Confused about IRS Pub 4557 vs FTC Safeguards Rule, and Which Applies to Your Firm?
Jun. 20, 2023
As of June 9, 2023, the FTC Safeguards Rule (part of the Gramm-Leach-Bliley Act) has entered the enforcement stage. Practitioners who fall under the rule may be subject to an investigation by the FTC, which could result in steep penalties and fines for not complying: up to $43,000 per day. While that part seems clear, there is confusion about WHO this rule applies to. Is it tax firms only, or do firms that provide CAS (with or without payroll) need to comply as well?
The great news is that since there is considerable overlap between IRS Publication 4557 and the FTC Safeguards Rule, tax prep firms who already comply with Pub 4557 requirements will likely be in good shape and may only need to add a few additional security measures to comply with the FTC Safeguards Rule. The concern will be for firms who have been attesting they have a Written Information Security Plan (WISP) in place for their PTIN renewal, but have not taken steps yet to get it in place.
To understand how the two work together: IRS Publication 4557 sits "under" the FTC Safeguards Rule. All firms that provide tax prep services for their clients are subject to both, because paid tax preparation services are called out specifically in both publications.
Under both, firms must designate a person to be in charge of security overall and to ensure that all related security policies are adhered to. The designee first assesses overall risk, then designs policies to ensure that all Personally Identifiable Information (PII) and Customer Information is encrypted, transmitted, and stored safely. Access is limited to only those who need it, and background checks are required before hiring employees or contractors. Security software must be used, all hardware must be encrypted and inventoried, network protections put in place, strong password policies adhered to, and Multi-Factor Authentication used. A WISP is created to document that the firm is adhering to all recommended security requirements and has the necessary policies and procedures in place to keep all client data safe. Annually, staff are trained and the WISP is reviewed for any updates needed.
However, the FTC Safeguards Rule (on its own) also applies to firms that only provide CAS or Payroll Services (or both) to their clients, provided that they have 5,000 or more clients/entities in their data banks. If a firm provides payroll services, for example, it is possible to reach that number because of the individual employee SSNs and PII held in the firm's payroll processing software. Additionally, firms need to take into account that the 5,000 threshold does not refer only to current clients: past clients are included if their records are retained by the firm.
Regardless of the threshold requirements, experts recommend that ALL firms adhere to the FTC Safeguards Rule because it is good business practice to keep client data safe. Complying with Pub 4557 is a great place to start because it gets a firm most of the way there. There are three notable differences between the two documents that firm leaders should be aware of:
- Under the FTC Safeguards Rule, firms must choose a QUALIFIED individual to assess the security risk in the firm's operations, create a Written Risk Assessment, and then create policies and procedures to mitigate the risks. Those policies form the firm's WISP and will be used to ensure that all staff are trained to prevent and spot security risks. Additionally, that person must report annually to the firm's Board of Directors.

  Therefore, if a firm does tax prep services and is compliant with 4557 already, it now needs to consider whether its designated individual in charge of WISP compliance is qualified to do so. Smaller firms that do not have a qualified IT person working in-house or under contract should consider engaging a Managed Service Provider (MSP) to manage the firm's overall data and network security infrastructure and to assist in creating the required policies and rolling them out to staff.
- The FTC Safeguards Rule requires firms to ensure that all service providers and software vendors implement reasonable security standards.
- The FTC Safeguards Rule has a broader definition of what data needs to be protected. In addition to the list of Personally Identifiable Information specified in Pub 4557, the following Customer Data is added:
  - Lists of a business client's customers and their information
  - Lists of a business client's vendors and suppliers
  - Client business asset lists, financial results, and all financial statements
Because the combined lists essentially comprise everything firms know about their clients and hold in their records, experts recommend that firms take the approach that all client data is considered sensitive and therefore protected.
It is good business to comply with the FTC Safeguards Rule and IRS Publication 4557. It only takes one breach to destroy a firm's good name. Additionally, the pain imposed on staff and clients by a breach, not to mention the sheer financial cost of remediation, makes complying one of the best things a firm leader can do.
Next steps: Tax firms that have not taken steps to comply with IRS Publication 4557 need to do so right away. To help firm leaders fast-track their compliance, Randy Johnston, CPA, Dawn Brolin, CPA, Steve Perkins, CIO of HoganTaylor, LLP, and Andrew Lasisse, CEO of Tech4Accountants, have collaborated with The Grove to create practical training on HOW to comply with IRS Publication 4557, including all policies and resources needed.
Firms that are already in compliance with Publication 4557 should take steps to address the three main additional requirements under the FTC Safeguards Rule.
——
Chris Farrell, CPA, is cofounder of Liscio, Inc. and serves as its Chief Executive Officer. Chris has more than 25 years of experience in the accounting, finance, and software industries. Prior to Liscio, he co-founded and led SpringAhead and Tallie, where he served as Chief Executive Officer. He also served as the Chief Financial Officer of Occam Networks, the Corporate Controller of C-Cube Microsystems, and as an auditor for Arthur Andersen. He holds a Master's degree in Business Administration from UCLA's Anderson School of Management and received his CPA license in California.