safeguardsmonitor.com/who-needs-a-wisp· printed from the live page · figures carry their own as-of dates
Who Needs a WISP? The Full Segment Map for Tax and Accounting Professionals
Checked against the primary record: July 18, 2026 · Definitions last amended: November 13, 2023 (88 FR 77508)
The short answer
If your firm is in the business of completing income tax returns, it needs a written information security plan (WISP). The FTC Safeguards Rule says so by name, whatever your credential and whatever your size. The real questions live at the edges: bookkeepers, audit-only CPAs, payroll, volunteers. Here is the full map, every row from the primary record.
This maps who the WISP requirement covers, profession by profession. It is general information, not legal advice for your specific situation. For that, consult a qualified professional.
Who is covered by the Safeguards Rule?
A covered firm is a "financial institution" as the FTC Safeguards Rule defines one: any institution significantly engaged in activities that are financial in nature. That definition sounds like it was written for banks, and it was, but the rule resolves the question for this profession itself, in an example it wrote into the regulation. Here are the two operative passages, exactly as the Code of Federal Regulations carries them:
Primary record
Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). [...] An accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution because tax preparation services is a financial activity listed in 12 CFR 225.28(b)(6)(vi) and referenced in section 4(k)(4)(G) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G).
86 FR 70304, Dec. 9, 2021, as amended at 88 FR 77508, Nov. 13, 2023 · Verified July 18, 2026
Read the highlighted clause again, because the whole map hangs on it: "in the business of completing income tax returns." Not e-filing. Not holding a credential. Not passing a headcount. The business of completing returns is what makes a practice a financial institution here, and the FTC's own compliance guidance (revised December 2024) repeats the point in plain words, listing "tax preparation firms" alongside mortgage brokers, check cashers, and collection agencies among its examples of covered businesses.
For credentialed practitioners there is a second layer on the same duty. In June 2025 the IRS Office of Professional Responsibility addressed its WISP bulletin to attorneys, certified public accountants, enrolled agents, enrolled retirement plan agents, and Annual Filing Season Program participants, and grounded the duty in Circular 230's competence and compliance-procedures standards on top of the FTC rule (OPR Issue 2025-8, June 9, 2025). Coverage under the rule attaches to the activity; the credential adds a professional-responsibility edge. Once the duty attaches, what the WISP requirement actually says is its own subject, walked from the primary sources.
The segment map
One table, ten working situations. Where the record answers, the row says yes or no and cites it. Where coverage turns on facts the record does not settle, the row says "it depends" and the sections below walk the reasoning. No row here stretches the rule to inflate its audience; an honest no is worth more than a manufactured yes.
| Practice or role | Covered? | Why | Source |
|---|---|---|---|
| Paid tax return preparer (any credential or none) | Yes | In the business of completing income tax returns: the rule's own example, word for word. | 16 CFR 314.2(h)(2)(viii) |
| Enrolled agent preparing returns | Yes | Same example. The EA credential adds Circular 230 exposure on top; it changes nothing about coverage. | 314.2(h)(2)(viii); OPR 2025-8 |
| CPA firm with a tax practice | Yes | The example opens "an accountant or other tax preparation service." A CPA firm completing returns is its core case. | 314.2(h)(2)(viii) |
| CPA firm, audit or attest only (no returns) | It depends | Outside the example. Coverage turns on the general definition: significant engagement in activities financial in nature. | 314.2(h)(1), (h)(3)(iv) |
| Bookkeeping-only practice (no returns) | It depends | Bookkeeping is named neither in the rule's examples nor in the listed activity behind the tax example. The general definition governs; see below. | 314.2(h); 12 CFR 225.28(b)(6)(vi) |
| Payroll services | It depends | Payroll is likewise not named. Same definitional test, same unsettled edge. | 314.2(h); 12 CFR 225.28(b)(6) |
| Solo or seasonal preparer | Yes | Covered because preparing returns is the business, at any size. Under 5,000 consumers four duties are waived, never the written plan. | 314.2(h)(2)(viii); 16 CFR 314.6 |
| Firm that does not e-file (paper only) | Yes | The example turns on completing returns as a business, not on how the returns reach the IRS. | 314.2(h)(2)(viii) |
| PTIN holder not currently preparing | Not while inactive | Coverage follows the activity, not the credential (our reading of the definition). The renewal form still records a signed awareness attestation either way. | 314.2(h)(1); Form W-12 (Rev. October 2025) |
| VITA/TCE volunteer | Different regime | A free volunteer site is not in the business of completing returns (our reading of the definition). IRS program rules require an annual site security plan instead. | Pub 4299 (Rev. 2-2025); Pub 5450 (Rev. 10-2025) |
The it-depends rows turn on facts specific to your practice: what services you sell, how much of the business they are, and whose data you hold. If your situation sits on one of those edges, have a qualified professional confirm your coverage before you rely on either answer.
Do bookkeepers need a WISP if they don't do taxes?
Not automatically, and this is the map's most misstated row. A bookkeeping-only practice is covered by the Safeguards Rule only if it meets the general definition of a financial institution, because the rule's tax example does not reach it. Three facts from the record frame the honest answer. First, the example that captures tax practices has a condition: being "in the business of completing income tax returns." A firm that keeps books and never completes returns is not that firm. Second, the activity list the example rests on names "tax-planning and tax-preparation services" at 12 CFR 225.28(b)(6)(vi); bookkeeping appears nowhere in that item. Third, the rule's own exclusions say entities that engage in financial activities "but that are not significantly engaged in those financial activities" are not financial institutions at all (16 CFR 314.2(h)(3)(iv)).
What that leaves is a judgment the text does not make for you: whether the services a bookkeeping practice actually sells amount to significant engagement in activities financial in nature. That is our reading of the definition, stated as one; the rule text nowhere answers "bookkeeping" by name, and we label the edge unsettled rather than pretend it is decided. Two things are decided. A bookkeeping practice that also completes returns for even part of its clients sits inside the tax example, and the whole duty attaches. And a practice outside the federal rule can still owe a written plan to a state; the FAQ below covers that layer.
The field mostly answers this row with a blanket "everyone needs one." That answer happens to be safe advice and bad law: safe because a written plan is worth having, bad because it reads a scoped federal rule as if it had no scope. This page keeps the two apart. What a covered firm must actually build is walked, element by element, in the full rule, element by element.
What about VITA volunteers?
VITA and TCE volunteers get a different answer, because they answer to a different regime. The Safeguards Rule's example reaches those "in the business of completing income tax returns," and a free volunteer site sponsored under the IRS's VITA/TCE program is not in that business; that is our reading of the definition, and we could find no FTC statement addressing volunteer sites either way (we checked the rule text and the FTC's Safeguards business guidance, and ran a public web search, on July 18, 2026). What governs a VITA site instead is the IRS's own program rulebook, and it is specific: "All VITA/TCE sites, except Facilitated Self Assistance (FSA) remote sites, must prepare an annual security plan to safeguard taxpayer data" (Publication 4299, Rev. 2-2025). The instrument even has a form number: Form 15272, VITA/TCE Security Plan, which Publication 4299 names directly and Publication 5450 (Rev. 10-2025) builds site procedures around.
So the volunteer's honest row reads: no WISP under the FTC rule, a mandatory annual security plan under IRS program rules. One nuance matters in practice. A volunteer who also runs a paid practice on the side carries the full Safeguards duty for the paid side, because that side is in the business. The site's plan covers the site; it does not cover your firm.
Am I covered? The three-question self-test
Three questions settle most practices. Answer them in order:
- Does your practice complete income tax returns for compensation? If yes, stop here: you are the rule's named example, and the WISP duty applies. Every paid preparer lands on this row, EAs and tax CPAs included, solo and seasonal too.
- If no: are the services you do sell financial in nature, and are they the business, not a sideline? This is the general definition's test, and it is where bookkeeping-only, payroll, and audit-only practices live. The record does not settle these edges by name; the sections above give the reasoning, and an unsettled edge is a question for a professional, not a guess.
- Either way: how many consumers' information do you maintain? This question never decides coverage; it sizes the program. A covered firm under 5,000 consumers is excused from four listed duties and still owes the written plan itself. The exact split is the exemption page's subject.
Covered but tiny: what changes?
Nothing about coverage, everything about workload. Being small does not move a practice out of the rule; it moves four duties off its list. A covered firm that maintains customer information on fewer than 5,000 consumers is excused from the written risk assessment, continuous monitoring or penetration testing, the written incident response plan, and the annual written report to leadership (16 CFR 314.6), and the count runs on what you maintain, former clients included, not on what you filed this season. The written plan itself is never waived, and neither is the FTC's breach-notification clock. The full waived-versus-required table, including the two rows where the exception splits a duty rather than removing it, is on the exemption guide.
FAQ
Does every PTIN holder need a WISP?
Every PTIN holder signs about one; the duty itself belongs to those in the business. Line 11 of Form W-12 (Rev. October 2025) has each applicant attest awareness that paid preparers "are required by law to create and maintain a written information security plan," and the form is signed under penalties of perjury. It is an awareness attestation, not a certification that a plan exists. A holder actively preparing returns owes the plan because of the Safeguards Rule, not because of the checkbox; a holder not currently preparing signs the same awareness statement while the duty waits for the activity.
My software vendor handles security. Am I covered?
No vendor can hold your WISP for you. The Safeguards Rule makes service providers a section of your program, not a substitute for it: a covered firm must take reasonable steps to pick providers "capable of maintaining appropriate safeguards," bind them "by contract to implement and maintain such safeguards," and keep "periodically assessing" them (16 CFR 314.4(f)). Your tax software belongs inside the plan as a vendor you oversee. The plan itself, and the vendor-oversight element inside it, stays your firm's; the requirement's contents walk all nine elements against the text.
I only prepare a few returns a year. Does the rule still apply?
The rule's example carries no return count: it reaches a service "in the business of completing income tax returns," and a small paid sideline is still paid preparation. The definition's sizing valve is significance, not volume: it covers institutions "significantly engaged" in financial activities and excludes those that are not (16 CFR 314.2(h)(1), (h)(3)(iv)), and the rule does not say where a handful of paid returns falls on that line, so we will not pretend it does. What is certain: a few clients' worth of files keeps a covered firm comfortably under the 5,000-consumer threshold, which shortens the program without removing the plan.
Does state law reach me even if the federal rule doesn't?
It can, and Massachusetts is the clearest case: 201 CMR 17.00 requires every person that "owns or licenses personal information about a resident of the Commonwealth" to "develop, implement, and maintain a comprehensive information security program" in writing, and it has applied since March 1, 2010, wherever the firm sits (201 CMR 17.00). New York's SHIELD Act runs the same direction: any person or business that owns or licenses computerized data including a New York resident's private information "shall develop, implement and maintain reasonable safeguards" (N.Y. Gen. Bus. Law 899-bb). So a bookkeeping practice outside the federal rule can still owe a written program to a state its clients live in; the regulation and the statute linked above are the primary texts.
The bottom line
Coverage is not a mystery; it is a definition with your profession written into it. If your firm completes income tax returns as a business, the WISP duty is yours, at any size, e-filing or not. The edges (bookkeeping, payroll, audit-only) turn on a significance test the record leaves open, and the honest move there is a professional read, not a vendor's blanket yes. Volunteers answer to the IRS program rulebook instead. Wherever your row landed, the next step is the same document.
Next in this guide
WISP for Tax Preparers: Written Information Security Plan
The WISP requirement for tax preparers: the FTC Safeguards Rule requires the written plan and the IRS presses it. What it says, who imposes it, how to build one.
Related
- How we verify
The method behind every figure on this site: primary sources, as-of dates, and dated corrections.