The Tax Preparer's IT Compliance Checklist: WISP, FTC Safeguards, and What the IRS Now Requires

Tax and accounting firms are legally 'financial institutions,' and the rules got stricter for the 2026 filing season. Here's what a Written Information Security Plan actually has to cover, and the IT controls behind each requirement.

The Tax Preparer's IT Compliance Checklist: WISP, FTC Safeguards, and What the IRS Now Requires

Most accountants know they handle sensitive data. Fewer realize that, in the eyes of the law, a tax practice is a financial institution, and has been on the hook for a specific, written security program for a while now. The requirements got stricter for the 2026 filing season, and the enforcement teeth are real.

Here’s the plain-English version of what’s required, and the IT work behind each piece.

Why this applies to your firm

Tax preparation is a “financial activity” under the Gramm-Leach-Bliley Act, which puts tax and accounting firms under the FTC Safeguards Rule. The IRS has said it bluntly: tax and accounting professionals are considered financial institutions regardless of size. If you hold a PTIN and e-file, you need a Written Information Security Plan (WISP), no exceptions for firm size, seasonal status, or return volume.

The IRS even provides the templates: Publication 5708 is a sample WISP, Publication 5709 walks you through building one, and Publication 4557 lays out the safeguards themselves.

The compliance checklist

A defensible security program for a tax firm needs all of the following. Each is a regulatory requirement, and each maps to concrete IT work:

  • A designated Qualified Individual. Someone accountable for the security program. For most firms this is where an IT partner formally steps in.
  • An annual written risk assessment. A documented look at where client data lives, how it’s protected, and what could go wrong, refreshed every year, not written once and forgotten.
  • Multi-factor authentication, everywhere. As of the 2026 filing season, Publication 5708 expects MFA for every user accessing any system that holds client information, including in-office workstations, not just remote logins. Keeping your data on a local server does not exempt you; it means the MFA is yours to implement.
  • Access controls and least privilege. Staff should reach only the data their role requires, with accounts promptly disabled when someone leaves.
  • Encryption of sensitive data, at rest and in transit.
  • Modern password practices. Guidance has shifted away from forced 90-day rotations toward longer minimum intervals, following current NIST recommendations, fewer forced changes, stronger and better-managed credentials.
  • A 30-day breach notification process. Since May 2024, a breach exposing the unencrypted information of 500 or more people must be reported to the FTC as soon as possible, and no later than 30 days after discovery. That means you also need the monitoring to know a breach happened.
  • Tested backups and a recovery plan. Protecting multi-year financial archives, and being able to restore them, is part of safeguarding client data, not a separate nicety.

The stakes

This isn’t box-checking. The IRS can revoke a PTIN. The FTC can levy civil penalties exceeding $46,000 per violation, per day. A breach with no documented WISP can void professional liability coverage and open the door to civil suits. And since 2023, you affirmatively attest at PTIN renewal that you maintain a data security plan, falsely certifying that is treated as federal fraud.

Where an IT partner fits

Almost every line on that checklist is something an IT provider does day to day, MFA rollouts, access controls, encryption, monitoring and breach detection, backup and recovery, and the documentation that ties it together into a plan you can hand a regulator. The compliance language is the accountant’s world; the controls underneath it are ours.

For firms that keep client data on-premise, there’s an added advantage worth naming: when the data lives in your building and your IT partner runs a private, on-premise AI and security stack, you can meet these obligations without ever handing taxpayer information to a third-party cloud you don’t control. Same principle the rule is chasing, know where the data is, and control who can touch it.

If you’re not certain your firm could hand the IRS a current WISP and prove the controls behind it, that’s the conversation to have before the next filing season starts, not during it.

Frequently asked questions

Does a small tax firm really need a Written Information Security Plan?

Yes. The IRS is explicit that tax and accounting professionals are considered financial institutions under the law regardless of size, and any PTIN holder who e-files needs a WISP. There's no exemption for small firms, seasonal preparers, or low return volume.

What changed for the 2026 filing season?

The August 2024 update to IRS Publication 5708 tightened the requirements. Most notably, multi-factor authentication is now expected for every user accessing systems that hold client data, including in-office workstations, and password-change guidance shifted toward longer minimum intervals in line with current NIST recommendations.

What happens if we don't have a WISP?

The exposure is real: the IRS can revoke a PTIN, the FTC can levy civil penalties, and a breach without a documented plan can void professional liability coverage and invite civil suits. Since 2023, PTIN renewal also requires attesting that you maintain a data security plan, and a false attestation is treated as federal fraud.