
Understanding FTC Data Safeguard Rules

Plain-English breakdown of the FTC Safeguards Rule for accounting firms: who it applies to, what the 9 required elements mean in practice, and the $50,000 per-violation penalty math owners should not ignore.

October 1, 2025 · 9 min read

The FTC Safeguards Rule for Accounting Firms

It applies to your firm. It is enforced. The penalty starts at $50,000 per violation. Here is what you actually have to do.

Yes, the rule applies to your firm

The FTC Safeguards Rule (16 CFR Part 314) was rewritten in 2021 and the new version took effect in June 2023. It governs how "financial institutions" handle customer information. Most accounting firm owners read that and assume it does not apply to them. It does.

Under the rule, a financial institution is any business "significantly engaged in financial activities." The FTC has confirmed this definition includes tax preparers, CPAs, enrolled agents, bookkeepers, and accounting firms of every size. If you handle a 1099, a W-2, or a Schedule C for a paying client, the rule applies.

There is no small-firm exemption. A solo preparer working from a home office is held to the same standard as a regional firm with 200 employees. The rule scales the controls to the size of the operation, but the requirement to have controls does not flex.

The 9 elements you have to produce

The rule lists nine required elements of a security program. You do not get to pick five. You produce all nine, and you have to be able to prove each one if asked.

1. Designate a qualified individual

One named person is responsible for the security program. They do not have to be a full-time employee. They do not have to be technical. They have to be accountable. For a small firm, this is usually the owner or an outsourced provider with a written agreement.

2. Conduct a written risk assessment

Document the threats your firm faces, the systems and data those threats touch, and the controls you have in place. Update it every time something material changes (new software, new staff, new vendors).

3. Design and implement safeguards

Your safeguards must address access controls, data inventory, encryption, secure development practices for any custom apps, multi-factor authentication, secure disposal, change management, and monitoring of authorized user activity. That is the minimum list.

4. Regularly test and monitor those safeguards

Continuous monitoring or, if that is not feasible, annual penetration testing plus vulnerability assessments at least every six months. For most small firms, this means hiring a managed security provider with a 24/7 operations center, because no two-person firm runs continuous monitoring on its own.

5. Train your staff

Security awareness training for every employee, with documentation. Plus specialized training for anyone with security responsibilities. The IRS audits this. They will ask for the records.

6. Oversee your service providers

You are responsible for the security of any vendor that touches your client data. That means contracts that require security controls, periodic assessments of those vendors, and documented evidence that you have done both.

7. Keep your program current

When something changes (a new threat, a new system, an employee leaves) you update the program. The plan is a living document, not a PDF you sign once and shelve.

8. Maintain a written incident response plan

A specific, written plan covering goals, roles, communication, internal and external coordination, documentation, post-incident analysis, and program adjustments. If a breach happens, you should be reading from this plan, not writing it on the fly.

9. Report to the board (or the equivalent)

Your qualified individual must report annually to the firm owner or governing body on the state of the program. For a 3-person firm where the owner is the qualified individual, this looks like a documented annual review meeting with the partners.

The "qualified individual" question for small firms

This is where most small-firm owners get stuck. The rule says you must designate someone qualified. It does not define what qualified means. The FTC has explicitly stated that the qualified individual can be an employee, an affiliate, or a service provider, and they can work part-time. A solo CPA can serve as their own qualified individual if they are willing to take on the responsibility.

In practice, most small firms outsource this role to a managed security provider. The reason is liability. If you are the qualified individual and you miss a control, you are personally on the hook in an FTC enforcement action. If your provider is the qualified individual under contract, that liability shifts.

The penalty math owners do not run

The FTC can pursue civil penalties up to $50,120 per violation under the Safeguards Rule (the figure adjusts annually for inflation). A single breach can produce dozens of violations. The FTC has settled cases against small businesses for amounts ranging from $250,000 to several million dollars, plus 20-year monitoring requirements.

On top of FTC penalties, every state has its own breach notification law. A firm with 800 clients across 4 states is looking at four separate notification regimes, each with its own timing requirements, attorney general filings, and credit monitoring offers.

The honest comparison is this. The cost of compliance for a 5-person firm is around $300 to $700 per month for a managed security program that covers most of the nine elements. The cost of one Safeguards Rule enforcement action starts at six figures and can end careers.

What proof actually looks like

If the FTC opens an inquiry, they will not ask whether you have a program. They will ask you to produce the artifacts. Specifically:

  • A current written risk assessment, dated and signed.
  • The WISP (written information security program) itself, with the qualified individual named.
  • Training records for every employee, current within the last 12 months.
  • A vendor list with security agreements on file.
  • Continuous monitoring logs or recent penetration test results.
  • An incident response plan.
  • An annual board report.

If you cannot produce these in under an hour, you have a paperwork problem, not a security problem. Most firms fail at the documentation step long before they fail at the controls.

What to do this week

Start with the three items that close the most exposure fastest.

  1. Name your qualified individual in writing. If you are using a managed provider, make sure your contract explicitly names them.
  2. Write or refresh your WISP and date it within the last 12 months. A WISP older than that does not count.
  3. Pull your vendor list and confirm you have a signed data processing agreement with every vendor that touches client data. If your tax software, your payroll system, or your portal vendor cannot produce a SOC 2 Type II report, that is a finding.

Compliance with the FTC Safeguards Rule is not optional, and it is not negotiable. It is the cost of practicing in 2026. The firms treating it as a one-time project are the ones who get hit with surprise enforcement actions. The firms treating it as a recurring operational discipline are the ones who keep their licenses, their clients, and their reputations.
