
Does the FTC Safeguards Rule Apply to CPA and Tax Firms?

Yes, the FTC Safeguards Rule applies to most CPA and tax firms as GLBA financial institutions. Here is the reasoning and what it means for your practice.

By Hammad Arain · Arain Systems

Yes. For the large majority of CPA practices and independent tax preparers, the FTC Safeguards Rule applies. The reason is that the Gramm-Leach-Bliley Act defines a "financial institution" by the activities a business performs, not by whether it is a bank, and preparing income tax returns is one of those activities. The FTC's regulation says so directly, and so does the IRS.

I am Hammad Arain, founder of Arain Systems, a Houston practice focused on security and compliance for small non-bank financial offices, including CPA and tax firms. Here is how the coverage logic works and what it means for your practice in practical terms.

Why a tax or accounting firm is a "financial institution"

The Safeguards Rule lives at 16 CFR Part 314. Under 16 CFR 314.2(h)(1), a financial institution is any business engaging in an activity that is financial in nature or incidental to one, drawing on the activities described in the Bank Holding Company Act. That definition is far broader than the word "bank" suggests. It turns entirely on what you do, not on a license or a category you would normally call yourself.

The FTC then gives concrete examples. The regulation at 16 CFR 314.2(h) states that an accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution. Tax preparation firms also appear in the FTC's published list of covered example businesses (see the FTC business guidance, "FTC Safeguards Rule: What Your Business Needs to Know").

The IRS reaches the same conclusion. IRS Publication 4557, "Safeguarding Taxpayer Data," states that the definition of a financial institution includes professional tax preparers, and that under the FTC Safeguards Rule tax return preparers must create and enact security plans to protect client data. IRS Publication 5708 (Rev. 8-2024) puts it even more plainly: under the GLBA and the Safeguards Rule, tax and accounting professionals are considered financial institutions, regardless of size. So this is not a gray area for most firms. If you prepare returns or handle clients' nonpublic financial information, plan on being covered.

A note on who enforces it

The Safeguards Rule is issued and enforced by the Federal Trade Commission under the authority of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 through 6809; 16 CFR Part 314). There is no separate third-party body that polices it on the FTC's behalf, and there is no government "certification" of compliance. I want to be clear about that last point because vendors sometimes sell a "certified compliant" badge. No such regulatory designation exists. Compliance means actually building and running the program the rule requires, and it is assessed through FTC enforcement, not a certificate.

What the rule actually asks you to do

The heart of the rule is 16 CFR 314.4, which requires a written information security program built from nine elements. In plain terms:

  • Designate a Qualified Individual (314.4(a)) to oversee and enforce the program. This person does not need a particular degree or title, and the role can be filled by an employee or by a service provider. If you use an outside provider, your firm keeps responsibility and names a senior person of your own to direct that work.
  • Base the program on a risk assessment (314.4(b)).
  • Implement safeguards to control the risks you find (314.4(c)). The rule names specific ones, including access controls, encryption of customer information both in transit over external networks and at rest, and multi-factor authentication for anyone accessing an information system. Where encryption is not feasible, the Qualified Individual can approve equivalent compensating controls in writing; the same written-approval path exists for access controls used in place of multi-factor authentication.
  • Test or monitor the effectiveness of your safeguards (314.4(d)).
  • Train your staff (314.4(e)).
  • Oversee your service providers (314.4(f)).
  • Evaluate and adjust the program as things change (314.4(g)).
  • Maintain a written incident response plan (314.4(h)) designed to respond to and recover from a security event affecting customer information.
  • Have the Qualified Individual report in writing, at least annually, to your board or equivalent governing body, or to a senior officer if you have no board (314.4(i)).

For most small firms, the practical work is less exotic than it sounds. It is account access discipline, encryption that is actually turned on, multi-factor authentication everywhere, a written record of the risks you looked at, and a plan for the bad day.

The "under 5,000 consumers" point, and what it does not do

Many small practices ask whether they are exempt. There is a partial relaxation, not an exemption from the rule. Under 16 CFR 314.6, four specific requirements do not apply to a firm that maintains customer information on fewer than 5,000 consumers: the requirement that the risk assessment be written (314.4(b)(1)); the requirement for either continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months (314.4(d)(2)); the written incident response plan (314.4(h)); and the Qualified Individual's periodic written report to the board (314.4(i)).

Read that carefully. It relaxes the formal, written, and periodic-testing pieces. It does not remove your duty to assess risk, to put safeguards in place, or to be ready to respond to an incident. Everything else in 314.4 still applies. I have seen owners assume "small firm" means "the rule does not apply to me," and that is the wrong takeaway.

One related distinction for advisory firms

If your practice includes investment advisory work, jurisdiction matters. The FTC's covered examples include investment advisors that are not required to register with the SEC. Advisers who are SEC-registered fall instead under the SEC's Regulation S-P (17 CFR Part 248, with the safeguards provision at 17 CFR 248.30), which the SEC administers. The two regimes both implement GLBA but are enforced by different regulators. Most local CPA and tax firms sit on the FTC side.

Where to start

If you want to know exactly how the rule maps to your firm, I offer a free 14-Point Safeguards Gap Report. I review what client data you hold, where it lives, and how it is protected today, then give you a written findings report and a prioritized fix list. It is a gap report and remediation, not a certification, an audit, or a guarantee of compliance. If you want the broader context first, I also keep a plain-English guide to the FTC Safeguards Rule. To talk it through, call or text me at 832-907-5594.

Written by Hammad Arain, founder of Arain Systems. CCNA, CompTIA Security+, Microsoft AZ-104. Updated May 2026. Educational, not legal advice.