FTC Safeguards: What Accounting and Tax Firms Actually Have to Do

You’re a “financial institution.” Yes, really.

Most accounting and tax professionals are surprised to learn that the federal government considers their firm a “financial institution” — and that a Federal Trade Commission rule requires them to protect client data in specific, documented ways. It sounds like something written for banks. It wasn’t. The FTC Safeguards Rule, which falls under the Gramm-Leach-Bliley Act, applies squarely to firms that prepare tax returns and provide accounting services. The IRS says the same thing: Publication 4557 notes that the Safeguards Rule’s “financial institutions” definition “includes professional tax preparers,” and Publication 5708 confirms that tax and accounting professionals are financial institutions “regardless of size.”

If your firm collects Social Security numbers, financial account details, and income information to do its work — and every tax and accounting firm does — the Safeguards Rule applies to you. The amended rule took full effect in June 2023, and enforcement is real. The good news: compliance is achievable, and most of it is simply good security practice written down.

What the rule actually requires

At its core, the Safeguards Rule requires your firm to maintain a written information security program with a defined set of elements. In plain terms, that means:

Put someone in charge. You must designate a “Qualified Individual” responsible for your security program. This can be an employee or a qualified service provider — many small firms designate their managed IT and security partner for this role.

Know your risks. A written risk assessment identifies where client data lives, how it could be exposed, and what you’re doing about it. This isn’t a one-time checkbox; it’s the foundation everything else is built on.

Implement real safeguards. The rule names specific controls: access controls so only the right people reach client data, encryption of customer information both at rest and in transit, multi-factor authentication for anyone accessing systems with client data, and secure disposal of data you no longer need.

Test and monitor. You’re expected to monitor your systems for problems — either through continuous monitoring, or through annual penetration testing combined with vulnerability assessments at least every six months.

Train your people. Your staff are your first line of defense, and the rule expects them to be trained on security awareness.

Oversee your vendors. Any service provider that touches client data must be held to the same standard, in writing.

Have a plan for when something goes wrong. A written incident response plan means that if there’s a breach, your firm acts on a plan instead of panicking.

Report to leadership. Your Qualified Individual must report in writing to your board or senior leadership, at least annually, on the state of the program.

The small-firm exemption (and its limits)

Firms that maintain customer information concerning fewer than 5,000 consumers get a carve-out under §314.6 — but it’s narrower than most summaries suggest. The carve-out exempts four specific provisions, and only those four: the requirement to put the risk assessment in writing with the criteria the rule spells out (§314.4(b)(1)); the specific monitoring regimen of continuous monitoring or annual penetration testing plus vulnerability assessments every six months (§314.4(d)(2)); the written incident response plan with the rule’s named elements (§314.4(h)); and the annual written report to the board (§314.4(i)).

What small firms still owe is more than most people assume. Every firm, regardless of size, must still base its program on a risk assessment (§314.4(b)) and periodically reassess (§314.4(b)(2)); must still regularly test or otherwise monitor the effectiveness of its safeguards (§314.4(d)(1)); and must still implement the core program — designating a Qualified Individual, access controls, encryption, multi-factor authentication, secure disposal, change management, staff training, vendor oversight, and ongoing evaluation and adjustment. The exemption reduces the paperwork, not the protection.

And don’t confuse that 5,000-consumer figure with the rule’s breach-notification trigger: a separate provision (§314.4(j)) requires firms to notify the FTC within 30 days of discovering a security breach affecting 500 or more consumers — and that obligation applies to small firms too.

Don’t forget IRS Publication 4557

The FTC isn’t the only authority here. IRS Publication 4557, “Safeguarding Taxpayer Data,” lays out the IRS’s own expectations for protecting taxpayer information — but the written data security plan (a WISP) your firm needs is mandated by the FTC Safeguards Rule itself. The IRS reinforces it — preparers acknowledge their data-security responsibilities when they renew their PTIN on Form W-12 — and Publication 4557 points firms to Publication 5708 for building that plan. In practice, a well-built security program satisfies both the FTC and the IRS at once, which is exactly why we recommend starting from a recognized framework rather than chasing each requirement separately.

How to actually get there

Here’s the part that gets lost in the regulatory language: you don’t comply with the Safeguards Rule by reading the Safeguards Rule. You comply by running a real security program — and then documenting that you do. That’s why SmartWeb builds every client’s program on the CIS and NIST frameworks. Get the framework right, and FTC compliance, IRS Publication 4557, your cyber-insurance questionnaire, and your clients’ security reviews all fall out of the same work.

If you’re not sure where your firm stands today, that’s a normal place to start. A straightforward gap assessment will tell you exactly which of these requirements you already meet and which need attention — usually with far fewer surprises than firm owners expect.

Wondering where your firm stands on the Safeguards Rule? Schedule a call and we’ll walk through it together — no jargon, no scare tactics.

This article is general information, not legal or compliance advice. Confirm your firm’s specific obligations with qualified counsel or your tax-compliance advisor.