FTC Safeguards Rule compliance checklist
A complete, step-by-step checklist for tax firms to achieve and maintain compliance with the FTC Safeguards Rule. Covers everything from designating your Qualified Individual to ongoing monitoring and annual reporting.
Overview
What the FTC Safeguards Rule requires
The FTC Safeguards Rule (16 CFR Part 314) applies to all “financial institutions” as defined under the Gramm-Leach-Bliley Act, which explicitly includes tax return preparers. The amended rule, effective June 9, 2023, introduced significant new requirements including mandatory encryption, multi-factor authentication, penetration testing, and the designation of a Qualified Individual.
Non-compliance is not just a regulatory risk. In the event of a data breach, failure to comply with the Safeguards Rule can result in FTC enforcement actions, state attorney general investigations, civil lawsuits from affected taxpayers, and loss of your PTIN and ability to practice.
This checklist is organized into four phases that mirror the structure of the rule itself. Work through each phase in order, and use the detailed tasks to build or audit your compliance program.
Designate a Qualified Individual
Conduct a Risk Assessment
Implement Safeguards
Monitor, Test, and Update
Designate a Qualified Individual
Required as of June 9, 2023
Section 314.4(a) of the amended Safeguards Rule requires you to designate a single Qualified Individual (QI) responsible for overseeing, implementing, and enforcing your information security program. This person does not need to be an employee. You may designate an outside service provider, but your firm retains ultimate responsibility for compliance.
Identify and formally designate a Qualified Individual in writing
Create a written appointment letter specifying the QI's name, title, responsibilities, authority, and effective date. The QI must have sufficient authority to direct resources and make decisions.
Verify the QI has appropriate expertise or access to expertise
The QI must understand information security risks relevant to tax preparation. If using an outside provider, verify their credentials and document the engagement agreement.
Establish a reporting structure to senior management
The QI must report in writing at least annually to the board of directors, a senior officer, or the firm owner. Reports must cover program status, risk assessment findings, and material security events.
Define the QI's scope of authority and budget
Document that the QI has authority to approve security expenditures, mandate policy changes, and escalate critical issues to firm leadership.
Conduct a Risk Assessment
Initial assessment required; reassess periodically
Section 314.4(b) requires a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. The assessment must evaluate the sufficiency of existing safeguards and be updated whenever there are material changes to your operations.
Inventory all systems that store, process, or transmit taxpayer data
Include tax preparation software, email systems, file servers, cloud storage, printers, scanners, mobile devices, and backup systems. Note the physical location of each.
Identify internal threats to taxpayer data
Consider employee error, insider theft, inadequate training, weak passwords, unauthorized software installation, and loss or theft of devices.
Identify external threats to taxpayer data
Consider phishing attacks, ransomware, malware, brute force attacks, social engineering, physical break-ins, and compromised third-party vendors.
Assess the likelihood and potential damage of each identified threat
Use a consistent rating methodology (e.g., High/Medium/Low) for both likelihood and impact. Document your reasoning for each rating.
Evaluate the sufficiency of existing safeguards for each threat
For each identified risk, document what controls are currently in place and whether they adequately mitigate the risk to an acceptable level.
Document remediation plans for gaps identified
For any risk where existing safeguards are insufficient, create a remediation plan with specific actions, responsible parties, and target completion dates.
Implement Safeguards
Ongoing based on risk assessment findings
Section 314.4(c) and (d) require you to design and implement safeguards to control the risks identified in your assessment. The rule specifies several mandatory safeguards that apply to all covered financial institutions, including tax preparers.
Implement access controls based on the principle of least privilege
Restrict each employee's access to only the taxpayer data and systems they need to perform their job. Use role-based access control and review permissions quarterly.
Deploy multi-factor authentication on all systems with customer data
MFA is mandatory for any individual accessing customer information on your systems. This includes tax software, email, cloud storage, and remote access.
Encrypt all customer information in transit and at rest
Use TLS 1.2 or higher for data in transit. Use AES-256 or equivalent for data at rest. This includes email attachments, file transfers, database storage, and backups.
Develop and maintain a data retention and disposal policy
Define how long you retain different types of taxpayer data, and implement secure disposal methods (cross-cut shredding, cryptographic wiping) when retention periods expire.
Implement change management procedures
Document procedures for evaluating the security impact of changes to your systems, networks, or operations before implementing them.
Maintain audit trails and logging
Configure systems to log user access, authentication attempts, data modifications, and administrator actions. Retain logs for a minimum of three years.
Establish a security awareness training program
Train all employees upon hiring and at least annually thereafter. Cover phishing recognition, password security, social engineering, physical security, and incident reporting.
Develop a written incident response plan
Document procedures for detecting, containing, investigating, and recovering from security incidents. Include notification procedures for the IRS, FTC, state regulators, and affected taxpayers.
Monitor, Test, and Update
Continuous monitoring or annual testing required
Section 314.4(d)(2) requires you to either implement continuous monitoring or conduct annual penetration testing and semi-annual vulnerability assessments. Beyond testing, you must regularly evaluate and adjust your program.
Conduct annual penetration testing by a qualified professional
Engage an independent security firm to attempt to breach your defenses. The test should cover network, application, and social engineering attack vectors. Document the scope, findings, and remediation.
Perform vulnerability assessments every six months
Run automated vulnerability scans against all systems in scope. Compare results against previous scans to identify new vulnerabilities and verify previously identified issues were resolved.
Or implement continuous monitoring as an alternative to annual testing
Deploy a Security Information and Event Management (SIEM) system or managed detection and response (MDR) service that continuously monitors for threats and anomalies.
Review access logs and user activity regularly
At minimum, conduct quarterly reviews of user access privileges and monthly reviews of authentication logs for anomalies such as logins from unusual locations or after-hours access.
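As an added illustration of the monthly authentication-log review described above (example code, not part of the checklist or any vendor tool), the script below flags the anomalies the item names: successful logins after business hours and logins from an unexpected country, plus repeated failed attempts. The log format, the business hours, the expected country and the failure threshold are all assumptions; the log lines are constructed sample data.

```python
from collections import Counter
from datetime import datetime

# Assumed firm policy (not from the checklist): business hours 07:00-19:00
# Monday-Friday, staff log in only from the US, 3+ failures per user is notable.
BUSINESS_HOURS = (7, 19)
BUSINESS_DAYS = {0, 1, 2, 3, 4}   # Monday=0 ... Friday=4
EXPECTED_COUNTRIES = {"US"}
FAILURE_THRESHOLD = 3

# Constructed sample export: timestamp,user,result,source_ip,geo_country
SAMPLE_LOG = """\
2024-03-04T09:12:01,alice,success,203.0.113.10,US
2024-03-04T22:47:33,bob,success,198.51.100.7,US
2024-03-05T10:05:12,carol,success,192.0.2.45,RO
2024-03-09T14:00:00,bob,success,198.51.100.7,US
2024-03-11T08:00:01,dave,failure,203.0.113.22,US
2024-03-11T08:00:04,dave,failure,203.0.113.22,US
2024-03-11T08:00:09,dave,failure,203.0.113.22,US
"""

def parse_line(line):
    ts, user, result, ip, country = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "result": result, "ip": ip, "country": country}

def is_after_hours(ts):
    # Weekend, or a weekday outside the configured hours
    start, end = BUSINESS_HOURS
    return ts.weekday() not in BUSINESS_DAYS or not (start <= ts.hour < end)

def review_auth_log(text):
    """Return (user, timestamp, reason) findings for the reviewer to follow up."""
    findings = []
    failures = Counter()
    for line in text.strip().splitlines():
        ev = parse_line(line)
        stamp = ev["ts"].isoformat()
        if ev["result"] != "success":
            failures[ev["user"]] += 1   # counted, reported after the loop
            continue
        if is_after_hours(ev["ts"]):
            findings.append((ev["user"], stamp, "after-hours login"))
        if ev["country"] not in EXPECTED_COUNTRIES:
            findings.append((ev["user"], stamp, f"login from unexpected country {ev['country']}"))
    for user, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append((user, "review window", f"{n} failed logins"))
    return findings
```

Each finding is a pointer for a human reviewer, not a verdict; the reviewer records the disposition as part of the monthly review evidence.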
Reassess your security program after material changes
Trigger a reassessment when you add new software, change vendors, open new offices, experience a security incident, or undergo significant staffing changes.
Produce an annual written report from the Qualified Individual
The QI must report to the board or senior management on the overall status of the program, compliance with the rule, material events, risk assessment results, and recommendations.
Evaluate and oversee service providers
Select service providers capable of maintaining appropriate safeguards. Require them by contract to implement and maintain safeguards. Periodically assess them based on the risk they present.
Consequences
Penalties for non-compliance
The FTC has enforcement authority and has pursued action against tax preparers who fail to maintain adequate safeguards.
| Violation | Potential Consequence |
|---|---|
| Failure to implement a written security program | Up to $100,000 per violation |
| Failure to designate a Qualified Individual | Up to $100,000 per violation |
| Inadequate risk assessment documentation | Up to $50,000 per violation |
| Failure to encrypt customer information | Up to $100,000 per violation |
| Missing or inadequate incident response plan | Up to $50,000 per violation |
| Failure to monitor and test safeguards | Up to $100,000 per violation |
Compliance is not optional. We make it achievable.
Our team has helped hundreds of tax firms achieve full FTC Safeguards Rule compliance. We handle everything from your risk assessment to ongoing monitoring so you can focus on your clients.
