safeguardsmonitor.com/safeguards-rule-exemptions· printed from the live page · figures carry their own as-of dates
The Safeguards Rule Exemption Under 5,000 Consumers: Exactly What Is Waived
Checked against the primary record: July 17, 2026 · Exception adopted: December 9, 2021 (86 FR 70308); unamended since
The short answer
Yes, the small-firm exemption is real. If your practice maintains customer information on fewer than 5,000 consumers, 16 CFR 314.6 switches off four requirements: the written risk assessment, the monitoring-or-penetration-testing regime, the written incident response plan, and the annual report. The written plan itself is not waived, and the count is stricter than it sounds.
This explains the FTC Safeguards Rule's small-firm exception: which requirements it waives and how its 5,000-consumer count works. It is general information, not legal advice for your specific situation. For that, consult a qualified professional.
What does the under-5,000 exemption actually say?
The entire exemption is one sentence of regulation. Section 314.6 of the Safeguards Rule, and the rule's own heading for it is the narrower word "Exceptions," switches off four listed paragraphs for any financial institution that maintains customer information concerning fewer than 5,000 consumers. Tax preparation firms are financial institutions under the rule, named in it directly, so a small practice can qualify like any other covered business. Here is the full text:
Primary record
Section 314.4(b)(1), (d)(2), (h), and (i) do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.
86 FR 70308, Dec. 9, 2021 · Verified July 17, 2026
Read it closely and three things stand out. It waives exactly four paragraphs, each named by letter and number, and nothing else. It conditions the relief on what you maintain, not on headcount, revenue, or return volume. And it says nothing about the written plan itself, which lives one section earlier in the rule and is untouched. The section was added in the 2021 overhaul, in which the Commission cited the impact of the new requirements on small businesses (86 FR 70272), and it has not been amended since.
Which requirements are waived, and which stay?
Here is the complete map, every requirement by its subsection letter. Two rows carry the word "split," because there the exception removes a sub-paragraph rather than a whole element, a difference that is easy to flatten and worth keeping. Even the FTC's own compliance guide (revised December 2024) describes the relief only as an exemption from "certain provisions"; the list below is the regulation's own.
| Requirement (16 CFR) | What it is | Under 5,000 consumers |
|---|---|---|
| 314.3(a) written program | The WISP itself: a written information security program | Required. The exception does not touch 314.3; the plan is never waived. |
| 314.4(a) Qualified Individual | The named person who oversees the program | Required. |
| 314.4(b) risk assessment | The risk analysis the program is based on | Split. The written assessment meeting (b)(1)'s three criteria is waived. Basing the program on a risk assessment, and (b)(2)'s periodic reassessment, still apply. |
| 314.4(c)(1) through (c)(8) safeguards | The eight concrete controls, encryption, MFA, and disposal among them | Required. All eight; none appears in 314.6. |
| 314.4(d) testing | Testing and monitoring of the safeguards | Split. The (d)(2) regime (continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months) is waived. The (d)(1) duty to regularly test or otherwise monitor key controls still applies. |
| 314.4(e) training | Security awareness training and qualified personnel | Required. |
| 314.4(f) service providers | Vendor selection, contractual safeguards, and oversight | Required. |
| 314.4(g) evaluate and adjust | Updating the program as testing and circumstances change | Required. |
| 314.4(h) incident response plan | The written plan for security events | Waived. The written document is excused; the FTC breach report below is not. |
| 314.4(i) annual report | The Qualified Individual's yearly written report to leadership | Waived. |
| 314.4(j) FTC notification | The breach report to the FTC: 500 or more consumers, 30 days | Required. Not in 314.6's list; in effect since May 13, 2024. |
The two split rows are where precision pays. On risk assessment, 314.6 waives paragraph (b)(1): the requirement that the assessment be written and meet three listed criteria. The surrounding duty survives. Your program must still be based on a risk assessment, and (b)(2) still requires you to reexamine your risks periodically. A qualifying firm can do that thinking without producing the formal document; it cannot skip the thinking. On testing, the waiver removes (d)(2), the prescriptive regime of continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months. What survives is (d)(1): you still have to regularly test or otherwise monitor whether the safeguards you rely on actually work.
Do I still need a WISP if I'm exempt?
Yes. The written information security plan (the WISP) is required by 16 CFR 314.3(a), which tells every covered institution that "You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts," a sentence that continues into safeguards "appropriate to your size and complexity." No size threshold anywhere in Part 314 touches that requirement; we read the full part, 314.1 through 314.6, on July 17, 2026. Qualifying under 314.6 shortens what the plan must contain. It does not remove the plan.
Two opposite errors circulate about this section, and this page exists to correct both. The first treats nothing as waived: every requirement presented as binding on every firm, the threshold never mentioned. The second waves away too much: treating the incident-response waiver as if a small firm had no security-event duties at all (the FTC breach report stands, and so do the safeguards), folding the Qualified Individual into the exemption (314.4(a) appears nowhere in 314.6), or miscounting the rule itself into "seven elements" or "twelve requirements" (the program has nine, (a) through (i), plus the separate notification duty at (j)). Each claim in that catalog can be checked against the one sentence of regulation quoted above, which is why this page quotes it.
For a genuinely small practice, the honest reading is good news. What remains is the part a small firm can actually meet: a written plan scaled to your size, a named person responsible for it, and safeguards you mostly run anyway. The four heaviest process items are off your list.
How do you count 5,000 consumers?
The count is where the exemption is won or lost, and the rule's definitions do more work than summaries of them suggest. Three definitions from 16 CFR 314.2 govern. A "consumer" is "an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual's legal representative." "Customer information" means any record containing nonpublic personal information "about a customer of a financial institution," in paper, electronic, or other form, "handled or maintained by or on behalf of you or your affiliates." And the exception applies to a firm that "maintains" such information concerning fewer than 5,000 consumers. Maintain is present tense: the test is what you hold, not what you take in per year.
Applied to a tax practice, those definitions settle more than you might expect. Here is the count, step by step:
- Count what you maintain, not what you filed this season. The trigger is holding the information. Every individual whose records sit in your software, your cloud storage, or your file cabinets belongs in the count, whatever year the engagement was.
- Former clients stay in the count while their files do. A "consumer" is anyone who "obtains or has obtained" your service. Time does not remove them; disposal does. The rule's own disposal safeguard, 314.4(c)(6), sets a two-year default with exceptions; the exact timing is covered in our guide to the full rule.
- A joint return adds two. Each spouse is an individual who has obtained the service for personal or family purposes, so a married-filing-jointly engagement puts two consumers in the count, not one household.
- Entity work, by itself, does not add consumers. The definition reaches individuals obtaining a service "primarily for personal, family, or household purposes." A corporate or partnership return prepared for the business is not that. The owner whose personal return you also prepare is.
- Dependents are the honest open question. A dependent listed on a client's return did not obtain your service, so on the definition's plain terms the dependent is not a consumer, even though the file carries their information. The rule does not address dependents by name, and we could find no FTC statement that does (we checked the rule text and the FTC's business guidance on July 17, 2026). Treat this edge as unsettled rather than assumed.
- Re-run the count when the practice changes. Growth, a book-of-business purchase, or simple retention can push a firm past 5,000, and the four waived items apply in full once you no longer qualify. A dated count, refreshed beside your plan's regular review, is cheap insurance.
The count decides which duties bind your firm, and some of its edges (dependents above all) are not settled in the rule's text. If your practice sits anywhere near 5,000, or your answer turns on an unsettled edge, confirm your status with a qualified professional before you rely on the exemption.
Does the exemption change what happens if something goes wrong?
No. This is the boundary the word "exemption" obscures: 314.6 reduces what your program must contain, and changes nothing about what a failure can cost. Coverage is untouched, so the rule still applies to your firm. The breach-notification duty is untouched, so a reportable event still runs on the FTC's clock. And the civil-penalty exposure on the books is untouched: qualifying under 314.6 does not lower what a violation can cost. By site policy the verified figures live on one page, each with its source and as-of date. The exception edits your program; it is not a liability shield.
The breach-reporting arithmetic deserves one more sentence, because two different thresholds get conflated. Your 5,000-consumer status is about all the information you maintain; the FTC report is triggered by a single event. Under 16 CFR 314.4(j), a notification event involving the information of at least 500 consumers must be reported to the FTC no later than 30 days after discovery, and 314.6 does not except anyone from that duty. A practice holding 4,000 clients' files is excused from four program elements and still one stolen unencrypted backup away from a reportable event.
FAQ
Am I exempt if I'm a solo or seasonal preparer?
Not automatically. The exception has one test, and it is neither staff size nor season length: it is whether you maintain customer information on fewer than 5,000 consumers. A solo preparer who has kept every client file since 2010 can be over the line; a three-person firm that disposes of old records on schedule can be comfortably under it. Run the count before you assume either way.
Do former clients count toward the 5,000?
Yes, for as long as you still hold their information. The definition of "consumer" includes anyone who "obtains or has obtained" your service, and the exception turns on the customer information you "maintain." A client from 2019 whose return file still sits in your storage is in your count. The way out is the rule's own disposal element, not the passage of time.
Does the exemption remove the FTC breach-notification duty?
No. Section 314.6 waives exactly four paragraphs: 314.4(b)(1), (d)(2), (h), and (i). The notification duty is 314.4(j), it is not on that list, and it has been in effect since May 13, 2024. If an event involves unencrypted information of at least 500 consumers, the 30-day reporting clock runs for an exempt firm exactly as it does for anyone else.
Does the exemption change the penalties?
No. It narrows what your program must contain and leaves exposure where it was. Site policy keeps every penalty figure off this page; the penalties page carries each one with its source and its as-of date. The point that belongs here is shorter: 314.6 is not a defense, and a firm relying on it still owes everything the exception leaves standing.
Where is this exemption written?
In one sentence of the Code of Federal Regulations: 16 CFR 314.6, titled "Exceptions," quoted in full above. It was added on December 9, 2021 (86 FR 70308) and has not been amended since. We verified the text against the live eCFR on July 17, 2026; if it changes, the dates on this page will say so.
The bottom line
The under-5,000 exception is real relief, delivered in one precise sentence: four paragraphs off, everything else standing. A practice that qualifies escapes the written risk assessment, the monitoring-or-penetration-testing regime, the written incident response plan, and the annual report. It still owes the written plan, the Qualified Individual, all eight safeguards, staff training, vendor oversight, and the FTC's breach clock. Count honestly, date the count, and put what remains on paper.
Next in this guide
FTC Safeguards Rule for Tax Preparers
The FTC Safeguards Rule (16 CFR Part 314) applies to tax preparers as financial institutions under GLBA. What its nine elements require, who is covered, and who is exempt.
Related
- How we verify
The method behind every figure on this site: primary sources, as-of dates, and dated corrections.