leach-Bliley Act (GLBA), tax preparers qualify as financial institutions because they engage in activities incidental to financial services. The FTC Safeguards Rule, significantly updated effective June 9, 2023, requires all covered financial institutions to implement a written information security program with specific technical, administrative, and physical controls. The 2023 update introduced several mandates that apply directly to PTIN holders:

  • Multi-Factor Authentication (MFA) for any system that accesses client financial data
  • Encryption of client records both in transit and at rest
  • A written incident response plan that must be tested and updated regularly
  • Annual penetration testing or continuous monitoring for firms above 5,000 records

Preparers with fewer than 5,000 customer records receive a limited exemption from certain reporting provisions, but the written plan requirement applies to every covered preparer without exception. Our breakdown of the FTC Safeguards Rule for tax preparers walks through each obligation in practical terms.

Additional Enforcement Statutes

Beyond the FTC, the IRS can pursue preparers under Internal Revenue Code (IRC) 6713, which covers unauthorized disclosure of tax return information, and 7216, which imposes criminal penalties for willful disclosure. A data breach involving client information, even absent a regulatory complaint, can trigger an IRS review of whether the preparer maintained adequate safeguards. For a broader view of IRS cybersecurity mandates that affect PTIN holders, see our guide on IRS cybersecurity requirements for tax professionals.

The Takeaway

Your PTIN and your WISP are legally linked. Because the PTIN identifies you as a paid preparer, and paid preparers are financial institutions under GLBA, the FTC Safeguards Rule and IRS Publication 4557 both require a written information security plan. There is no small-firm exemption from the written plan itself.

What IRS Publication 4557 Requires of PTIN Holders

IRS Publication 4557, Safeguarding Taxpayer Data, is not structured as a simple checklist, but it establishes non-negotiable requirements for every PTIN WISP. The publication organizes its guidance around three operational areas where tax preparers must assess and control risk.

Employee management and training. How do you screen employees who handle client data? How do you limit access based on job role? What security training does staff receive, and how do you document completion? The IRS expects preparers to provide annual security awareness training that covers phishing recognition, social engineering tactics, and proper data handling procedures specific to tax practice.

Information systems. What hardware, software, and network infrastructure do you use to process and store client information, and how are these systems protected from unauthorized access? This includes your tax preparation software, client portals, email systems, local network equipment, and any cloud services that touch taxpayer data. Our overview of securing tax client portals covers the access controls this area demands.

Detecting and managing system failures. Do you have procedures to detect unauthorized access or anomalies in your systems, and what steps does your practice take when something goes wrong? This area covers your monitoring tools, antivirus and endpoint protection, logging practices, and incident response procedures.

Publication 4557 draws directly from the FTC Safeguards Rule, which means your PTIN WISP must reflect both sets of requirements at once. The IRS further emphasizes that the WISP is a living document. It must be reviewed and updated at minimum annually, and whenever a material change occurs in your business operations.

Material Changes That Trigger a WISP Review

Adopting new tax software, onboarding a cloud storage provider, expanding your staff, relocating your office, adding a remote work policy, or changing your IT support vendor all count as material changes requiring WISP review. Many preparers fail to recognize that even switching from one cloud-based tax platform to another demands a documented update to the WISP.

Service Provider Oversight

One area where PTIN holders frequently fall short is vendor management. If you use a cloud-based practice management system, an off-site document storage service, or a third-party IT support firm, your WISP must address how you verify that those vendors maintain adequate security. This includes reviewing vendor contracts for security provisions and confirming that any third party who accesses client data is contractually obligated to protect it. For a template that addresses these requirements, see our free PTIN WISP template for 2026.

How to Build a Compliant PTIN WISP: 7 Implementation Steps

1

Designate a Security Coordinator

Name the individual responsible for your information security program, with documented authority, resources, and knowledge. For solo practitioners, that is you, so record your name, title, and designation date.

2

Conduct a Written Risk Assessment

Document internal and external threats to client data across all three Publication 4557 areas, then rate each threat by likelihood and potential impact.

3

Inventory Systems and Client Data

List every system that stores or processes taxpayer data, including tax software, portals, email, local network gear, and cloud services.

4

Deploy Required Technical Controls

Enable MFA on all systems accessing financial data, configure encryption in transit and at rest, and apply least-privilege access controls.

5

Document Vendor Oversight

Collect signed contracts with security provisions and request SOC 2 Type II attestations from every vendor who touches client data.

6

Write and Test Your Incident Response Plan

Detail containment, client and regulator notification, and recovery steps, then run a tabletop test to confirm the plan works.

7

Schedule the Annual Review

Set a recurring date to review, update, sign, and retain the WISP, along with all supporting compliance records.

The Nine Elements the FTC Safeguards Rule Requires in Your WISP

The FTC Safeguards Rule (16 CFR Part 314) mandates nine specific elements in a qualified information security program. Because tax preparers are covered financial institutions under GLBA, your PTIN WISP must address all nine. Here is what each means in practical terms for a tax preparation practice.

1. Qualified Individual. Designate a specific person to oversee your information security program. This individual must have the authority, resources, and knowledge to implement and maintain the plan. For a solo practitioner, you fill this role by default, so document it explicitly with your name, title, and date of designation.

2. Risk Assessment. Conduct a written assessment of internal and external risks to the security, confidentiality, and integrity of client information. Your assessment must cover all three operational areas outlined in Publication 4557 and must be updated when your risk environment changes. It should identify specific threat categories, evaluate their likelihood and potential damage, and document which safeguards address each risk.

3. Safeguards Design and Implementation. Implement safeguards to control the risks you identified. The updated Safeguards Rule specifies that covered institutions must implement MFA for any system accessing client financial data, a mandatory technical control for PTIN holders using cloud-based tax software. NIST Special Publication 800-171 Revision 3 provides a detailed control catalog that maps well to Safeguards Rule requirements for small practices.

4. Monitoring and Testing. Regularly test and monitor your safeguards to confirm they function as intended. For firms below the 5,000-record threshold, continuous monitoring is not mandated, but periodic vulnerability assessments are strongly advisable. Automated tools can scan your network for misconfigurations and unpatched systems on a schedule.

5. Staff Training. Train employees who access client data on your security policies and the threats relevant to tax practice, particularly phishing attacks targeting tax professionals, which the IRS warns about every filing season through its Security Summit alerts. Training must be documented with employee names, dates, and topics covered.

6. Service Provider Oversight. Select and retain service providers that maintain appropriate safeguards. Contracts with vendors who access client data must require them to protect that data to standards at least equivalent to your own. You must verify compliance on a regular basis, not simply trust that vendors are compliant.

7. Program Updates. Keep your security program current with changes in your business, technology environment, and threat environment. An annual review is the minimum standard, not a ceiling. Any material operational change triggers a required update.

8. Incident Response Plan. Establish a written plan for responding to a security event. This plan must include procedures for assessing and containing the incident, notifying affected clients and regulators as required by state breach notification laws, and documenting lessons learned. For guidance on structuring this plan, see our resource on building an incident response plan for a tax practice.

9. Reporting. Report regularly on the status of the security program to your governing body. For sole practitioners, this means a documented annual self-review with signed attestation. For firms, partners or managing members must receive a written update at least annually confirming the program's status, any incidents that occurred, and changes made.

PTIN WISP Core Components Checklist

  • Named information security coordinator with documented authority and responsibilities
  • Written risk assessment identifying specific threats, likelihood, and selected safeguards
  • Multi-factor authentication enabled on all systems accessing client financial data
  • Encryption configured for client data in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Access controls implemented using least-privilege principle with documented user permissions
  • Annual security awareness training completed and documented for all staff
  • Vendor contracts reviewed for security provisions with documented verification
  • Written incident response plan with containment, notification, and recovery procedures
  • Annual WISP review completed, dated, and signed by the security coordinator
  • Prior WISP versions and all compliance records retained for a minimum of five years
  • Physical security controls for paper records and workstations documented
  • Employee offboarding procedures with immediate access revocation documented

Common PTIN WISP Mistakes That Expose Tax Preparers to Risk

The most frequent compliance failure among PTIN holders is not the outright absence of a WISP. It is maintaining a plan that exists only on paper, one that bears no relationship to how the practice actually operates. IRS examiners and FTC investigators look for internal consistency: does the document describe the systems the preparer actually uses? Do the access control policies reflect who actually has system access? Are training records dated and retained?

Using a Generic Template Without Customization

Downloadable WISP templates are a valid starting point, but they must be customized to reflect your specific tax software, network configuration, staff roles, and physical location. A WISP that references systems you do not use, or omits systems you do use, fails the basic standard of being an accurate description of your security program. If your template references on-premises server infrastructure but your practice runs entirely on cloud-based platforms, the document fails the accuracy test immediately. Our guide to how to create a WISP explains what thorough customization looks like, and our IRS Publication 5708 sample WISP resource shows how different practice types should approach the document.

No Documented Risk Assessment

The FTC Safeguards Rule requires a written risk assessment, not a mental note and not a conversation. Many preparers skip this step or treat it as a formality. A genuine risk assessment identifies specific threat scenarios relevant to your practice: credential theft via phishing, ransomware delivered through a malicious email attachment, unauthorized access by a former employee after improper offboarding, or physical theft of a laptop containing unencrypted client data. Each scenario should be evaluated for likelihood and potential impact, with the findings driving your safeguard selection.

Missing MFA for Tax Software Access

Since the Safeguards Rule update in 2023, MFA is mandatory for any system that accesses customer financial data. Many small practices still rely on password-only authentication for their tax preparation software and client portals. This is a direct regulatory gap, and one the IRS specifically highlights in its annual Security Summit campaigns. The IRS has repeatedly stated that single-factor authentication on tax software is insufficient for compliance with Publication 4557.

No Vendor Contracts with Security Provisions

If you use a cloud-based document management system, a remote IT support service, or a third-party payroll provider, your contracts with those vendors must include explicit security provisions. Many preparers assume major software vendors handle security automatically, but the FTC requires you to verify this contractually and document that verification in your WISP. Request a SOC 2 Type II report or equivalent attestation from each vendor who touches client data.

Annual Review Not Performed or Documented

A WISP dated 2022 that has never been revised is not a compliant document in 2026. Each annual review should be dated, signed by the designated information security coordinator, and retained as part of your compliance records. The review should document what changed since the last version, confirm that all safeguards remain operational, and note any new threats or business changes that require additional controls.

2026 Filing Season Compliance Notice

The IRS expects every PTIN holder to have a current, signed WISP in place before the 2026 filing season opens. Preparers cannot renew a PTIN without attesting to a data security plan, and a plan that has not been reviewed since a prior year does not satisfy the annual update requirement. Confirm your WISP reflects your 2026 systems, staff, and vendors now, not during peak season.

Enforcement: What Happens to PTIN Holders Without a Compliant WISP

The IRS enforces data security requirements for PTIN holders through several channels, and understanding those mechanisms clarifies why treating the PTIN WISP as optional is a serious miscalculation.

The most direct enforcement path runs through the IRS Office of Professional Responsibility (OPR), which has authority to sanction enrolled agents, Certified Public Accountants (CPAs), and attorneys under Circular 230. Available sanctions range from a formal reprimand to indefinite suspension or disbarment from practice before the IRS. While Circular 230 applies specifically to credentialed preparers, the IRS can revoke any PTIN holder's number for conduct incompatible with the privilege of preparing federal tax returns.

A data breach affecting client tax information also triggers notification obligations under state law. As of 2026, all 50 states have enacted data breach notification statutes, and many impose civil penalties for failures in security program maintenance. Some state laws specifically designate tax return information as a protected data category with elevated notice requirements and shorter notification windows, in some states as little as 30 days from discovery.

The FTC retains independent enforcement authority under the Safeguards Rule. Violations can result in civil penalties of up to $51,744 per violation, per day, plus injunctive relief requiring the preparer to implement a remediation program under FTC oversight. For a small tax preparation practice, even a single enforcement action can be a business-ending financial event.

Beyond regulatory consequences, preparers who experience a breach without a documented security program face substantially elevated civil liability from affected clients. Courts have often treated the absence of a written security policy as evidence of negligence, shifting the practical burden onto the preparer. Your PTIN WISP is, among other things, a legal defense document, evidence that you exercised reasonable care in protecting client data. For a detailed view of how these incidents develop in the tax field, see how identity theft prevention for tax pros reduces your exposure, and our overview of what to do after a data breach.

Not Sure Your WISP Would Survive an FTC Review?

Our security team works exclusively with tax professionals and has built compliant Written Information Security Plans for thousands of PTIN holders. Get a plan mapped to your actual systems.

PTIN WISP Documentation: What to Keep and for How Long

A WISP is not a single document. It is a documentation system. Beyond the written plan itself, maintaining records that demonstrate your security program is active and operational is what separates a compliant practice from one that simply has paperwork on file. Both the IRS and FTC emphasize that evidence of implementation matters as much as the plan itself.

The records you should maintain as part of your PTIN WISP compliance package include:

  • The current WISP, signed and dated by the designated information security coordinator, reflecting your actual systems and workflows as of the signature date
  • Prior WISP versions, retained to demonstrate a history of updates and program evolution over time
  • The written risk assessment, including the date conducted, methodology used, findings documented, and safeguards selected in response
  • Employee training records, with names, dates, topics covered, and completion verification for every session
  • Vendor security agreements, including signed contracts with security provisions for every third party who accesses client data
  • Incident logs, documenting any security events, including minor ones such as suspicious emails reported by staff, and the response taken
  • Annual review documentation, dated and signed, confirming the plan was reviewed and identifying any changes made
  • Access control records, documenting who has access to which systems, when access was granted or revoked, and the business justification

No single federal statute specifies a retention period for WISP documentation, but IRS practice guidance and FTC enforcement precedent point to a minimum of five years for all security program records. State-level requirements may be longer; California and New York both impose extended retention obligations for financial records.

Store these records in a secure location separate from the primary systems a breach might compromise. Cloud-based encrypted storage with access limited to the security coordinator and firm leadership is the recommended approach. For guidance on structuring your documentation alongside your broader IRS obligations, including those tied to Electronic Filing Identification Numbers (EFINs), see our breakdown of IRS Written Information Security Plan requirements and our guide to a WISP for a small tax firm.

Bottom Line

Every active PTIN holder must maintain a current, customized, and documented WISP. The plan is required by IRS Publication 4557 and the FTC Safeguards Rule, must contain all nine FTC-mandated elements, must be reviewed at least annually, and must accurately describe your real systems. A generic template that sits untouched is a liability, not protection.

Get a Free PTIN WISP Assessment

Our cybersecurity specialists work exclusively with tax professionals. We will review your current security posture, identify gaps in your PTIN WISP, and deliver a prioritized remediation plan at no cost to you.

PTIN WISP: Frequently Asked Questions

A written plan is required for every PTIN holder who prepares returns for compensation, regardless of size. IRS Publication 4557 states that all tax professionals must have a plan in place. Firms with fewer than 5,000 customer records get a limited exemption from certain reporting and testing provisions, but the written plan requirement itself applies to everyone.

Your PTIN identifies you as a paid federal tax return preparer. Paid preparers are treated as financial institutions under the Gramm-Leach-Bliley Act, which brings you under the FTC Safeguards Rule and its written information security program requirement. The IRS also ties PTIN renewal to attestation of a data security plan.

A solo practitioner using a customized template can typically complete a first draft in a few hours, but a genuinely compliant plan requires a written risk assessment, a systems inventory, MFA and encryption configuration, and vendor documentation. Most practices should budget several days across those tasks, or work with a specialist to compress the timeline.

The IRS does not run a routine WISP audit program, but it reviews security practices in response to a reported data breach, a client complaint, or an Office of Professional Responsibility inquiry. The FTC can also investigate under the Safeguards Rule. In any of these reviews, examiners check whether your plan is written, current, and accurate to your actual operations.

A breach without a documented security program can prompt an IRS review of your fitness to hold a PTIN, potential Circular 230 sanctions if you are credentialed, FTC civil penalties, state breach notification penalties, and elevated civil liability from affected clients. The absence of a written plan is frequently treated as evidence that you failed to exercise reasonable care.

Both. The FTC Safeguards Rule and IRS Publication 4557 cover the security, confidentiality, and integrity of client information in any format. Your WISP must document physical security controls for paper records and workstations, such as locked file storage, clean-desk practices, and secure shredding, alongside your electronic safeguards.

A free template is a valid starting point, and the IRS provides a sample in Publication 5708. The requirement is that the final plan accurately describe your specific software, network, staff roles, and vendors. If you can customize the template honestly and maintain the supporting documentation, a template can work. Practices with complex setups or limited time often benefit from professional help.

At least once a year, and any time a material change occurs. Material changes include adopting new tax software, adding a cloud vendor, hiring staff, relocating, adding remote work, or changing IT support. Each review should be dated, signed by your security coordinator, and retained with your prior versions.

The FTC Safeguards Rule (16 CFR Part 314) implements the data security provisions of the Gramm-Leach-Bliley Act. It requires covered financial institutions to maintain a written information security program with nine specific elements. Because paid tax preparers qualify as financial institutions, PTIN holders must comply, including the 2023 mandates for MFA, encryption, and a written incident response plan.

The FTC can assess civil penalties of up to $51,744 per violation, per day, plus mandated remediation under its oversight. The IRS can pursue Circular 230 sanctions and PTIN revocation, and state regulators can impose breach notification penalties. Affected clients may also bring civil claims where the lack of a written plan supports a negligence argument.

Share

Share on X
Share on LinkedIn
Share on Facebook
Send via Email
Copy URL
(800) 492-6076
Share

Schedule

Need help with IRS compliance?

Our tax cybersecurity specialists can review your security posture and help you get compliant.

Protect your tax practice from cyber threats

Schedule a free consultation to assess your firm's security posture.