Tax · 26 min read

PTIN WISP Requirements: What Tax Preparers Must Know

Every PTIN holder must have a Written Information Security Plan per IRS Pub. 4557 and FTC Safeguards Rule. Learn the 9 required elements and avoid penalties.


Why Every PTIN Holder Needs a Written Information Security Plan

If you hold an active Preparer Tax Identification Number (PTIN), you are legally obligated to protect every piece of client data that flows through your practice — and the IRS has made the mechanism for doing that explicit: a Written Information Security Plan (WISP).

This is not advisory language. IRS Publication 4557 and the Federal Trade Commission (FTC) Safeguards Rule together establish binding data security obligations for every compensated tax preparer in the United States, regardless of firm size.

With more than 730,000 active PTIN holders on file with the IRS, tax professionals collectively hold some of the most sensitive personal and financial data in existence — Social Security numbers, income records, bank account details, and employer identification numbers. That concentration of high-value data makes the tax preparation field a primary target for identity thieves, ransomware operators, and business email compromise actors.

Your PTIN WISP serves two functions simultaneously. First, it is documented evidence of compliance with federal law — your proof, if the IRS or FTC ever asks, that your practice takes data protection seriously. Second, it is an operational security document that guides your firm's response when a security incident occurs.

This guide explains the exact legal basis for the PTIN WISP requirement, what your plan must contain under both IRS and FTC frameworks, the most common compliance failures tax preparers make, and how to build a WISP that holds up under regulatory scrutiny in 2026.

Tax Preparer Data Security: By The Numbers

  • 730,000+ active PTIN holders (IRS PTIN registry, 2026)
  • $51,744 FTC fine per violation per day (FTC Safeguards Rule enforcement)
  • 73% of attacks target small firms (Verizon 2025 DBIR)
  • 5 years minimum record retention (IRS practice guidance)

The Legal Basis: How Your PTIN Creates a WISP Obligation

The Preparer Tax Identification Number is required under IRS regulations at 26 CFR § 1.6109-2 for any individual who prepares, or substantially assists in preparing, federal tax returns for compensation. Annual PTIN renewal is mandatory, and the IRS uses the PTIN registry to track, discipline and, when necessary, sanction preparers who violate professional or legal standards.

The WISP obligation for PTIN holders flows from two overlapping legal frameworks that together leave no room for ambiguity:

IRS Publication 4557 — Safeguarding Taxpayer Data

This publication instructs all tax professionals to create and maintain a written information security plan. The IRS explicitly states that "all tax professionals, regardless of firm size" must have a plan in place. Publication 4557 draws directly from the FTC Safeguards Rule and is the IRS's primary mechanism for communicating data security expectations to PTIN holders. For a detailed breakdown of this publication, see our guide on IRS Form 4557 and safeguarding taxpayer data.

FTC Safeguards Rule (16 CFR Part 314)

Under the Gramm-Leach-Bliley Act (GLBA), tax preparers qualify as "financial institutions" because they engage in activities incidental to financial services. The FTC Safeguards Rule — significantly updated effective June 9, 2023 — requires all covered financial institutions to implement a written information security program with specific technical, administrative, and physical controls.

The 2023 Safeguards Rule update introduced several new mandates that apply directly to PTIN holders:

  • Multi-Factor Authentication (MFA) for any system that accesses client financial data
  • Encryption of client records both in transit and at rest
  • Written incident response plan that must be tested and updated regularly
  • Annual penetration testing or continuous monitoring for firms above 5,000 records

Preparers with fewer than 5,000 customer records receive a limited exemption from certain reporting provisions, but the written plan requirement applies without exception to all covered preparers.

Additional Enforcement Statutes

Beyond the FTC, the IRS can pursue preparers under Internal Revenue Code (IRC) §6713, which covers unauthorized disclosure of tax return information, and §7216, which imposes criminal penalties for willful disclosure. A data breach involving client information — even absent a regulatory complaint — can trigger an IRS review of whether the preparer maintained adequate safeguards.

For a broader view of IRS cybersecurity mandates that affect PTIN holders, see our guide on IRS WISP requirements for tax professionals.

Key Takeaway

Every compensated tax preparer with a PTIN — from solo practitioners to large firms — must maintain a WISP under both IRS Publication 4557 and the FTC Safeguards Rule (16 CFR Part 314). There is no firm-size exemption for the written plan requirement itself. Non-compliance exposes preparers to FTC fines up to $51,744 per violation per day, IRS sanctions including PTIN revocation, and civil liability from affected clients.

What IRS Publication 4557 Requires of PTIN Holders

IRS Publication 4557, Safeguarding Taxpayer Data, is not structured as a compliance checklist, but it establishes non-negotiable requirements for every PTIN WISP. The publication organizes its guidance around three operational areas where tax preparers must assess and control risk:

Employee Management and Training — How do you screen employees who handle client data? How do you limit access based on job role? What security training do staff receive, and how do you document completion? The IRS expects preparers to provide annual security awareness training that covers phishing recognition, social engineering tactics, and proper data handling procedures specific to tax practice.

Information Systems — What hardware, software, and network infrastructure do you use to process and store client information? How are these systems protected from unauthorized access? This includes your tax preparation software, client portals, email systems, local network equipment, and any cloud services that touch taxpayer data.

Detecting and Managing System Failures — Do you have procedures to detect unauthorized access or anomalies in your systems? What steps does your practice take when something goes wrong? This area covers your monitoring tools, antivirus and endpoint protection, logging practices, and incident response procedures.

Publication 4557 draws directly from the FTC Safeguards Rule, which means your PTIN WISP must reflect both sets of requirements simultaneously. The IRS further emphasizes that the WISP is a living document — it must be reviewed and updated at minimum annually, and whenever a material change occurs in your business operations.

Material Changes That Trigger WISP Review

Adopting new tax software, onboarding a cloud storage provider, expanding your staff, relocating your office, adding a remote work policy, or changing your IT support vendor all constitute material changes requiring WISP review. Many preparers fail to recognize that even switching from one cloud-based tax platform to another demands a documented update to the WISP.

Service Provider Oversight

One area where PTIN holders frequently fall short is vendor management. If you use a cloud-based practice management system, an off-site document storage service, or a third-party IT support firm, your WISP must address how you verify that those vendors maintain adequate security. This includes reviewing vendor contracts for security provisions and confirming that any third party who accesses client data is contractually obligated to protect it.

For a template that addresses these requirements, see our free PTIN WISP template for 2026.

How to Build a Compliant PTIN WISP: 7 Implementation Steps

1. Designate Your Information Security Coordinator

Identify the specific individual responsible for overseeing your WISP. Document their name, role, and authority in writing. Solo practitioners fill this role by default but must still document it explicitly.

2. Inventory All Systems and Data Flows

Catalog every system, application, and device that stores or processes client tax data — including tax software, email, cloud storage, client portals, printers, and mobile devices.

3. Conduct a Written Risk Assessment

Identify specific threats to your practice (phishing, ransomware, insider access, physical theft) and evaluate each for likelihood and potential impact. Document findings and the safeguards selected in response.

4. Implement Required Technical Controls

Deploy MFA on all systems accessing client data, enable encryption in transit and at rest, configure access controls based on least-privilege, and install endpoint detection and response (EDR) tools.

5. Draft Written Policies and Procedures

Document your access control policy, acceptable use policy, incident response plan, data retention schedule, and employee offboarding procedures. Each policy must reflect your actual operations.

6. Train All Staff and Document Completion

Conduct initial security training for all employees with access to client data, then schedule annual refresher training. Retain signed completion records with dates and topics covered.

7. Schedule Annual Review and Testing

Set a recurring annual review date. Test your incident response plan, verify MFA enforcement, review vendor contracts, update the risk assessment, and sign off on the current WISP version with date and coordinator signature.

The Nine Elements the FTC Safeguards Rule Requires in Your WISP

The FTC Safeguards Rule (16 CFR Part 314) mandates nine specific elements in a qualified information security program. Because tax preparers are covered financial institutions under GLBA, your PTIN WISP must address all nine. Here is what each element means in practical terms for a tax preparation practice.

1. Qualified Individual

Designate a specific person to oversee your information security program. This individual must have the authority, resources, and knowledge to implement and maintain the plan. For a solo practitioner, you fill this role by default — document it explicitly in your WISP with your name, title, and date of designation.

2. Risk Assessment

Conduct a written assessment of internal and external risks to the security, confidentiality, and integrity of client information. Your assessment must cover all three operational areas outlined in Publication 4557 and must be updated when your risk environment changes. The assessment must identify specific threat categories, evaluate their likelihood and potential damage, and document which safeguards address each identified risk.

3. Safeguards Design and Implementation

Implement safeguards to control the risks identified in your assessment. The updated Safeguards Rule specifies that covered institutions must implement MFA for any system accessing client financial data — a mandatory technical control for PTIN holders using cloud-based tax software. NIST Special Publication 800-171 Revision 3 provides a detailed control catalog that maps well to Safeguards Rule requirements for small practices.

4. Monitoring and Testing

Regularly test and monitor your safeguards to ensure they function as intended. For firms below the 5,000-record threshold, continuous monitoring is not mandated, but periodic vulnerability assessments are strongly advisable. Automated tools can scan your network for misconfigurations and unpatched systems on a scheduled basis.

5. Staff Training

Train employees who access client data on your security policies and the specific threats relevant to tax practice — particularly phishing attacks targeting tax professionals, which the IRS warns about every filing season through its Security Summit alerts. Training must be documented with employee names, dates, and topics covered.

6. Service Provider Oversight

Select and retain service providers that maintain appropriate safeguards. Contracts with vendors who access client data must include provisions requiring them to protect that data according to standards at least equivalent to your own. You must verify compliance with those provisions on a regular basis — not simply trust that vendors are compliant.

7. Program Updates

Keep your security program current with changes in your business, your technology environment, and the threat environment. An annual review is the minimum standard — not a ceiling. Any material operational change triggers a required update.

8. Incident Response Plan

Establish a written plan for responding to a security event. This plan must include procedures for assessing and containing the incident, notifying affected clients and regulators as required by state breach notification laws, and documenting lessons learned to prevent recurrence. For guidance on structuring this plan, see our resource on ransomware protection for tax practices.

9. Reporting

Report regularly on the status of the security program to your governing body. For sole practitioners, this means a documented annual self-review with signed attestation. For firms, partners or managing members must receive a written update at least annually confirming the program's status, any incidents that occurred, and changes made to the security program.

PTIN WISP Core Components Checklist

  • Named information security coordinator with documented authority and responsibilities
  • Written risk assessment identifying specific threats, likelihood, and selected safeguards
  • Multi-factor authentication enabled on all systems accessing client financial data
  • Encryption configured for client data both in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls implemented using least-privilege principle with documented user permissions
  • Annual security awareness training completed and documented for all staff
  • Vendor contracts reviewed for security provisions with documented verification
  • Written incident response plan with containment, notification, and recovery procedures
  • Annual WISP review completed, dated, and signed by the security coordinator
  • Prior WISP versions and all compliance records retained for minimum five years
  • Physical security controls for paper records and workstations documented
  • Employee offboarding procedures with immediate access revocation documented

Common PTIN WISP Mistakes That Expose Tax Preparers to Risk

The most frequent compliance failure among PTIN holders is not the outright absence of a WISP — it is maintaining a plan that exists only on paper, one that bears no relationship to how the practice actually operates. IRS examiners and FTC investigators look for internal consistency: does the document describe the systems the preparer actually uses? Do the access control policies reflect who actually has system access? Are training records dated and retained?

Using a Generic Template Without Customization

Downloadable WISP templates are a valid starting point, but they must be customized to accurately reflect your specific tax software, network configuration, staff roles, and physical location. A WISP that references systems you do not use — or omits systems you do use — fails the basic compliance standard of being an accurate description of your security program.

For example, if your template references on-premises server infrastructure but your practice runs entirely on cloud-based platforms like Drake Cloud or Intuit ProConnect, the document fails the accuracy test immediately. Our guide to how to create a WISP explains what thorough customization looks like in practice, and our WISP template examples show how different practice types should approach the document.

No Documented Risk Assessment

The FTC Safeguards Rule requires a written risk assessment — not a mental note, not a conversation, a written document. Many preparers skip this step entirely or treat it as a formality. A genuine risk assessment should identify specific threat scenarios relevant to your practice: credential theft via phishing, ransomware delivered through a malicious email attachment, unauthorized access by a former employee after improper offboarding, physical theft of a laptop containing unencrypted client data. Each scenario should be evaluated for likelihood and potential impact, with the findings driving your safeguard selection.

Missing MFA for Tax Software Access

Since the Safeguards Rule update in 2023, MFA is mandatory for any system that accesses customer financial data. Many small practices still rely on password-only authentication for their tax preparation software and client portals. This is a direct regulatory violation and one the IRS specifically highlights in its annual Security Summit campaigns. The IRS has repeatedly stated that single-factor authentication on tax software is insufficient for compliance with Publication 4557 requirements.

No Vendor Contracts with Security Provisions

If you use a cloud-based document management system, a remote IT support service, or a third-party payroll provider, your contracts with those vendors must include explicit security provisions. Many preparers assume that major software vendors handle security automatically — but the FTC requires you to verify this contractually and document that verification in your WISP. Request a SOC 2 Type II report or equivalent attestation from each vendor who touches client data.

Annual Review Not Performed or Documented

A WISP dated 2022 that has never been revised is not a compliant document in 2026. Each annual review should be dated, signed by the designated information security coordinator, and retained as part of your compliance records. The review should document what changed since the last version, confirm that all safeguards remain operational, and note any new threats or business changes that require additional controls.

2026 Filing Season Compliance Notice

The IRS requires all PTIN holders to have an updated Written Information Security Plan in place for the 2026 filing season. The FTC Safeguards Rule's MFA requirement — effective since June 2023 — is now fully enforced. Firms operating without MFA on systems that access client financial data are in active violation and face penalties up to $51,744 per violation per day. Review your PTIN WISP before January 2026 to confirm all required elements are current.

Enforcement: What Happens to PTIN Holders Without a Compliant WISP

The IRS enforces data security requirements for PTIN holders through several channels, and understanding those mechanisms clarifies why treating the PTIN WISP as optional is a serious miscalculation.

The most direct enforcement path runs through the IRS Office of Professional Responsibility (OPR), which has authority to sanction enrolled agents, Certified Public Accountants (CPAs), and attorneys under Circular 230. Available sanctions range from a formal reprimand to indefinite suspension or disbarment from practice before the IRS. While Circular 230 applies specifically to credentialed preparers, the IRS can revoke any PTIN holder's number for conduct incompatible with the privilege of preparing federal tax returns.

A data breach affecting client tax information also triggers notification obligations under state law. As of 2026, all 50 states have enacted data breach notification statutes, and many impose civil penalties for failures in security program maintenance. Some state laws specifically designate tax return information as a protected data category with elevated notice requirements and shorter notification windows — in some states as little as 30 days from discovery.

The FTC retains independent enforcement authority under the Safeguards Rule. Violations can result in civil penalties of up to $51,744 per violation per day, plus injunctive relief requiring the preparer to implement a remediation program under FTC oversight. For a small tax preparation practice, even a single enforcement action represents a potentially business-ending financial event.

Beyond regulatory consequences, preparers who experience a breach without documented security programs face substantially elevated civil liability from affected clients. Courts have consistently treated the absence of a written security policy as evidence of negligence per se — meaning the preparer is presumed to have been negligent, shifting the burden of proof. Your PTIN WISP is, among other things, a legal defense document — evidence that you exercised reasonable care in protecting client data.

For a detailed view of how these incidents develop in the tax field, see our analysis of cyberattacks on tax firms and how identity theft prevention reduces your exposure.

PTIN WISP Documentation: What to Keep and for How Long

A WISP is not a single document — it is a documentation system. Beyond the written plan itself, maintaining records that demonstrate your security program is active and operational is what separates a compliant practice from one that simply has paperwork on file. Both the IRS and FTC emphasize that evidence of implementation matters as much as the plan itself.

The records you should maintain as part of your PTIN WISP compliance package include:

  • The current WISP — signed and dated by the designated information security coordinator, reflecting your actual systems and workflows as of the signature date
  • Prior WISP versions — retained to demonstrate a history of updates and program evolution over time
  • Written risk assessment — including the date conducted, methodology used, findings documented, and the safeguards selected in response to identified risks
  • Employee training records — with names, dates, topics covered, and completion verification for every training session conducted
  • Vendor security agreements — including signed contracts with security provisions for every third party who accesses or could access client data
  • Incident logs — documenting any security events, including minor ones such as suspicious emails reported by staff, and the response actions taken
  • Annual review documentation — dated and signed by the security coordinator, confirming the plan was reviewed and identifying any changes made since the prior version
  • Access control records — documenting who has access to which systems, when access was granted or revoked, and the business justification

No single federal statute specifies a retention period for WISP documentation, but IRS practice guidance and FTC enforcement precedent point to a minimum of five years for all security program records. State-level requirements may be longer — California and New York both impose extended retention obligations for financial records.

Store these records in a secure location separate from the primary systems that a breach might compromise. Cloud-based encrypted storage with access limited to the security coordinator and firm leadership is the recommended approach. Ensure your information security coordinator has documented access to all compliance records at all times.

For guidance on structuring your security documentation alongside your broader IRS compliance obligations — including those related to Electronic Filing Identification Numbers (EFINs) and W-9 collection — see our detailed breakdown of IRS Written Information Security Plan requirements and the IRS Publication 5708 sample WISP resource.

Bottom Line

Your PTIN WISP is simultaneously a compliance document, an operational security guide, and a legal defense tool. The IRS and FTC do not distinguish between preparers who have no WISP and those who have a WISP that does not match their actual operations. Both scenarios constitute non-compliance. The standard is a written, current, accurate, and implemented security plan — with documentation proving each element is active.

Need Help Building Your PTIN WISP?

Our security team has helped thousands of tax professionals create Written Information Security Plans that meet IRS Publication 4557 and FTC Safeguards Rule requirements. Get a compliant WISP tailored to your specific practice.

Get a Free PTIN WISP Assessment

Our cybersecurity specialists work exclusively with tax professionals. We will review your current security posture, identify gaps in your PTIN WISP, and deliver a prioritized remediation plan — at no cost to you.

PTIN WISP: Frequently Asked Questions

A WISP is required for every PTIN holder who prepares federal tax returns for compensation, regardless of firm size. IRS Publication 4557 explicitly states that "all tax professionals, regardless of firm size" must have a written information security plan. Solo practitioners with a single PTIN are subject to the same written plan requirement as large firms. The FTC Safeguards Rule provides limited exemptions from certain reporting provisions for firms with fewer than 5,000 customer records, but the written plan requirement itself has no size exemption.

Your PTIN registration under 26 CFR § 1.6109-2 identifies you as a compensated tax preparer — which makes you a "financial institution" under the Gramm-Leach-Bliley Act (GLBA). That classification subjects you to the FTC Safeguards Rule (16 CFR Part 314), which requires a written information security program. Simultaneously, the IRS uses Publication 4557 to communicate that all PTIN holders must maintain a WISP. Your PTIN is the regulatory link that triggers both obligations.

For a solo practitioner using a quality template as a starting point, expect 15-25 hours to properly customize the document, conduct a risk assessment, and document your existing safeguards. For multi-preparer firms, the process typically takes 40-80 hours when done independently. Working with a cybersecurity professional who specializes in tax practice compliance can reduce this to 2-4 hours of your time, since the specialist handles drafting, risk assessment, and regulatory mapping.

The IRS does not conduct routine WISP audits of all PTIN holders. However, WISP compliance is examined in several scenarios: after a reported data breach involving client tax information, during an Office of Professional Responsibility (OPR) investigation, as part of an IRS compliance check triggered by suspicious return filing patterns, or following a client complaint about data handling. The FTC also conducts independent investigations of Safeguards Rule compliance, often triggered by breach reports or consumer complaints.

A data breach without a documented WISP exposes you to multiple consequences. The IRS can revoke your PTIN for conduct incompatible with the privilege of preparing tax returns. The OPR can impose sanctions under Circular 230 ranging from reprimand to disbarment. The FTC can assess civil penalties up to $51,744 per violation per day. You also face mandatory state breach notification obligations, potential class-action litigation from affected clients, and courts may treat the absence of a WISP as evidence of negligence per se.

Your PTIN WISP must cover both paper and electronic records containing client information. IRS Publication 4557 addresses physical security alongside digital controls. Your WISP should document how paper records are stored (locked cabinets, restricted access areas), who has physical access, how documents are transported, and how paper records are destroyed when no longer needed (cross-cut shredding at minimum). The FTC Safeguards Rule applies to "customer information" without limiting its scope to electronic formats.

Free templates — including the IRS Publication 5708 sample WISP — are legitimate starting points, but they require substantial customization to be compliant. A template that references systems you don't use or omits systems you do use fails the accuracy standard. Professional help is not legally required, but it significantly reduces the risk of gaps that could be identified during an IRS review or FTC investigation. The investment typically pays for itself by avoiding the 40-80 hours of independent research needed to properly customize a template.

At minimum, you must review and update your PTIN WISP annually. However, the FTC Safeguards Rule also requires updates whenever a material change occurs in your business operations — such as adopting new tax software, changing cloud providers, adding staff, relocating your office, or implementing remote work capabilities. Each update should be dated and signed by the designated security coordinator, with prior versions retained for at least five years.

The FTC Safeguards Rule (16 CFR Part 314) is a federal regulation under the Gramm-Leach-Bliley Act that requires "financial institutions" to maintain written information security programs. Tax preparers qualify as financial institutions because they engage in activities incidental to financial services. The rule was significantly updated effective June 9, 2023, adding mandatory requirements for multi-factor authentication, encryption, incident response planning, and annual reporting. All PTIN holders who prepare returns for compensation are subject to the full scope of the Safeguards Rule's written plan requirements.

Penalties operate at multiple levels. The FTC can impose civil fines up to $51,744 per violation per day under the Safeguards Rule. The IRS can revoke your PTIN, and the Office of Professional Responsibility can sanction you under Circular 230 (reprimand, suspension, or disbarment). IRC §6713 carries penalties for unauthorized disclosure of tax return information, and §7216 imposes criminal penalties for willful disclosure. Additionally, all 50 states have breach notification laws with their own penalty structures, and affected clients can pursue civil litigation where absence of a WISP constitutes evidence of negligence.
