FTC Safeguards Rule Recordkeeping Guide
The FTC Safeguards Rule requires financial institutions — including every tax preparer — to maintain detailed records proving compliance. Missing documentation means you can't prove compliance, even if you have the controls in place. This guide covers exactly what to document, how long to keep it, and how to stay audit-ready.
- All 6 required record categories mapped to FTC Safeguards Rule sections
- Retention periods for every document type (2-year, 5-year, and permanent)
- Audit documentation checklists the FTC expects to see
- Proof-of-compliance templates for risk assessments and testing
- Vendor oversight records and third-party service provider agreements
- Incident log formats that satisfy FTC investigation requirements
- The FTC Safeguards Rule requires records to be kept for at least 2 years after creation; many categories require 5+ years
- Covered records: risk assessments, security policies, training records, vendor agreements, incident logs, and testing results
- Inability to produce records during an FTC audit is treated as non-compliance; fines start at $50,120 per violation
- Every tax preparer, CPA, and enrolled agent (EA) must maintain written records; no size exemptions exist
What the FTC Safeguards Rule Requires You to Document
Section 314.4(h) of the FTC Safeguards Rule mandates that financial institutions — including tax preparers — maintain written records of their information security program. The FTC doesn't just want controls in place. They want proof those controls exist, are tested, and are updated. Here are the six documentation categories the rule requires.
1. Risk Assessments
Written risk assessments identifying internal and external threats to customer information. Must be updated whenever there are material changes to operations or new threats emerge. Retain for a minimum of 5 years.
2. Security Policies
Your Written Information Security Plan (WISP), access control policies, encryption standards, data disposal procedures, and acceptable use policies. Must be version-controlled with revision dates documented.
3. Training Records
Documentation proving all employees received cybersecurity awareness training. Includes training dates, topics covered, attendance records, and assessment results. Must be conducted and documented annually.
4. Vendor Agreements
Contracts and oversight records for every third-party service provider with access to customer data. Must include security requirements, audit rights, breach notification terms, and due diligence assessments.
5. Incident Logs
Records of all security events — attempted breaches, phishing attempts, unauthorized access, and malware detections. Must document what happened, when it was detected, response actions taken, and remediation steps.
6. Testing Results
Results from continuous monitoring, annual penetration testing, vulnerability scans, and system audits. The FTC requires either continuous monitoring or annual testing — and written proof that you did it.
Our free recordkeeping guide includes templates, checklists, and retention schedules for all six categories — everything you need to stay audit-ready.
What Proper Recordkeeping Includes
Six documentation areas every tax professional must maintain under the FTC Safeguards Rule
Risk Assessment Documentation
Formal written assessments identifying threats to customer data, evaluating likelihood and impact, and documenting safeguards in place. Updated annually or after material changes to your practice.
Security Policy Records
Your WISP, access control policies, encryption standards, data retention and disposal procedures — all version-controlled with documented revision histories and board/owner approval dates.
Training Logs & Certifications
Employee training attendance records, curriculum outlines, quiz scores, and completion certificates. The FTC requires proof that every staff member with data access received annual security training.
Vendor Management Files
Due diligence assessments, signed service agreements with security clauses, ongoing monitoring records, and breach notification provisions for every third-party provider handling client data.
Incident Response Records
Chronological logs of every security event — detection timestamp, classification, response actions, containment measures, root cause analysis, and remediation verification. Even near-misses must be logged.
Testing & Audit Reports
Penetration test results, vulnerability scan reports, continuous monitoring dashboards, and annual security program assessments. Must document findings, remediation timelines, and verification of fixes.
How Bellator Manages Your Recordkeeping
From scattered files to organized, audit-ready documentation
Document
We audit your existing records, identify documentation gaps, and create compliant templates for all six FTC-required record categories — tailored to your tax practice.
Organize
All records are structured into a centralized, version-controlled system with proper retention schedules, access controls, and automated reminders for annual updates.
Maintain
Ongoing management keeps records current — annual risk reassessments, training logs updated after each session, incident logs maintained in real time, and testing results archived.
What Happens Without Proper Records
Failed FTC Audits
The FTC can audit any financial institution at any time. Without organized records proving compliance, having the controls in place is irrelevant — you can't prove you had them.
Compounded Fines
Incomplete documentation turns a single violation into multiple — each missing record category counts separately, and penalties exceed $50,120 per violation per day.
No Legal Defense
If a client data breach occurs and you can't produce incident logs, risk assessments, and training records, you lose every legal defense available under the Safeguards Rule.
“We thought we were compliant because we had antivirus and a firewall. Bellator showed us we were missing documentation for five out of six FTC record categories. Their recordkeeping system got us audit-ready in under 30 days.”
FTC Safeguards Recordkeeping FAQ
What records does the FTC Safeguards Rule require me to keep?
Section 314.4(h) of the FTC Safeguards Rule requires financial institutions, including tax preparers, to maintain written records in six categories: risk assessments, security policies (including your WISP), employee training records, third-party vendor agreements, incident response logs, and testing/audit results. These records must demonstrate that your information security program is implemented, monitored, and updated regularly.
How long must records be retained?
The FTC Safeguards Rule requires that records be maintained for at least 2 years after creation. However, best practice for tax preparers is to retain risk assessments and security policies for 5 years, training records for 3 years, vendor agreements for the duration of the relationship plus 3 years, and incident logs permanently. Our recordkeeping guide includes a detailed retention schedule for every document type.
What happens if I can't produce records during an FTC audit?
Without proper records, you cannot prove compliance even if you have security controls in place. The FTC treats missing documentation as non-compliance. Penalties start at $50,120 per violation and can be assessed per record category, per day of non-compliance. In severe cases, the FTC can issue consent orders requiring ongoing third-party auditing at your expense for up to 20 years. Having organized, current records is your first and strongest line of defense.
Does having a WISP alone satisfy the recordkeeping requirement?
No. Your Written Information Security Plan (WISP) is one component of FTC Safeguards recordkeeping — it falls under the security policies category. But the FTC requires five additional record categories beyond the WISP: risk assessments, training documentation, vendor oversight records, incident logs, and testing results. Many tax preparers mistakenly believe having a WISP alone satisfies the recordkeeping requirement. Our guide shows you exactly what additional documentation you need alongside your WISP.
Can Bellator manage recordkeeping for my practice?
Yes. Bellator provides full recordkeeping management as part of our tax cybersecurity service. We create and maintain all six record categories, organize them in a centralized system with proper version control, set up automated retention schedules, and keep everything current with annual updates. When the FTC or IRS requests documentation, everything is organized and ready to present. Start by downloading our free recordkeeping guide to see exactly what's required, then schedule a consultation to discuss managed recordkeeping for your practice.
Are you keeping the right compliance records?
Download our free FTC Safeguards Rule recordkeeping guide.
