The FTC Safeguards Rule: What Every CPA Firm and Tax Preparer Needs to Know (Before It's Too Late)

Written by Jordan Hetrick | July 1, 2026

TL;DR: The FTC Safeguards Rule is a federal data security law that officially applies to CPA firms and tax preparers, not just banks. It requires a written information security program, a designated Qualified Individual, encryption, multi-factor authentication, risk assessments, and more. Firms handling fewer than 5,000 consumer records get a partial exemption, but not a full pass. Non-compliance can mean fines exceeding $100,000 per violation. This guide explains what it is, what it requires, who is exempt and why, what the penalties look like, and how working with a qualified IT partner makes compliance a lot less painful.

Imagine you file a thousand tax returns a year. Each one contains a Social Security number, financial account details, income records, and enough personally identifiable information to make a cybercriminal's weekend. Now imagine someone asks whether your firm has a written information security program, a designated compliance officer, and multi-factor authentication on every system that touches that data. If the honest answer involves a long pause, you're not alone, and you are also not technically in compliance with federal law.

That pause is more common than it should be, and more expensive than most firms realize. The data your practice holds is not just sensitive; it's exactly the kind of concentrated, high-value target that attackers go looking for. One compromised inbox, one unpatched system, one staff member who clicked the wrong link, and client Social Security numbers, bank account details, and tax records are suddenly someone else's problem to exploit.

Most CPA firms know about IRS Publication 4557. Fewer have spent quality time with the FTC's Safeguards Rule, which has been fully enforceable since December 2023 and applies to accounting and tax preparation practices whether they know it or not. The good news is that the path to compliance is well-documented, the requirements are logical, and for smaller firms, the exemptions are meaningful. The bad news is that "we were pretty sure we were fine" isn’t a legal defense.

This guide walks through what the FTC Safeguards Rule actually requires, who it applies to, and how to get compliant without turning your practice into a full-time IT department.

Table of Contents

  1. What the FTC Is and Why It Landed in Your Inbox
  2. How CPA Firms Became "Financial Institutions" Under Federal Law
  3. The Nine Mandatory Requirements Every Covered Firm Must Meet
  4. The Small Business Exemption and What It Actually Covers
  5. What Non-Compliance Actually Costs
  6. How to Get and Stay Compliant
  7. Your Practice Has Enough on Its Plate
  8. Key Takeaways
  9. Frequently Asked Questions

What the FTC Is and Why It Landed in Your Inbox

The Federal Trade Commission is the federal agency responsible for protecting consumers and promoting fair competition. It is perhaps best known for going after deceptive advertising and monopolistic behavior, which might make its interest in your client files seem like an odd jurisdiction. The connection runs through the Gramm-Leach-Bliley Act (GLBA), a 1999 law that required financial institutions to protect consumer financial data and gave the FTC authority to enforce those requirements for the businesses under its jurisdiction.

The result was the FTC Safeguards Rule, first established in 2003, significantly expanded in December 2021, and fully enforceable with its updated requirements as of December 2023. The 2023 amendments also added breach notification requirements: if a covered firm experiences unauthorized access to 500 or more consumers' unencrypted records, it must notify the FTC within 30 days.

The short version: this rule has been around for over two decades, but its current form is meaningfully stricter than what many firms were used to ignoring.

How CPA Firms Became "Financial Institutions" Under Federal Law

This is the part that tends to produce a double-take. The Safeguards Rule applies to "financial institutions" subject to FTC jurisdiction, and the definition of financial institution is deliberately broad. Per the rule, an entity qualifies if its business involves activities that are "financial in nature or incidental to such financial activities" as described under the Bank Holding Company Act.

The FTC's own guidance lists tax preparation firms explicitly as examples of covered financial institutions. Not "tax preparation firms above a certain revenue threshold." Not "tax preparation firms with more than ten employees." Just tax preparation firms.

The rule applies to any entity providing tax planning and preparation services to any person for personal, family, or household purposes, which means solo practitioners, small CPA firms, enrolled agents, and seasonal preparers are all covered. If you hold a PTIN and file returns, you're a financial institution under law.

This tends to land differently on practitioners who have spent their careers thinking of "financial institution" as a term reserved for banks and mortgage lenders. The FTC anticipated this. Its guidance specifically notes that what matters is the type of activity the business undertakes, not how the firm or anyone else categorizes it.

The Nine Mandatory Requirements Every Covered Firm Must Meet

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. That program must be written. It must be appropriate to the size and complexity of the firm, and it must address nine specific elements.

1. Designate a Qualified Individual. Someone at the firm (or a contracted service provider) must own the information security program. This person doesn't need a specific credential; they need actual, practical expertise suited to the firm's circumstances. If an outside provider fills the role, a senior firm employee must still supervise them.

2. Conduct a written risk assessment. Before building safeguards, a firm must understand what data it holds, where it lives, and what threatens it. The assessment must be documented and updated as the firm's operations change or new threats emerge.

3. Implement specific safeguards, including:

  • Access controls that determine who can reach client data and are reviewed regularly
  • A data inventory identifying every system, device, and person that touches customer information
  • Encryption of customer data both in storage and in transit
  • Security review of any applications, internal or third-party, used to store or transmit client data
  • Multi-factor authentication for anyone accessing systems that hold customer information
  • Secure disposal of client data no later than two years after its last business use
  • Change management processes that catch new security risks when systems are updated
  • Activity logging and monitoring for unauthorized access

4. Regularly test and monitor safeguards. This can be accomplished through continuous monitoring or, alternatively, annual penetration testing and vulnerability assessments every six months.

5. Train staff. Security awareness training is required, and it needs to be ongoing. A one-time orientation doesn't satisfy the rule.

6. Oversee service providers. Any vendor with access to client data is an extension of the firm's security posture. Contracts must include security expectations, and oversight must be ongoing.

7. Keep the program current. The rule requires regular updates as the firm, its technology, and the threat landscape evolve.

8. Create a written incident response plan. The plan must cover goals, internal processes, roles and responsibilities, communication protocols, remediation steps, documentation procedures, and a post-incident review process.

9. Report to the governing body. The Qualified Individual must report at least annually to the firm's board or equivalent leadership on the state of the information security program.

The Small Business Exemption and What It Actually Covers

Firms that maintain customer information for fewer than 5,000 consumers qualify for a partial exemption from certain requirements. Specifically, they're not required to complete a formal written risk assessment, conduct penetration testing or vulnerability scans, create a written incident response plan, or provide an annual compliance report to leadership.

For firms below the threshold, only three safeguards are explicitly required: encryption of data in transit and at rest, multi-factor authentication, and secure disposal of information.

A few things worth noting here. First, the 5,000-consumer count includes records maintained by affiliates and service providers on the firm's behalf, not just what sits on the firm's own servers. Second, the exemption covers certain procedural requirements, not the underlying obligation to protect client data. A small firm that experiences a breach still faces the legal and reputational fallout. Third, as the AICPA (the American Institute of Certified Public Accountants, the national professional organization for CPAs) puts it directly: all of the above elements are worthy of consideration by firms of every size, regardless of the threshold.

The exemption isn't a license to skip security. It's an acknowledgment that formal documentation requirements can be disproportionately burdensome for a solo practitioner or two-person shop, not a suggestion that client data protection is optional below a certain headcount.

What Non-Compliance Actually Costs

The consequences fall into a few categories, and they compound.

FTC civil penalties. The FTC can impose fines exceeding $100,000 per violation, and each affected customer record can constitute a separate violation. In a breach involving 500 client records, the math gets uncomfortable quickly.

Loss of PTIN and e-filing privileges. The IRS takes data security seriously as well. Firms that don't meet security requirements (including the WISP, or Written Information Security Plan, requirement under IRS Publication 4557, which overlaps significantly with the Safeguards Rule) risk having their PTIN revoked and their e-filing authorization suspended. That's not an inconvenience. That's the inability to practice.

Client lawsuits. A data breach that exposes client Social Security numbers, financial account details, or tax records creates direct exposure to civil litigation. State attorneys general can also pursue action under their own breach notification and consumer protection statutes.

Cyber insurance complications. Carriers are increasingly requiring documented evidence of security controls (multi-factor authentication, encryption, and incident response plans) as a condition of coverage. Firms that can't demonstrate these controls at renewal face higher premiums, reduced coverage, or both.

How to Get and Stay Compliant

The compliance path is more manageable than the list of requirements might suggest. Most of the work is a one-time investment in documentation and infrastructure, followed by ongoing maintenance.

Start with an inventory. Before anything else, know what data you have and where it lives. Client files, tax software databases, email accounts, cloud storage, third-party portals: all of it. You can't protect what you haven't mapped.

Appoint a Qualified Individual. If no one at the firm has the expertise to own this role, a qualified IT partner or MSP can serve in that capacity. The key is that someone qualified and accountable has the job, not an IT-adjacent staff member who also does payroll.

Get the technical controls in place. Multi-factor authentication and encryption are non-negotiable at every firm size. These aren't advanced enterprise measures; they're baseline security hygiene that most modern platforms support with minimal configuration.

Write the documents. A written information security program and an incident response plan are required. Many firms try to satisfy this with a downloaded template, and that's where compliance theater begins. A boilerplate WISP that lists generic policies without reflecting how the firm actually operates doesn't satisfy the rule's requirement for a program "appropriate to the size and complexity of your business." Templates are a starting point, not a finish line.

Train the team. Phishing is still the most common entry point for data breaches, and the most credentialed cybersecurity stack in the world can't compensate for an employee who clicks the wrong link. Regular, practical training is required, and it pays dividends beyond compliance.

Maintain and update. The rule requires periodic reassessment as operations change. A compliance posture built in 2023 and never revisited isn't a compliance posture. It's a document in a drawer.

Your Practice Has Enough on Its Plate

The FTC Safeguards Rule is not a future concern or a large-firm problem. It's a current, enforceable federal requirement that applies to your practice right now, regardless of size, regardless of whether you knew it existed, and regardless of how long you've been in business. Everything this guide has covered, the nine elements, the exemptions, the penalties, the documentation, adds up to one practical question: is your firm actually prepared?

Tax season doesn't pause for compliance projects. Client deadlines don't move because a firm is trying to figure out what "penetration testing" means. And the expectation that a two-person CPA firm should independently build, maintain, and document a full information security program while also filing several hundred returns a year is, charitably, optimistic.

That's where the right technology partner stops being a vendor and starts being a genuine asset. PK Tech has spent years working with CPA firms and accounting practices in Phoenix and across the country. The FTC Safeguards Rule isn't an abstract concern for our clients; it's a documented requirement we help them meet. We work directly with firms to inventory their data environments, put the required technical controls in place, establish the Qualified Individual structure the rule requires, and produce the written documentation that turns compliance from a risk into a checkmark.

The firms we work with aren't building security departments. They're staying in compliance while staying focused on their clients, because they have a partner whose job it is to handle the complexity.

If you're not sure where your firm stands on the Safeguards Rule, that's the first question worth answering. Reach out to PK Tech for a free IT assessment, and let's find out exactly what your compliance posture looks like before the FTC does.

Key Takeaways

  • The FTC Safeguards Rule applies to CPA firms and tax preparers, not just banks. If you prepare tax returns, you're a financial institution under federal law.
  • The rule requires nine specific elements in a written information security program, including a designated Qualified Individual, risk assessment, encryption, multi-factor authentication, staff training, and a written incident response plan.
  • Firms maintaining records on fewer than 5,000 consumers qualify for a partial exemption from certain procedural requirements but must still implement encryption, MFA, and secure data disposal.
  • Non-compliance can trigger FTC fines exceeding $100,000 per violation, loss of PTIN and e-filing privileges, client lawsuits, and cyber insurance complications.
  • The IRS WISP requirement under Publication 4557 and the FTC Safeguards Rule overlap significantly, but they're distinct: both are required.
  • Boilerplate WISP templates don't satisfy the rule's requirement for a program tailored to the specific firm's size, complexity, and operations.
  • A qualified IT partner can serve as the firm's Qualified Individual and handle the technical and documentary requirements, keeping practitioners focused on clients rather than compliance infrastructure.

Frequently Asked Questions

1. Does the FTC Safeguards Rule apply to solo tax preparers?

Yes. The FTC defines "financial institution" based on what a business does, not how many people work there. Solo practitioners, enrolled agents, and seasonal preparers are all covered. There's no minimum revenue or employee threshold. The 5,000-consumer threshold only applies to a partial exemption from certain documentation requirements, not to whether the rule applies at all.

2. What is the difference between the FTC Safeguards Rule and the IRS WISP requirement?

They're related but distinct. The IRS requires a Written Information Security Plan under Publication 4557 as a condition of holding a PTIN and e-filing authorization. The FTC Safeguards Rule goes further, requiring firms to actually implement specific technical controls (encryption, MFA, access controls, monitoring) and designate a Qualified Individual to oversee the program. Both are required, and a WISP without the underlying technical controls satisfies neither.

3. What should a CPA firm do first to get compliant?

Start with an honest inventory: what client data do you hold, where does it live, and who can access it? Then put the baseline technical controls in place (MFA and encryption are non-negotiable and straightforward to implement), appoint a Qualified Individual, and produce the required written documentation. If the firm doesn't have internal expertise, a qualified IT partner can serve in the Qualified Individual role and manage the whole program.