
IRS requires a Written Information Security Plan — is your firm compliant?

Free Compliance Review
Required for All Tax Professionals Since 2023

FTC Safeguards Rule Compliance Checklist

The FTC Safeguards Rule mandates comprehensive data security for every tax preparer, CPA, and financial advisor. Get your free checklist and find out where you stand.

  • Covers all 9 mandatory FTC Safeguards Rule requirements
  • Includes FTC vs. IRS WISP comparison guide
  • Penalty breakdown — fines up to $100K+ per violation
  • Step-by-step remediation roadmap for your practice

AICPA Certified | A+ BBB Rating | No credit card required

Get Your Free FTC Checklist

$100K+
Per Violation Fine

FTC can impose fines exceeding $100,000 for each safeguards violation

9
Mandatory Requirements

Nine specific security elements every financial institution must implement

Dec 2023
Enforcement Deadline

Fully enforceable since December 2023 — compliance is not optional

5,000+
Records Threshold

If you handle 5,000+ customer records, enhanced requirements apply

What Is the FTC Safeguards Rule?

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, enforced by the Federal Trade Commission, requires all "financial institutions" — including tax preparers, CPAs, bookkeepers, enrolled agents, and financial advisors — to develop, implement, and maintain a comprehensive information security program.

The updated rule, effective December 9, 2023, significantly expanded requirements beyond the original 2003 version. It now mandates specific technical controls, a designated Qualified Individual, written risk assessments, and regular testing — with real enforcement teeth.

Who Must Comply?

If you prepare tax returns, provide financial advice, manage bookkeeping, or handle any customer financial data — you are a "financial institution" under the FTC's definition and must comply with the Safeguards Rule. This applies regardless of firm size — even solo practitioners.

The 9 Mandatory Compliance Requirements

Every tax professional must implement all nine elements. Bellator handles each one as part of our managed compliance service.

Qualified Individual

Designate a Qualified Individual to oversee your information security program. Bellator serves as your outsourced QI — no need to hire in-house.

Written Risk Assessment

Conduct a thorough, documented risk assessment identifying internal and external threats to client data. We provide the assessment framework and analysis.

Access Controls

Implement and maintain access controls to limit who can view, modify, and transmit customer information. Role-based access configured for your team.

Data Encryption

Encrypt all customer information both in transit and at rest. We deploy enterprise-grade encryption across your systems and communications.

Multi-Factor Authentication

Require MFA for anyone accessing customer information systems. We configure and manage MFA across all your applications and devices.

Monitoring & Incident Response

Implement continuous monitoring, logging, secure data disposal, change management, and a tested incident response plan — all managed by Bellator.

How We Get You Compliant

From assessment to full compliance in as little as 30 days

1. Compliance Assessment

We audit your current security posture against all 9 FTC requirements, identify gaps, and prioritize remediation steps.

2. Implementation

Our team deploys the required controls — encryption, MFA, access controls, monitoring — with minimal disruption to your practice.

3. Ongoing Management

We serve as your Qualified Individual, conduct annual risk assessments, maintain documentation, and keep you audit-ready year-round.

FTC Safeguards Rule vs. IRS WISP Requirement

Both are required — but they serve different purposes. Bellator handles both.

FTC Safeguards Rule

  • ✓ Federal law (GLBA) enforced by the FTC
  • ✓ 9 specific technical & administrative controls
  • ✓ Requires a designated Qualified Individual
  • ✓ Mandates encryption, MFA, monitoring
  • ✓ Fines up to $100,000+ per violation
  • ✓ Applies to all "financial institutions"

IRS WISP Requirement

  • ✓ IRS Publication 4557 compliance
  • ✓ Written Information Security Plan document
  • ✓ Required for PTIN renewal & e-filing
  • ✓ Focus on policies and procedures
  • ✓ Risk of PTIN/EFIN revocation
  • ✓ Applies to all tax return preparers

Penalties for Non-Compliance

$100K+

Per violation FTC fines — each client record can be a separate violation

PTIN Loss

IRS can revoke your PTIN and e-filing privileges for security failures

Lawsuits

Data breaches expose you to client lawsuits and state AG action

Bellator took us from zero compliance to fully meeting the FTC Safeguards Rule in under 30 days. They handle everything — we just focus on our clients during tax season.

Managing Partner, CPA Firm at Southeast Tax & Advisory

FTC Safeguards Rule — Frequently Asked Questions

Yes. The FTC defines "financial institution" broadly to include any business that handles consumer financial information — regardless of size. Solo practitioners, small CPA firms, enrolled agents, and even seasonal tax preparers are all covered.

There is no minimum revenue or employee threshold for compliance. If you prepare tax returns or handle client financial data, you must comply with all 9 mandatory requirements.

The FTC Safeguards Rule is a federal law under the Gramm-Leach-Bliley Act that requires specific technical and administrative security controls — encryption, MFA, access controls, monitoring, and a designated Qualified Individual.

A WISP (Written Information Security Plan) is required by the IRS under Publication 4557 and focuses on documenting your security policies and procedures. The WISP is your written plan; the FTC Safeguards Rule requires you to actually implement specific technical controls.

Both are required. Bellator provides both the WISP documentation and the technical implementation to satisfy the FTC Safeguards Rule.

Non-compliance carries serious consequences. The FTC can impose civil penalties exceeding $100,000 per violation — and each affected customer record can constitute a separate violation. In a data breach involving 500 client records, potential fines could reach millions.

Beyond FTC fines, the IRS can revoke your PTIN and electronic filing privileges. You also face potential lawsuits from affected clients and state attorney general enforcement actions.

Absolutely. The FTC Safeguards Rule requires every covered business to designate a Qualified Individual to oversee the information security program. This person must have the expertise to develop, implement, and maintain your security controls.

Bellator provides outsourced Qualified Individual services as part of our managed compliance program. Our cybersecurity experts serve as your designated QI, handling risk assessments, security program management, board reporting, and regulatory documentation — so your team can focus on serving clients.

Most tax practices can achieve full FTC Safeguards Rule compliance within 30 days with Bellator's managed program. The timeline depends on your current security posture and the size of your practice.

Our process starts with a comprehensive gap assessment (typically 1 week), followed by implementation of required controls (2-3 weeks), and delivery of all compliance documentation. We then provide ongoing management to keep you compliant year-round.

Not sure if you are FTC compliant?

Download our free FTC Safeguards Rule checklist and find out where your practice stands.