Accountants, Bookkeepers & Tax Pros
The FTC Safeguards Rule applies to any non-bank business significantly engaged in providing financial products or services to consumers, and it applies regardless of size. There is no exemption based on revenue or headcount. The only size-related relief is that a firm holding information on fewer than 5,000 consumers is excused from a few documentation items (the written risk assessment, the written incident response plan, the annual report to leadership, and the formal testing schedule of continuous monitoring or annual penetration tests with semiannual vulnerability scans), not from the program itself. What the rule requires is a written, documented security program: specific to your firm, actively maintained, and ready to show when asked.
Your clients trust you with their money, with their data, with their identity.
We build the program that protects that trust. After we've done our work, you can honestly tell your clients that you take the security of your financial data seriously. Protection is the promise. Compliance is the proof.
What the FTC Actually Requires
Nine requirements. Every one of them written.
The FTC Safeguards Rule mandates specific, documented controls — not a general sense of being careful. Here is what the rule actually requires, in plain language.
Designate a qualified individual now
Name someone responsible for your security program. The FTC requires a designated Qualified Individual, who may be an employee, an affiliate, or a service provider, with clear authority and documented responsibility for overseeing the entire program. If you outsource the role, you keep the legal responsibility: you must name a senior person at your firm to direct and oversee the provider, and require the provider to maintain a security program of its own.
A Formal Risk Assessment — Written, Not Assumed
A formal assessment identifies threats to your client data, evaluates the controls you already have, and maps out what needs fixing. The rule spells out what the written assessment must contain: the criteria you use to rate each risk, the criteria for judging the confidentiality, integrity and availability of your systems and data, and how each identified risk will be mitigated or accepted. It must also be revisited periodically, not filed once. This document becomes your roadmap for compliance and your defense against negligence claims.
Control access with multi-factor authentication
Who gets in, and how, is a compliance decision. Access to client financial data must be limited to the people whose role requires it, reviewed periodically, and revoked when it is no longer needed. The rule also requires multi-factor authentication for any individual accessing any information system that holds customer information. The only exception is a reasonably equivalent or more secure access control that your Qualified Individual has approved in writing; "we're a small firm" and "the legacy software doesn't support it" are not exceptions.
Data Inventory & Classification
The FTC requires a current, documented inventory of every type of customer data your firm holds: what it is, where it lives (including backups, email and portable devices), how it enters your systems, and who can access it. The inventory is what the risk assessment, the access controls and the encryption requirement are measured against. If you don't know the answer, neither will a regulator.
Client Financial Data Must Be Encrypted — In Transit and at Rest
Encryption is required for customer information in transit over external networks and at rest, which in practice covers email, cloud storage, backups, and portable devices. This isn't optional hardening; it's a specific, enumerated requirement of the rule. Where encryption is genuinely infeasible, the rule allows effective compensating controls instead, but only if your Qualified Individual has reviewed and approved them, and that decision belongs in your documentation.
Annual Security Training — With Documentation to Prove It
Every staff member with access to customer information must receive security awareness training, updated as your risk assessment identifies new risks, covering phishing, social engineering, and password practices. The rule itself does not fix an interval; annual training is the baseline that examiners and insurers expect. Completion must be documented, with dates and names, because a verbal walkthrough is not evidence.
Third-Party Access to Client Data Is Your Responsibility
Every outside service provider that touches your customer data (cloud accounting platforms, document portals, IT providers, payroll processors) requires documented due diligence before selection, a contract that includes explicit security requirements, and periodic reassessment afterward. "They handle their own security" is not a documented oversight program.
A Written Incident Response Plan — Before You Need It
Your firm must have a written plan covering how you detect, contain, and recover from a security event: its goals, who is responsible and who has decision-making authority, internal and external communication steps including regulatory and client notification, how weaknesses are remediated, how the event is documented, and how the plan is reviewed afterward. A plan you write after an incident isn't a plan.
Your WISP Has to Be Built for Your Firm — Not Downloaded From the Internet
The Written Information Security Plan is the governing document your entire security program answers to. It must be specific to your firm, reviewed annually, and signed by leadership. A generic template with your name typed in will not hold up to scrutiny — and examiners know the difference.
Why Do You Need a WISP?
The WISP Isn't Just a Compliance Box. It's the Document Everything Else Answers To.
The nine requirements above only hold up if they're governed by a single, firm-specific master document. That's your Written Information Security Plan (or WISP for short) — and without it, you don't have a real security program. You have a pile of unconnected policies.
For tax preparers, the stakes are doubled: when you renew your PTIN you attest on Form W-12 that you are aware of your legal obligation to have a data security plan, and IRS Publication 5708 lays out what a firm-specific WISP must contain. This is not a suggestion or a best practice. Under the Safeguards Rule it is a requirement, and the IRS holds preparers to it.
For accountants and bookkeepers, the WISP is what stands between you and personal liability when something goes wrong. It's what your insurance carrier asks for when you file a claim. It's what an attorney needs to defend you if a client sues. It's what demonstrates — in writing — that you took your obligation seriously before the breach, not after.
A template with your firm's name typed in doesn't satisfy any of that. It has to be yours.

Policies & Procedures
Employee training
How your firm handles data — in writing. Employee roles, access controls, password policies, training requirements, and internal procedures. The rules your people follow and the documentation that proves it.

Systems & Controls
System Security
Encryption, multi-factor authentication, firewalls, endpoint protection, and patch management. Encryption and MFA are named in the rule itself; the rest are the controls your risk assessment will call for under the rule's access-control, change-management and monitoring requirements. Your WISP must document all of them and record how each one is verified.

Premises & Documents
Security Doesn't Stop at the Screen
Locked filing cabinets, clean desk policies, visitor controls, and secure disposal of paper and hardware. Client data in physical form carries the same legal weight as digital — your WISP has to address both.
If Your Business Touches Consumer Financial Data, the FTC Safeguards Rule Applies to You — Regardless of What You Call Yourself
The FTC Safeguards Rule isn't about banks; banks answer to their own regulators. It covers any non-bank business significantly engaged in providing financial products or services to consumers under the Gramm-Leach-Bliley Act (GLBA), a definition that is broader than most business owners realize. The 2021 amendments even added "finders" to the covered entities: businesses that bring together buyers and sellers of a product or service for transactions the parties negotiate and complete themselves.
The rule offers no exemption based on revenue, headcount, solo status, or how often you handle the data. The only size-based relief, for firms holding information on fewer than 5,000 consumers, waives a few documentation requirements and leaves the program intact. If your business handles consumer financial information in any of the categories below, you are a covered financial institution under federal law.
CPA Firms
Bookkeeping Practices
Tax Preparers
Financial Planners
State-Registered Investment Advisers (SEC-registered advisers fall under SEC rules instead)
Mortgage Lenders/Brokers
Auto Dealerships with Financing
Payday & Consumer Lenders
Check Cashing Businesses
Credit Counseling Services
Debt Collectors
Payroll Processing Firms
If You Think It Might Apply to You, It Likely Does!
Other businesses that frequently fall under the rule because of what they do include real estate appraisers, and colleges and universities that extend student loans or administer federal financial aid.
The key point: what matters is the activity the business undertakes, not how it categorizes itself. Any business "significantly engaged" in financial activities, or in activities incidental to them, can be covered even if it isn't on the list above. The notable exclusion is businesses whose financial activities are already regulated by another agency under the Gramm-Leach-Bliley Act, such as banks, credit unions, and SEC-registered brokers and advisers; those follow their own regulator's safeguards rules rather than the FTC's.
What's Included:
Good IT support isn't flashy. It's reliable. Your systems work. Your team stays productive. When incidents happen, we resolve them quickly and keep your business moving.
IT Strategy & Planning
A structured, ongoing technology strategy built around your business — so decisions get made proactively, not under pressure.
Compliance Reporting & Audit Preparation
Building and maintaining the evidence packages, reports, and documentation your firm needs to pass a regulatory exam — or an enterprise security questionnaire — with confidence.
Security Awareness Training & Phishing Simulations
Structured employee training programs paired with simulated phishing campaigns that turn your team into an active, documented layer of defense.
Email Security & Anti-Phishing
Layered protection at the inbox level, stopping phishing attempts, business email compromise, and malware before they reach your team.
Managed Backups & Immutable Storage
Automated, encrypted, offsite backups with immutable storage and documented recovery testing so your data is always recoverable — not just assumed to be.
Multi-Factor Authentication (MFA)
Deploying and enforcing MFA across every system that touches your data — a baseline control required by most insurers and every major compliance framework.
SIEM & Threat Detection
Log aggregation, anomaly detection, and real-time alerting that surfaces threats before they become incidents — and creates the audit trail regulators expect.
Network Security Monitoring
Continuous perimeter monitoring, firewall management, and intrusion detection keeping threats out of your network around the clock.
Endpoint Detection & Response (EDR)
Active monitoring and threat containment at every workstation so attacks are identified and stopped before they spread across your network.
Microsoft 365 Management
Complete administration of your Microsoft 365 environment — from user licensing and Exchange hardening to SharePoint security and Teams governance.
Help Desk & Remote Support
When systems fail, resolution matters. We provide comprehensive technical support with full documentation and accountability. Your issues are tracked, prioritized, and resolved by professionals who understand that reliability is non-negotiable for your business.
What happens if something goes wrong?
A breach demands swift action. Contain it immediately, investigate what happened, notify the IRS (for tax preparers), the FTC where the rule requires it, and any other relevant authorities, inform your affected clients, and take corrective measures to prevent recurrence.
Contain it
Stop the breach immediately. Isolate affected systems and limit the damage before anything else happens.
Investigate fully
Determine what was compromised and how it happened. Document everything for the record.
Notify authorities
Report without delay. Tax preparers should contact their local IRS Stakeholder Liaison, which lets the IRS block fraudulent returns filed with stolen client data. If unencrypted customer information of 500 or more consumers was taken (or encrypted data together with its key), the Safeguards Rule requires you to notify the FTC as soon as possible and no later than 30 days after discovery. State breach-notification laws and your cyber insurer's reporting deadlines apply on top of that. Inform your affected clients of what occurred and what they should do.
Correct and prevent
Fix the vulnerability that allowed the breach. Update your procedures so it doesn't happen again.
FTC Safeguards FAQs
Get clarity on what the FTC Safeguards Rule demands from your firm.
The FTC Safeguards Rule, 16 CFR Part 314, is a federal regulation that requires every non-bank financial institution under FTC jurisdiction to develop, implement, and maintain a written information security program. The rule was substantially amended in 2021, with the expanded requirements taking effect in June 2023: a designated Qualified Individual, a written risk assessment, documented access controls, multi-factor authentication, encryption, monitoring, employee training, vendor oversight, an incident response plan, and an annual report to leadership. A further amendment effective May 2024 added a requirement to notify the FTC of breaches affecting 500 or more consumers.
Yes. There is no exemption based on firm size or revenue. A solo bookkeeper with two clients is covered by the FTC Safeguards Rule just as a 50-person firm is. The only size-based relief, for firms holding information on fewer than 5,000 consumers, waives a few documentation items (the written risk assessment, written incident response plan, annual report, and formal testing schedule), not the program. If your firm provides financial products or services to consumers, including tax preparation, bookkeeping, or financial planning as the Gramm-Leach-Bliley Act defines them, the rule applies.
A WISP is a Written Information Security Plan (the IRS's term; the rule itself calls it an information security program), the document the FTC Safeguards Rule requires. It describes your firm's specific security controls, who is responsible for them, and when they were last reviewed. It covers three domains: administrative safeguards (training, policies, procedures), technical safeguards (encryption, MFA, monitoring), and physical safeguards (locked files, secure disposal). A WISP is not a template; it must be specific to your firm.
The rule requires: (1) designation of a Qualified Individual to oversee the program; (2) a written risk assessment, reassessed periodically; (3) access controls including multi-factor authentication; (4) an inventory of customer information and where it is held; (5) encryption of data in transit and at rest; (6) secure disposal of data no longer needed; (7) monitoring and logging of user activity to detect unauthorized access; (8) a security awareness training program for staff; (9) vendor oversight including written contracts and periodic review. It also requires a written incident response plan, regular testing of the safeguards, and an annual written report to leadership summarizing the program.
Most firms assume so. In practice, most generalist IT providers do not. FTC Safeguards requires a written, firm-specific security program — not antivirus software and a password policy. A useful test: ask your IT provider whether they have ever shown you a WISP written specifically for your firm. If the answer is no, you likely do not have a compliant program.
For most small firms, the foundation phase — risk assessment, WISP development, access controls, documented training program — takes 30 to 60 days from engagement to delivery. After that, the program enters ongoing maintenance with quarterly reviews and annual reassessment. FTC Safeguards compliance is not a one-time project; it is a continuously maintained program.
A 30 to 45 minute assessment covering every applicable requirement of the rule. Before the call, you complete a short questionnaire about your firm's current environment. During the call, we walk through every requirement in plain language and identify gaps. Within five business days, you receive a written Gap Assessment Report mapping your firm against every requirement with findings and prioritized recommendations. The report is yours to keep with no obligation.
Increasingly, yes. Cyber insurance carriers have tightened underwriting standards significantly since 2023. Most carriers now require evidence of a written security program, documented MFA, access controls, backup testing, and incident response planning — closely mirroring the FTC Safeguards requirements. A firm that is FTC Safeguards compliant is generally also insurable at better rates.
Yes. The FTC Safeguards Rule applies to every covered firm regardless of size or client volume; the fewer-than-5,000-consumers threshold waives a few documentation items, not the WISP. Your WISP must be in place, documented, and ready for inspection.
Good. But compliance isn't static. The rule requires annual reviews and updates. Threats change, your business evolves, and your WISP must keep pace with both.
The FTC enforces the rule, but the IRS (which requires tax preparers to attest to their data security obligations), your cyber insurer, and a client's auditor can all ask for the same evidence: your written policies, your risk assessment, your training records, and your incident response procedures. They verify that a Qualified Individual is named, that your systems are monitored, and that your documentation is current.
You can try, but the requirements are specific and the stakes are high. Most firms find that professional guidance saves time, prevents costly gaps, and ensures every requirement is properly documented.
With Streamlined TSM 2.0, most firms complete their WISP within a few weeks. The timeline depends on your firm's size and how quickly you can gather the necessary information.
Need more guidance?
Our compliance team is ready to help you navigate this.
Know where you stand before moving forward.
A free assessment tells you exactly what's missing. A written report is yours to keep — no strings attached, no pressure, no unwanted follow-ups. The report stays with you regardless of what you decide to do next.
Thirty minutes. One report. Everything you need to know.