7 min read
Jordan Hetrick
July 1, 2026
We're an MSP for accounting firms, and we see it all. Over the past several years, offshore labor has become increasingly common in the CPA space. Private equity consolidation is pushing firms to cut costs, and the ongoing CPA shortage means there simply are not enough domestic staff to handle the workload. Firms are turning to teams in India and other countries to handle tax preparation, and in many cases, that arrangement works. But IRS Section 7216 governs exactly what you are allowed to do with client data before it ever leaves the country, and you want to get this right before it becomes a problem.
What Is IRC Section 7216, and How Did It Get Here?
Internal Revenue Code Section 7216 is a criminal provision enacted by Congress in 1971 that prohibits preparers of tax returns from knowingly or recklessly disclosing or using tax return information. The law has been updated several times since then, each time expanding and clarifying what preparers can and cannot do.
Here is the short version of how it has evolved, per the IRS Section 7216 Information Center:
1971: Congress enacts Section 7216 as part of the Internal Revenue Code. The original statute was written for a paper-return world and provided limited guidance on consent procedures.
2008: Treasury substantially revised the regulations under Section 7216, the first major overhaul in decades. These revisions updated the framework to reflect the modern tax preparation industry, including electronic filing.
2009-2010: The IRS issued proposed and temporary regulations on December 30, 2009 (effective January 4, 2010), along with two revenue rulings that addressed specific disclosure scenarios. Revenue Ruling 2010-4 addressed using client data to notify clients of tax law changes and sharing client lists with third-party newsletter services. Revenue Ruling 2010-5 addressed disclosures to professional liability insurance carriers and to attorneys evaluating potential claims against the preparer. These regulations also clarified permitted uses for statistical compilations and conflict-of-interest reviews.
December 28, 2012: Final Treasury Regulations on disclosure and consent requirements became effective. These are the rules currently in force.
January 2013: Revenue Procedure 2013-14 was published, establishing the mandatory form and content requirements for written consent, specifically for taxpayers filing in the Form 1040 series. This is the document that governs what your consent forms must actually say. It was subsequently modified by Rev. Proc. 2013-19.
What Data Triggers This Requirement?
The consent requirement applies to tax return information, broadly defined. This covers everything a client provides in connection with preparing their return: income figures, Social Security numbers, business financials, deductions, filing status, and any supporting documentation.
The types of returns most commonly involved in offshore outsourcing arrangements include:
The 1040 series carries the strictest requirements. Even if the person preparing the return is an employee of the firm, any 1040-series returns prepared outside the United States require a signed client consent form. For entity returns, there is no requirement for an IRS-approved consent form to be used, and many firms notify business clients as part of standard engagement letters. That said, consulting with legal counsel experienced in offshore processing of entity returns is worth considering to make sure all bases are covered.
When Sending Client Data Overseas Requires Written Consent
When a preparer sends tax data to an outside vendor for data entry, return processing, or review, that transmission counts as a disclosure requiring written consent. This applies whether the vendor is across town or overseas. Offshore outsourcing gets extra scrutiny: if a contractor's employee located outside the United States can view information on a server, even without the ability to download or print it, the preparer must get consent before granting that access.
This applies even when the overseas recipient is an employee of the same firm or a subsidiary of the same corporate parent. The corporate relationship between your firm and the offshore team does not change the requirement.
What About Bookkeeping Outsourced Offshore?
This is where a lot of CPA firms get confused, and the confusion is understandable. The answer depends on two things: what your engagement with that client actually covers, and what data your offshore team is touching.
If your firm does not have a tax engagement with the client at all, meaning someone else is preparing their 1040 or business return and you are strictly providing bookkeeping services, Section 7216 most likely does not apply to that relationship. The statute governs tax return preparers and the information they receive in connection with preparing a return. If you are not in that chain, you are not the regulated party under 7216. The client's tax preparer would be the one with 7216 obligations, not you.
If your firm provides both bookkeeping and tax preparation for the same client, the picture changes. Bookkeeping work in that context (entering transactions, reconciling accounts, running reports, processing payroll) is part of the workflow that leads to a tax return. If any of that work is being sent offshore, the safer position is to treat it as falling under Section 7216 and obtain consent. The IRS has not drawn a bright line here, but if the primary purpose of the bookkeeping is to facilitate tax return preparation, the data involved is likely "furnished in connection with" preparing a return, which is the trigger.
A few specific scenarios worth thinking through even when you believe the engagement is bookkeeping-only:
The cleaner your separation between bookkeeping-only clients and tax clients, the cleaner your Section 7216 position. If there is any overlap in the engagement, the data, or the systems, the conservative approach is to treat consent as required.
What the Consent Form Must Include
There is no IRS-issued fill-in-the-blank form for this. Each firm drafts its own consent document following the requirements in Treasury Regulation Section 301.7216-3 and Revenue Procedure 2013-14. The consent must:
Vague or broad consents are invalid. The document must name the preparer, name the taxpayer, identify the exact purpose of the disclosure or use, and specify which items of tax return information are involved. If the preparer only needs adjusted gross income, the consent cannot authorize handing over the entire return. Consent must be affirmative; no opt-outs or pre-checked boxes are permitted.
For taxpayers filing in the 1040 series, a consent document must specifically and separately identify each disclosure. For 1040 clients, consent must be a standalone document and cannot be embedded in the engagement letter. For non-1040 clients (entity returns), the consent language can be included directly in the engagement letter and does not need to be a separate document.
The AICPA has published sample consent forms you can use as a starting point, including separate templates for 1040 disclosures, foreign disclosures (specifically covering offshore outsourcing scenarios with SSN disclosure language), and non-1040 engagement letter inserts. Here is the AICPA template. As noted in the AICPA's own terms, these are illustrative templates, not authoritative guidance, so your firm should review them against the specific requirements in Regs. Sec. 301.7216, Rev. Proc. 2013-14, and Rev. Proc. 2013-19 before use.
The FTC Safeguards Rule Adds Another Layer
Section 7216 is not the only compliance obligation in play when you outsource offshore. The FTC Safeguards Rule (16 CFR Part 314), which implements the Gramm-Leach-Bliley Act, applies to CPA firms because tax preparation is classified as a financial activity under 12 CFR 225.28(b)(6)(vi). That classification makes your firm a "financial institution" under the rule, and any offshore team receiving client data becomes a "service provider" subject to its requirements.
What that means practically is that your obligations do not end with getting a signed consent form. Under the Safeguards Rule, your firm is responsible for selecting service providers capable of maintaining appropriate data security, requiring those safeguards by contract, and periodically assessing whether those safeguards remain adequate. Best practice is to review your offshore partner's IT security policies at least annually. That is overhead many firms do not account for when they first set up an offshore arrangement, but it is something to build into your operational process. If you engage an offshore team and never revisit their security posture, you are not meeting the FTC's standard, which is a separate exposure from Section 7216.
For firms with fewer than 5,000 consumer records, certain Safeguards Rule requirements, including written risk assessments, penetration testing, and written incident response plans, do not technically apply. Many CPA firms with any volume of individual clients will exceed that threshold, so the full requirements are worth understanding. Part of meeting the Safeguards Rule is maintaining a written information security plan (WISP). If you do not have one, or if yours does not address third-party data sharing with offshore vendors, that is a gap. The IRS publishes its own WISP guidance for tax preparers in IRS Publication 5708.
What the Penalties Look Like
This is where the risk calculus matters. Section 7216 is a criminal statute, and penalties are assessed per violation, not per client.
Under Section 7216 (criminal): Up to $1,000 fine or up to one year in prison per violation, or both. If the disclosure or use is in connection with identity theft, the monetary penalty increases to up to $100,000.
Under Section 6713 (civil, no criminal intent required): $250 per unauthorized disclosure or use, capped at $10,000 per preparer per calendar year. When connected to identity theft, the penalty is $1,000 per violation with a separate $50,000 annual cap. The identity theft penalties are tracked separately, so a preparer could face up to $60,000 in combined civil penalties in a single year.
Beyond the dollar figures, a violation can result in referral to the IRS Office of Professional Responsibility, state board of accountancy action, and potential loss of PTIN.
What to Check Before Your Next Tax Season
If your firm is currently using an offshore team and you are not certain whether your engagement letter process includes compliant 7216 consent language, that is worth a closer look. It is a manageable compliance item, but one that tends to get missed in the operational rush of standing up an outsourcing arrangement.
From an IT standpoint, 7216 compliance and the FTC Safeguards Rule both connect directly to how client data is being handled in transit and at rest. How is the data being transmitted to the offshore team? What access controls exist on the other end? Does your WISP address third-party data sharing outside the U.S.? Have you reviewed your offshore partner's security policies in the past year? PK Tech works through these questions with CPA firms regularly. Contact us to talk through what secure offshore data handling looks like from an IT infrastructure standpoint.
For the full IRS guidance on Section 7216, see the IRS Section 7216 Information Center and the Section 7216 FAQs.