The phrase tends to arrive in someone else’s paperwork: a cyber-insurance renewal asking whether the firm has designated a Qualified Individual, a client’s vendor questionnaire requesting a copy of your information security program, and, at every PTIN renewal, Line 11 of the W-12. All of it points at one regulation, a rule written for financial institutions, which sounds like it means banks.
It means you. The rule’s own definitions say so:
“An accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution because tax preparation services is a financial activity.”
That’s 16 CFR Part 314, the Safeguards Rule, the FTC’s implementation of the Gramm-Leach-Bliley Act. The rewritten rule has applied in full since June 2023, and a breach-reporting provision took effect in May 2024. Its duties fall on any firm that prepares returns for a fee. One size concession exists: firms maintaining customer information on fewer than 5,000 consumers are excused from four of the rule’s written formalities. The details, and why we’d rather you not build on the exemption, get their own section near the end. Everything else applies at any size.
What follows is a working checklist of the rule’s core program requirements; the regulation itself remains the source for definitions, exceptions, and complete sub-elements. Each element gets two things: what the rule asks, and a floor, meaning the modest version a small firm can keep up all year. (Why you write the floor into the plan, rather than the ceiling, is a guide of its own: Line 11, in plain English.) One caution that covers every floor below: they are practical starting points, not safe-harbor language, and meeting one does not by itself satisfy the rule.
The rule, element by element
1. Name one person: the Qualified Individual
The rule requires a single designated person to oversee the program, and it gives the role a name: the Qualified Individual, QI from here on. Qualified is doing real work in that title. The person needs authority to change how the firm works and enough knowledge of the program to answer for it; a title alone supplies neither. This is an accountability role, not an IT role. The technical work can sit with an employee or a service provider, and responsibility stays with the firm either way. In most small firms the right name is a partner or the owner, with the technical detail delegated in writing to whoever runs it.
The floor: one name in the plan, chosen for authority as much as aptitude, with the delegation written down.
2. Base the program on a risk assessment
Know what you hold and what could plausibly go wrong with it.
The floor: one honest table: each system, what client data it holds, what failure would look like. Revisit it when something changes. If your firm is over the 5,000-consumer line, §314.4(b)(1) asks more of the written version: the rule’s stated assessment criteria, plus how each identified risk will be mitigated or accepted.
3. Put the safeguards in place
The longest element. The rule names eight:
- Access controls. Only people who need client data can reach it, and someone checks the list on a schedule. The rule doesn’t set the frequency; pick a cadence the firm can keep and write it down. Twice a year suits many small practices, with season’s end a natural moment, and the usual find is a seasonal login that outlived the season.
- Data inventory. Know where client information lives, including the overlooked locations: the scanner share, the retired server, the paper files.
- Encryption, in transit and at rest. The duty covers customer information wherever it sits, so work from the inventory: encrypt the laptops, prefer systems that encrypt storage, stop sending returns as email attachments, and note what encrypts each location. Where encryption is infeasible somewhere, the rule’s alternative is specific: an effective compensating control, approved in writing by the QI.
- Secure software development. Written for companies that build applications. A firm that builds nothing still owns the other half of the element: document how the security of externally developed applications you rely on gets evaluated. Vendor diligence (element 6) contributes to that answer; the rule lists the evaluation separately.
- Multi-factor authentication for anyone accessing client information. The rule allows a written, QI-approved alternative; the simpler path for a small firm is turning MFA on everywhere client data lives.
- Secure disposal. The default: dispose of customer information no later than two years after its last use, subject to the exceptions stated in §314.4(c)(6). Tax practices retain records the law requires them to retain, so the exceptions do real work here. Map each category you keep to an identified legal, regulatory, or business basis; don’t assume a general retention schedule qualifies every record.
- Change management. When systems change, someone approves the change and writes it down, with the paperwork in proportion to the risk.
- Logging and monitoring of user activity. Be able to answer who touched what, when. In Microsoft 365 much of this is configuration rather than new spending, but verify it in your actual tenant: what’s being logged, how long your licensing retains it, and who reviews it.
4. Test that it works
Continuous monitoring of your systems, or the fallback cadence: annual penetration testing plus vulnerability assessments at least every six months, and again after material changes. Before this element alarms anyone, two notes. The under-5,000 carve-out (below) excuses exactly this cadence, along with three other formalities, so check whether it applies to you first. Where the cadence does apply, ask whether your current IT provider performs qualifying testing or whether an independent specialist is needed, and record who tests, to what scope, and when the next one is due.
5. Train people
Security awareness training, kept current with the risks an accounting firm actually faces: phishing and client-impersonation email above all.
The floor: training at onboarding, a recurring cadence, updates when the risks change, and a dated note each time it happens. Don’t write “annual training for all staff” unless the January session survives your calendar every year.
6. Mind your vendors
Your tax software, your portal, your document system, your IT provider: anyone who touches client data. The rule asks for care across the vendor’s whole life with you: chosen with diligence, held to safeguards by contract, and reassessed periodically.
The floor: a list of who they are, where each contract’s security language lives, and a yearly pass to re-check. Most major tax-industry vendors publish security documentation, so collecting it into one folder is the easy part. The choosing, the contract terms, and the periodic second look still have to happen, and be noted when they do.
7. Keep the program current
When testing, an incident, or a change in the business says the program needs adjusting, adjust it. State in the plan which events trigger a review; update the document when one occurs.
8. Write the incident response plan
The bad-day script. What counts as an incident, who assesses it, who preserves evidence, who calls counsel and the insurance carrier, and who determines which notifications the incident and the applicable law actually require: affected clients, the IRS, law enforcement, the FTC, your state. The plan’s job is to assign those questions to named people in advance, with the phone numbers on the page. Writing it during the incident is the expensive version.
9. Report up, in writing, at least annually
The QI writes a report, at least yearly, to the board or, where there isn’t one, to a senior officer: in a small firm, the owner or a managing partner. The rule specifies the content: the program’s overall status and compliance, and the material matters it lists, testing results and incidents among them. In a two-partner shop the report can be brief. The year it earns its keep is the year something goes wrong and the file shows the program was alive and someone was watching it.
10. Tell the FTC if it goes wrong at scale
Since May 13, 2024: an unauthorized acquisition of unencrypted customer information involving 500 or more consumers must be reported to the FTC as soon as possible, and no later than 30 days after discovery. The FTC has said those reports will be publicly posted. Below 500 consumers, the federal rule requires no FTC notice, and that settles only the federal question: state breach-notification laws, contracts, professional obligations, and insurance policies keep their own thresholds and clocks.
The small-firm carve-out, and why not to build on it
Here is the concession promised at the top. A firm that maintains customer information on fewer than 5,000 consumers is excused from four specified requirements: the written risk-assessment elements of §314.4(b)(1), the continuous-monitoring and penetration-testing cadence of §314.4(d)(2), the written incident response plan of (h), and the annual written report of (i).
The shorthand we use for it: the carve-out excuses the paperwork, not the duties. That holds because the underlying obligations continue. An exempt firm still bases its program on a risk assessment and still monitors and tests its safeguards; what falls away is the formal written assessment, the fixed testing cadence, and, for (h) and (i), those two documents themselves.
Check the arithmetic before relying on any of it. The test counts consumers whose customer information you maintain, and “maintain” reaches what you retain: former clients and archived returns don’t drop out of the count when the engagement ends. Count against the rule’s definitions of “consumer” and “customer information,” with counsel if the answer is close. And a count that is under the line this year can cross it quietly as retained records accumulate; nothing notifies the firm.
Our advice: don’t design the program around the exemption. The W-12 expects awareness of a written plan from every paid preparer at any size, and insurers or larger clients may request the written documents whether or not the FTC requires them of you. Maintain them anyway, and treat that as risk management the rule happens not to demand.
How exposure arrives
The FTC can enforce the rule through administrative or court orders that impose ongoing compliance obligations, and since 2024 qualifying breaches generate reports the FTC has said it will make public. For a small practice, though, the rule mostly arrives through quieter doors: the insurance renewal asking its questions in Safeguards vocabulary, the client questionnaire, Line 11, and, after an incident, a carrier and a regulator both opening with a request to see the program. The pre-incident requests are the useful ones. Each gives the firm a chance to correct the paperwork before an incident forces the issue.
A sensible order to do it in
Nothing here needs a consultant to start. Begin with one hour: name the responsible partner, export the current user list, list the systems that hold client data. Over the following weeks, verify MFA and encryption everywhere on that list, run one access review, and write the floor down, claiming only what’s true. Put the re-read and the annual report on the calendar. Do it in that order; the inventory and the control checks stand on their own even before the full program is polished.
If you’d rather check the map against your own firm first, book fifteen minutes and bring two numbers: your headcount and a rough count of the client records you retain. You’ll leave knowing whether the under-5,000 carve-out applies to you and which two elements to start on. Book a call.
