Industry Compliance Guide

CPA / Accounting / Tax Compliance

FTC Safeguards Rule and IRS security requirements for CPAs, tax preparers, bookkeepers, and payroll firms.

What’s at stake: The FTC Safeguards Rule applies directly to tax preparers and CPAs — most small firms don’t realize it. The 2021 amendments became fully enforceable June 9, 2023. PTIN renewal now includes a WISP attestation.

Regulations That Apply

Regulation            What It Covers
FTC Safeguards Rule   WISP, MFA, encryption, monitoring; 30-day breach notification for 500+ consumers
IRS Pub 4557          Safeguarding Taxpayer Data: required practices for paid preparers
IRS Pub 5708          Creating a Written Information Security Plan (template)
GLBA                  Tax preparers and CPAs are GLBA financial institutions
State Board Rules     State accountancy board confidentiality and licensure rules
Circular 230          IRS rules for those practicing before the IRS

What You Need In Place

  • Written Information Security Plan (WISP)
  • Designated qualified individual
  • Multi-factor authentication on all client data systems
  • Encryption of taxpayer data at rest and in transit
  • Annual written and dated risk assessment
  • Vendor oversight and contract review
  • Employee training and access controls
  • Incident response plan with FTC notification process

Common Threats In This Sector

CPA firms are especially high-value targets during tax season. Attackers know your calendar: deadline pressure is the social-engineering lever they pull.

  • Wire fraud and business email compromise spiking January through April
  • Tax-software credential phishing (Drake, Lacerte, ProSeries, UltraTax, ATX impersonations)
  • Ransomware timed to encrypt client returns days before a filing deadline
  • IRS impersonation phishing aimed at preparers and clients
  • Client data exfiltration used downstream for fraudulent return filings
  • Compromised IRS e-Services credentials, with the preparer's PTIN attached to returns the attacker controls

Documentation You’ll Be Asked For

PTIN renewal now requires a Written Information Security Plan. The FTC Safeguards Rule (16 CFR Part 314) treats tax preparers as financial institutions, which means maintaining the same documentation any GLBA-covered entity maintains.

  • Written Information Security Plan (WISP) per IRS Pub. 4557 and IRS Pub. 5708
  • Designated Qualified Individual responsible for the information-security program (FTC Safeguards Rule)
  • Annual risk assessment covering systems that handle taxpayer data
  • Service provider oversight documentation — security clauses in vendor contracts
  • Workforce training records on data security and phishing recognition
  • Incident response plan with FTC and IRS notification timelines
  • System inventory including all locations where client data is stored

Where Most Small Firms Fall Short

The IRS Security Summit and FTC enforcement actions point to consistent gaps in small-firm practices. The WISP requirement has been on the books since 1999 (GLBA), but enforcement and PTIN renewal tied to it now make compliance non-optional.

  • No formal WISP — or a template downloaded years ago and never customized
  • No designated Qualified Individual as required by the FTC Safeguards Rule
  • MFA missing on email and tax-prep software logins
  • No annual risk assessment on file
  • Third-party vendors (cloud storage, payroll providers) onboarded without security review
  • e-Services and tax-software credentials shared among preparers

How CGetty Helps

WISP development, FTC Safeguards Rule advisory, and Qualified Individual support — practical and right-sized for solo CPAs, small tax practices, and bookkeeping firms.

Not Sure Where Your Business Stands?

We help small businesses understand what applies to them and build a practical plan to get there. Let’s talk.