Skip to content

The FTC Safeguards Rule for Tax Preparers: What It Actually Requires

Checked against the primary record: July 17, 2026Rule last amended: November 13, 2023 (88 FR 77508)

Dolev Arama, Founder/Last updated July 18, 2026/Every figure primary-sourced

The short answer

Yes. If your firm prepares tax returns for compensation, the FTC Safeguards Rule almost certainly applies to you. Under the Gramm-Leach-Bliley Act, a tax-preparation firm is a "financial institution," so 16 CFR Part 314 requires you to build, keep, and follow a written information security program. Here is what the rule actually requires, exactly who it covers, and where it stops.

This explains what the FTC Safeguards Rule requires of tax-preparation firms and who it covers. It is general information, not legal advice for your specific situation. For that, consult a qualified professional.

At a glance

FTC Safeguards Rule (16 CFR Part 314), at a glance

Authority
The Gramm-Leach-Bliley Act, sections 501(b) and 505(b)(2) (15 U.S.C. 6801 and 6805). The Federal Trade Commission enforces it.
Who it covers
Financial institutions under FTC jurisdiction. The rule names tax preparation firms specifically.
Core duty
Develop, keep, and follow a written information security program with the nine elements in section 314.4.
Small-firm relief
A firm with customer information on fewer than 5,000 consumers is excused from four requirements, but not from the plan itself (section 314.6).
Breach notice
Report a breach involving at least 500 consumers to the FTC within 30 days (section 314.4(j)), in effect since May 13, 2024.
Key dates
Original rule 2002. The nine-element program's compliance date was June 9, 2023.
Prepared by Safeguards Monitor from 16 CFR Part 314 (eCFR) and the Federal Register, current as of July 2026.

Does the FTC Safeguards Rule apply to tax preparers?

The FTC Safeguards Rule is the federal standard that requires financial institutions to protect customer information. It sits under the Gramm-Leach-Bliley Act, and the Federal Trade Commission enforces it against the financial institutions in its jurisdiction. The reason it reaches tax preparers is the definition. The rule's scope section names the covered businesses directly, and the list includes "tax preparation firms" (16 CFR 314.1).

The rule also gives an example that removes any doubt: "an accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution," because tax preparation is a financial activity under the Bank Holding Company Act. The test is whether you are "significantly engaged" in that activity, and a firm that prepares returns for compensation is. It does not matter that your office looks nothing like a bank. The rule defines "financial institution" by what you do with customer data, not by a sign on the door.

A few businesses fall outside it. Banks and credit unions that answer to a different federal regulator are covered by that regulator's version of the standard, not the FTC's. And a business that only incidentally touches financial data, without being significantly engaged in a financial activity, is not a financial institution under the rule. For a working tax-preparation firm, though, coverage is the default, not the exception.

Whether your specific firm is covered, and which parts of the rule apply to you, can depend on the details of your practice. If you are unsure, or you plan to rely on the small-firm exception below, confirm it with a qualified professional before you count on it.

What does the Safeguards Rule require? The nine elements

At its core, the rule requires one thing: a written information security program that is appropriate to your size and complexity and to the sensitivity of the data you hold (16 CFR 314.3). That program has to include nine specific elements, set out in section 314.4. The table states each one in plain terms.

The nine elements of the FTC Safeguards Rule
Element (16 CFR 314.4)What the rule requires
(a) Qualified IndividualName one person to oversee, implement, and enforce your security program. You can use an employee, an affiliate, or a vendor, but you keep responsibility.
(b) Risk assessmentBase the program on a written risk assessment that identifies the risks to customer information and how you will address them.
(c) SafeguardsPut eight specific safeguards in place, from access controls through activity logging. Each is its own numbered subsection; the list below the table walks all eight.
(d) TestingRegularly test the safeguards, through continuous monitoring or, absent that, annual penetration testing plus vulnerability assessments at least every six months.
(e) TrainingGive staff security awareness training and use qualified security personnel to run the program.
(f) Service-provider oversightSelect vendors that can protect customer data, require safeguards by contract, and reassess them over time.
(g) Evaluate and adjustUpdate the program as your testing, your business, and new risks require.
(h) Incident response planKeep a written incident response plan for security events that affect customer information.
(i) Report to leadershipHave your Qualified Individual report in writing, at least once a year, to your board or a senior officer.
Prepared by Safeguards Monitor from 16 CFR 314.4 (eCFR), current as of July 2026.

Element (c) is the operational core of the program: eight specific safeguards, each with its own subsection of the rule. In the rule's order:

  1. Access controls, (c)(1): authenticate the people who use your systems, and limit each user to the customer information their work actually needs.
  2. Inventory, (c)(2): identify and manage the data, personnel, devices, systems, and facilities that run the practice, weighted by importance and risk.
  3. Encryption, (c)(3): encrypt customer information both in transit over external networks and at rest. Where encryption is infeasible, the rule allows effective alternative compensating controls reviewed and approved by your Qualified Individual.
  4. Secure development, (c)(4): use secure development practices for applications you build in-house, and assess the security of outside applications you rely on to handle customer information.
  5. Multi-factor authentication, (c)(5): require it for any individual accessing any information system, unless your Qualified Individual has approved, in writing, reasonably equivalent or more secure access controls.
  6. Secure disposal, (c)(6): dispose of customer information securely on the rule's own timeline, and periodically review your data retention policy to minimize unnecessary retention; the exact two-year formulation is in the Disposal Rule section below.
  7. Change management, (c)(7): adopt procedures that govern changes to your systems.
  8. Monitoring and logging, (c)(8): monitor and log what authorized users do, and detect unauthorized access to, use of, or tampering with customer information by those users.

The Safeguards Rule contains nine program-design elements plus a separate breach-notification duty added in 2023. People often fold that duty in with the nine, but it is separate and newer. Section 314.4(j) requires you to notify the FTC of a breach involving at least 500 consumers' unencrypted information, no later than 30 days after you discover it. That requirement took effect on May 13, 2024. It is a reporting obligation, not one of the program-design elements, and it is worth tracking on its own.

Do small firms get a break? The under-5,000 exemption

Yes, partly. The rule takes four of its heavier requirements off the smallest firms. Under 16 CFR 314.6, "Section 314.4(b)(1), (d)(2), (h), and (i) do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers." In plain terms, if you hold information on fewer than 5,000 consumers, you are excused from the written risk assessment, the continuous-monitoring-or-penetration-testing requirement, the written incident response plan, and the annual report to leadership.

Primary record

16 CFR § 314.6 · Exceptions

Section 314.4(b)(1), (d)(2), (h), and (i) do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.
Prepared by Safeguards Monitor from 16 CFR 314.6 (eCFR), current as of July 2026.
86 FR 70308, Dec. 9, 2021 · Verified July 17, 2026

Here is the part the field gets wrong. The exemption does not remove the plan. The requirement to have a written information security program still stands, and so do the Qualified Individual, the safeguards themselves (encryption, multi-factor authentication, and access controls among them), staff training, vendor oversight, and the breach-notification duty. "Exempt" means four requirements come off, not that a small firm can skip the WISP. Which items actually apply to your firm turns on that 5,000 count, and how the counting actually works is worth getting right.

Prepared by Safeguards Monitor from 16 CFR 314.4 and 314.6 (eCFR), current as of July 2026.

The Safeguards Rule vs. IRS Publication 4557 vs. the W-12 checkbox

This is where a lot of confusion starts, because three different things all point at the same written plan, and only one of them is the law. Keeping them straight tells you what you actually have to do, and why.

The rule, the IRS guidance, and the PTIN attestation compared
SourceWhat it isIs it the legal source of the WISP duty?
FTC Safeguards Rule (16 CFR 314)A federal regulation under the Gramm-Leach-Bliley Act, enforced by the FTC.Yes. This is the rule that requires the written program.
IRS Publications 4557 and 5708IRS guidance. Publication 4557, "Safeguarding Taxpayer Data," explains the duty and gives a checklist; Publication 5708 is a fill-in template.No. They explain and point to the requirement; they are not the requirement.
Form W-12, Line 11An awareness attestation you check when you renew your PTIN.No. Checking it confirms you are aware of the duty; it does not create it, and it is not a certification that you have a compliant plan.
Prepared by Safeguards Monitor from 16 CFR 314, IRS Publication 4557, and the current Form W-12 (Rev. October 2025).

Line 11 of the current Form W-12 is labeled "Data Security Responsibilities," and it asks you to check a box against one sentence. That sentence rewards a careful read:

Primary record

IRS Form W-12, Line 11 · Data Security Responsibilities

I am aware that paid tax return preparers are required by law to create and maintain a written information security plan that provides data and system security protections for all taxpayer information.
Prepared by Safeguards Monitor from the current Form W-12 (irs.gov), current as of July 2026.
Form W-12, Rev. October 2025 · Verified July 17, 2026

Notice the phrasing. The operative words are the first three: you attest that you are aware of the requirement. The line does not ask you to swear that your plan exists or that it meets any standard, though the form around it is signed under penalties of perjury, so the awareness should be real. A common misreading treats that checkbox as proof of compliance, or treats the WISP as an IRS invention. Neither holds up: the box records awareness, and the comprehensive written-program requirement traces back to the FTC's Safeguards Rule.

One more FTC rule: proper disposal (16 CFR Part 682)

One related rule is easy to miss. The FTC's Disposal Rule (16 CFR Part 682) comes from the Fair and Accurate Credit Transactions Act, and it requires anyone who holds "consumer information" for business purposes, meaning data that is or comes from a consumer report, to dispose of it in a way that protects against unauthorized access. Its reach is narrower than the Safeguards Rule: it covers consumer-report data specifically, while the Safeguards Rule covers all of your customer information and sets its own deadline. Under section 314.4(c)(6), you must dispose of customer information securely no later than two years after the last date it is used in connection with providing a product or service to the customer it relates to, unless you still need it for business operations or another legitimate business purpose, a law or regulation requires you to keep it, or targeted disposal is not reasonably feasible in the way the information is maintained. The same subsection also tells you to review your data retention policy periodically, to minimize unnecessary retention. If the Safeguards Rule applies to you, the two rules meet in one document: the Disposal Rule itself names incorporating proper disposal into your Safeguards program as a reasonable way to comply, so in practice you handle both in one place.

FAQ

Are tax preparers really "financial institutions"?

Yes. The Safeguards Rule's scope section lists "tax preparation firms" among the covered businesses, and a separate example in the rule states that an accountant or tax preparation service in the business of completing income tax returns is a financial institution. It is not a stretch or an interpretation; the rule names them.

Does the rule apply to a solo or seasonal tax practice?

Generally yes. Coverage turns on whether you are significantly engaged in preparing returns for compensation, not on your headcount. Size affects how much of the rule applies, through the under-5,000 exemption, rather than whether it applies at all.

Is the WISP an IRS requirement or an FTC requirement?

The comprehensive written information security program is required by the FTC's Safeguards Rule, under the Gramm-Leach-Bliley Act. The IRS points you to it through Publications 4557 and 5708 and asks you to attest awareness of the duty on Form W-12, but the rule itself is the FTC's. Our guide to the WISP requirement for tax preparers maps both layers in full.

What is the difference between the Safeguards Rule and IRS Publication 4557?

The Safeguards Rule is binding law. Publication 4557, "Safeguarding Taxpayer Data," is IRS guidance that explains the duty and offers a checklist. Following Publication 4557 helps you comply, but the enforceable requirement is the rule.

When did the current requirements take effect?

The Safeguards Rule dates to 2002. The FTC added the detailed nine-element program in 2021, and the compliance deadline for those provisions was June 9, 2023. The separate breach-notification duty took effect on May 13, 2024.

Does the Safeguards Rule require multi-factor authentication and encryption?

Yes. Section 314.4(c) requires encryption of customer information in transit and at rest, and multi-factor authentication for anyone accessing an information system. Each has a narrow exception that runs through your Qualified Individual: encryption that is infeasible may be replaced by effective alternative compensating controls the Qualified Individual reviews and approves, and MFA may be set aside only where the Qualified Individual has approved, in writing, reasonably equivalent or more secure access controls.

What happens if a firm ignores the Safeguards Rule?

Two levers exist, and they are not equally active. On paper, the FTC can enforce the rule; what enforcement can cost, with every figure's source and as-of date, belongs on a dedicated penalties page, not here. The closest public record is a 2017 settlement with TaxSlayer, an online tax preparation service charged under the rule's earlier form; it ended in a consent order, not a fine. Against a tax-preparer practice, we can find no public FTC Safeguards Rule enforcement action; we last checked the FTC's public listings for the rule on July 17, 2026. The lever with documented teeth belongs to the IRS, which can suspend or expel an e-file provider at its own discretion; for a practice built on e-filing, that is the risk that matters. And ignoring the rule leaves the quieter duty standing: a reportable breach still runs on the FTC's 30-day clock, whether or not a written plan exists.

The bottom line

The FTC Safeguards Rule is real, it is the law, and it applies to tax-preparation firms because the rule says so by name. It requires a written information security program with nine elements; it excuses the smallest firms from four of them but not from the plan itself; and it is a separate thing from the IRS guidance and the W-12 checkbox that point at it. Knowing which is which is what keeps you from either overpaying for a scare or skipping a requirement you actually have. The first concrete step is the written plan.