Three acronyms, one goal
If you run a tax or accounting firm in 2026, you have heard these three terms in some combination for years. You may have a WISP saved somewhere. You have definitely heard of IRS Publication 4557. And the FTC Safeguards Rule may or may not ring a bell, depending on when you last looked at your CPE.
Here is the thing nobody tells you in a clean way: these three things are not competing requirements. They describe the same outcome from three different angles. Satisfy one correctly and you are most of the way to the other two.
This is the plain-English guide. What each one is, what they actually require, and how to produce a single body of evidence that satisfies all three.
The three documents in 60 seconds
WISP
A Written Information Security Plan. A document your firm produces describing how you protect client data.
IRS Publication 4557
The IRS's safeguards guidance for tax professionals. Mandates a WISP and outlines the specific protections it expects.
FTC Safeguards Rule
A federal regulation (16 CFR Part 314) that imposes specific security program requirements on financial institutions, which includes tax preparers and accounting firms.
Think of it this way. The FTC Safeguards Rule is the federal law. IRS Publication 4557 is the tax-professional-specific playbook for meeting it. The WISP is the physical artifact that proves you did.
What the FTC Safeguards Rule actually requires
This is the big one. Most small firms do not realize they qualify as a financial institution under this rule. They do. If you prepare tax returns for compensation, you are in scope. Period.
The rule mandates nine program elements. Here they are in plain English:
1. Designate a qualified individual. You have to name one person responsible for the security program. It can be the owner. It can be an outsourced provider.
2. Conduct a written risk assessment. Identify the foreseeable internal and external risks to customer data.
3. Implement safeguards. Encryption, access controls, multi-factor authentication, secure disposal, change management.
4. Monitor and test. Continuously monitor your systems. Run a penetration test annually, or continuously monitor with equivalent coverage.
5. Train employees. Security awareness training, updated to reflect the current threat landscape.
6. Oversee service providers. Require contracts with your vendors that obligate them to protect data, and periodically reassess them.
7. Keep the program current. Review and update the program regularly.
8. Have an incident response plan. A written plan addressing assessment, containment, notification, and recovery.
9. Report to the board or senior leadership annually. The qualified individual reports on the program to leadership each year.
If your firm is below the threshold of 5,000 consumers, some elements are simplified. Even so, the fundamentals (qualified individual, risk assessment, safeguards, incident response, and a written plan) apply to every firm that handles customer financial information.
What IRS Publication 4557 adds
Publication 4557 is the IRS's translation of FTC Safeguards Rule requirements into tax-preparer specifics. It focuses on the actual workflows in a tax practice: returns, PTINs, e-filing credentials, client portals, and client communications.
Specific things the IRS calls out:
- Strong passwords and multi-factor authentication on every system with client data.
- Drive encryption on laptops. Locked file cabinets for paper records.
- Secure email or a client portal for exchanging tax documents. Never email sensitive data in plain text.
- Virus protection, firewalls, and prompt software updates on every device.
- A process for reporting compromised EFINs and PTINs to the IRS immediately.
- Documentation of data loss prevention practices.
The IRS expects you to have these controls and to have written them down in your WISP. Enforcement comes through e-Services monitoring and IRS Security Summit audits, and if something goes wrong, the Return Preparer Office can suspend or revoke your EFIN.
What a real WISP looks like
The WISP is the artifact. It is a written document, specific to your firm, that covers the following. If your WISP does not, it is a template. Templates do not pass scrutiny.
- Firm profile. Business name, EFIN, size, and scope of client data handled.
- Qualified individual. The person responsible for security.
- Risk assessment. The specific threats to your firm, documented.
- Administrative safeguards. Employee training, background checks, access controls, vendor management.
- Technical safeguards. Endpoint protection, encryption, network security, monitoring.
- Physical safeguards. Office access control, device storage, clean-desk practices.
- Incident response procedures. What happens when something goes wrong, step by step.
- Breach notification plan. Who you call, in what order, and what you tell clients.
- Annual review record. Signatures and dates showing you update it at least once a year.
Most firms that fail an audit fail on two things: the WISP is generic, or the WISP exists but nothing in it actually reflects reality. An auditor's favorite question is: show me where your WISP says X, and then show me the evidence you are actually doing X.
How the three fit together
Stop thinking of these as three separate projects. They are one project with three evidence packets.
- The FTC Safeguards Rule sets the nine program elements. Your firm must cover all of them.
- IRS Publication 4557 translates those elements into the specific controls a tax firm uses. Your implementation should match the 4557 list.
- The WISP is the document that proves you did both.
Build the WISP correctly and the FTC compliance and IRS compliance follow. Not the other way around.
What to do this quarter
1. Pull your current WISP out. If it is more than 12 months old, it does not count. If you do not have one, start with a real template (not a generic Google result).
2. Name your qualified individual in writing. Put it in the WISP.
3. Walk through the nine FTC program elements. Mark each one as covered, partially covered, or not covered.
4. Fix the gaps with real controls, not documentation. If your WISP says you run phishing simulations, you should have actual simulation results to show.
5. Set a calendar reminder for the annual review. Not an optional tip. An explicit requirement.
A compliant firm is not the firm with the thickest document. It is the firm that can produce the document, the controls, and the evidence in the same breath.
If you want a WISP template that is actually shaped like what the IRS and FTC expect, we will send you ours. It is the same template we use with our managed-security clients, and it includes the evidence checklist that most generic WISPs leave out.