Do Tax Preparers Need a WISP? The FTC Safeguards Rule & IRS Form W-12, Explained

Yes—if you prepare tax returns, federal law treats you as a "financial institution," and the FTC Safeguards Rule requires you to develop, implement, and maintain a Written Information Security Plan (WISP). Here is where that obligation comes from and what your plan has to cover.

The short answer: yes, and it is a federal requirement

If your practice prepares tax returns for clients, the answer is yes—you are expected to develop, implement, and maintain a Written Information Security Plan, usually called a WISP. This is not an IRS best-practice suggestion you can take or leave. It traces back to a federal regulation that applies to your firm regardless of how small you are.

The requirement catches a lot of preparers by surprise because it does not come from the tax code at all. It comes from a consumer-protection rule written for banks and lenders—one that, by its own terms, reaches professional tax preparers. A solo Enrolled Agent working from a home office is covered by the same rule as a large multi-office firm. There is no headcount or revenue floor that exempts you from having a security program.

Below is where the obligation actually lives, why the IRS keeps reminding you about it, and the six areas a WISP has to cover. As always, this is general information rather than legal or tax advice, and you should confirm the current specifics for your situation at irs.gov, ftc.gov, or with a qualified professional.

Where the rule comes from: the FTC Safeguards Rule and GLBA

The legal source of the WISP requirement is the FTC Safeguards Rule, which implements the Gramm-Leach-Bliley Act (GLBA) and is codified at 16 CFR Part 314. GLBA applies to "financial institutions," and the FTC interprets that term broadly—broadly enough to include businesses "significantly engaged" in financial activities, which the agency reads to cover professional tax-return preparers, accountants, and similar firms that handle customer financial information.

That single interpretation is the whole ballgame. Because a tax preparer is treated as a financial institution under GLBA, the Safeguards Rule's core mandate applies directly: develop, implement, and maintain a written information security program appropriate to your size, the nature of your activities, and the sensitivity of the customer information you handle. That "written" security program is what the tax-prep world calls a WISP.

The FTC strengthened the Rule in recent years, adding more prescriptive requirements—a named individual to run the program, encryption, multi-factor authentication, vendor oversight, and a written incident response plan, among others. A firm that maintains customer information on fewer than 5,000 consumers qualifies for a limited exemption (under 16 CFR 314.6) from a handful of the most formal documentation paragraphs—such as putting the risk assessment in writing and the written incident-response plan—but even those firms must still run a real, written security program. Because the Rule has been amended more than once and thresholds can change, confirm the current text directly in 16 CFR Part 314 at ftc.gov before you rely on a specific detail.

Why the IRS keeps reminding you: Pub 4557 and the Security Summit

If the legal requirement is the FTC's, why does it feel like an IRS rule? Because the IRS has spent years amplifying it. The IRS works with state tax agencies and the tax industry through the Security Summit, and it has made WISPs a centerpiece of its data-security outreach to preparers.

Two IRS resources matter most here. IRS Publication 4557, "Safeguarding Taxpayer Data," walks preparers through their obligations and points squarely at the GLBA/FTC requirement to have a security plan. And the IRS Security Summit publishes a sample WISP template (issued as Publication 5708) specifically so that small preparers have a realistic starting point instead of a blank page.

The takeaway: the IRS does not create the WISP obligation, but it reinforces it, explains it in plain language for tax professionals, and gives you a model to work from. Treating the IRS materials as the friendly explanation and 16 CFR Part 314 as the binding source is the right mental model.

The Form W-12 question: awareness, not certification

Here is a point that causes real confusion. When you apply for or renew your PTIN on IRS Form W-12, the form includes a data-security item in which the preparer confirms awareness of their responsibility to have a data-security plan and to protect taxpayer information.

Read that carefully, because the distinction matters. Affirming that item is an attestation that you are aware of your data-security responsibilities. It is not a certification that a WISP exists, that it has been audited, or that anyone has reviewed your safeguards. No one issues you a "WISP certificate" for renewing a PTIN.

The practical implication is straightforward: confirming awareness on Form W-12 while having no actual written plan leaves you exposed on both fronts—you have acknowledged the duty without meeting the underlying FTC requirement. The responsible path is to have a genuine, working WISP standing behind that attestation, not to treat the acknowledgment as the finish line.

What a WISP has to contain

A WISP is a program, not a single form, and it should be tailored to how your office actually operates. Drawing on the Safeguards Rule and the IRS sample WISP, a workable plan covers six core areas:

1) A designated coordinator. Name one person (often called the Qualified Individual under the FTC Rule) who is accountable for the security program. In a solo practice, that is usually the owner.

2) A risk assessment. Inventory where taxpayer data is created, stored, and transmitted, then identify the reasonably foreseeable internal and external risks to it. This assessment drives every safeguard you choose.

3) Safeguards. Document and implement the technical and administrative controls your risk assessment calls for—access controls, encryption of customer data in transit and at rest, multi-factor authentication, secure disposal, and logging, among others.

4) Vendor oversight. Apply due diligence to the service providers who touch client data (your tax software, cloud storage, document portals, IT support) and require them by contract to protect it.

5) Incident response. Maintain a written plan for what happens after a suspected breach—who is notified, how you contain it, and the specific IRS, FTC, and state reporting steps that apply.

6) Employee training. Train everyone with access to taxpayer data on the plan and on recognizing threats like phishing, and keep a record that the training happened.

A plan that addresses these six areas, kept current and actually followed, is what "having a WISP" means in practice.

How to get a plan in place without starting from scratch

You have three realistic routes, and the right one depends on your time and budget. The figures below are typical, illustrative estimates—not quotes—and actual costs vary widely by firm and region.

First, do it yourself from the free IRS sample WISP (Publication 5708). The cost is your time, and the trade-off is real: the sample is essentially a skeleton, so you can expect to spend roughly two to six weeks drafting the workbooks, logs, and procedures that turn it into a functioning program.

Second, start from an editable toolkit. A structured WISP toolkit gives you the plan, a risk-assessment workbook, the training and vendor-oversight documents, and an incident runbook as fill-in-the-blank files you tailor to your firm—typically getting you from a blank page to a working draft in an afternoon or two rather than weeks.

Third, hire a security consultant or vCISO to draft and tailor a plan for you, which can run into the low four figures and take several weeks.

Whichever route you pick, be clear about what a document set can and cannot do. No template, by itself, makes your firm "compliant" with the Safeguards Rule. Compliance comes from designating your coordinator, completing your own risk assessment, implementing the safeguards, training your staff, and keeping the program current. A good toolkit removes the slowest part—the drafting—so you can focus on the parts only your firm can do. To confirm exactly what applies to you right now, check Publication 4557 and the sample WISP at irs.gov and the Safeguards Rule at ftc.gov, or talk to a qualified professional.

Frequently asked questions

Is a WISP legally required for a small or solo tax practice?

Yes. The requirement comes from the FTC Safeguards Rule (16 CFR Part 314), which implements the Gramm-Leach-Bliley Act and applies to tax preparers of every size because the FTC interprets "financial institution" to include them. There is no small-business or solo exemption from having a security program. A firm that maintains customer information on fewer than 5,000 consumers qualifies for a limited exemption (under 16 CFR 314.6) from a few of the most formal documentation paragraphs, but it still must maintain a written security program. Confirm current specifics at ftc.gov and irs.gov.

Does the IRS or the FTC require the WISP?

The binding legal requirement comes from the FTC Safeguards Rule under GLBA, not the IRS. The IRS reinforces and explains it: Publication 4557 ("Safeguarding Taxpayer Data") describes the obligation, and the IRS Security Summit publishes a free sample WISP (Publication 5708). So the FTC is the source, and the IRS is the most visible messenger to tax professionals.

I confirmed my data-security responsibility on Form W-12. Doesn't that cover it?

No. The Form W-12 data-security item is an awareness attestation—you are confirming that you know you are responsible for protecting taxpayer data. It is not a certification that a WISP exists or that anyone has reviewed it. The responsible approach is to have a real, working WISP standing behind that attestation.

What does a WISP actually have to contain?

At a minimum: a designated coordinator (the FTC's "Qualified Individual"), a risk assessment, documented safeguards (such as access controls, encryption, and multi-factor authentication), vendor oversight, a written incident response plan, and employee training—each tailored to how your office handles taxpayer data and kept current over time. Confirm the current required elements in 16 CFR Part 314 at ftc.gov.

Does buying a WISP template make my firm compliant?

No. No document set by itself makes a firm "compliant" with the Safeguards Rule. Compliance comes from designating your coordinator, completing your own risk assessment, implementing the safeguards, training staff, and operating and reviewing the program over time. A template accelerates the documentation—usually the most time-consuming part—but your firm has to put the plan into practice.

Toolkits that help

FTC Safeguards Rule + IRS Pub 4557 (WISP)

WISP Toolkit for Tax Professionals

Complete Written Information Security Plan package for tax preparers, CPAs and accounting firms — FTC Safeguards Rule (16 CFR 314) crosswalk, IRS Pub 4557-aligned policies, risk assessment workbook, training logs and incident response — everything Pub 5708 doesn't operationalize.

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.