FTC Safeguards Rule: What St. Louis CPAs Need to Know

by Jon Lober | NOC Technology

The Safeguards Rule Isn't Just for Banks and Credit Unions

Your accounting firm handles some of the most sensitive information a person can share: Social Security numbers, income details, bank accounts, investment records. The Federal Trade Commission knows this, which is why the FTC Safeguards Rule exists, and why it applies directly to CPA firms, tax preparers, and bookkeepers.


Many accounting professionals either don’t know this rule applies to them or assume their current security practices are “good enough.” They’re often wrong on both counts. The Safeguards Rule is a federal requirement with real enforcement teeth, and non-compliance can cost your firm up to $50,000 per violation, per day. Here’s what the rule actually requires and how to get your St. Louis practice into compliance.


Why the FTC Safeguards Rule Applies to Accounting Firms


Many CPAs assume the Safeguards Rule only applies to banks and credit unions. The FTC uses a much broader definition. Section 314.2(h) of the Safeguards Rule defines “financial institution” by the activities a business engages in, not by its industry label, and its list of examples explicitly includes accountants and tax preparation services that complete income tax returns. The same definition reaches other businesses significantly engaged in financial activities, which covers most accounting practices.


If your firm prepares tax returns, provides bookkeeping services, handles payroll, or advises clients on financial matters, you’re almost certainly covered. The FTC doesn’t care whether you call yourself a CPA firm, a tax preparer, or an accounting consultant. What matters is the type of information you handle and the services you provide.


The rule originally took effect in 2003, but significant amendments in 2021 added much more specific technical requirements, most of which became enforceable in June 2023. A 2023 update added a mandatory FTC breach notification requirement that took effect in May 2024. If your firm hasn’t reviewed its security practices since before 2021, you’re likely out of compliance with the current version of the rule.


The Nine Elements of a Compliant Security Program


The Safeguards Rule doesn’t just tell you to “be secure.” It specifies nine distinct elements your information security program must include. This isn’t optional; you need all nine.


1. Designate a Qualified Individual

Someone has to be formally responsible for your security program. This can be an employee, or it can be an outsourced provider like your managed IT provider. The key word is “qualified”: this person needs real-world expertise appropriate to your firm’s size and complexity. For a small CPA practice in the St. Louis area, your MSP’s security lead often fills this role. But even if you outsource, the rule requires you to designate a senior member of your own firm to direct and oversee the Qualified Individual, and your firm remains ultimately accountable for compliance.


2. Conduct a Written Risk Assessment

You can’t protect what you don’t understand. The rule requires you to inventory your systems, identify where client information lives, and assess the threats to that data. This isn’t a one-time exercise–you need to reassess periodically as your practice evolves and new threats emerge. The risk assessment must be documented in writing.


3. Design and Implement Safeguards

Based on your risk assessment, you implement controls to address the identified risks. The rule gets specific here. It requires access controls that limit who can see what data and that are reviewed periodically; an inventory of the data, systems, and devices that hold customer information; encryption of customer information both at rest and in transit (or compensating controls your Qualified Individual approves in writing); secure development practices for any in-house software and a process for assessing the security of third-party applications that touch client data; multi-factor authentication for anyone accessing systems that hold client information; secure disposal of customer information no later than two years after it was last needed, unless retention is required for a legitimate business or legal reason; change management procedures; and logging and monitoring of what authorized users do with that information.


4. Monitor and Test Your Safeguards

Having security controls is different from knowing they work. The rule gives you two paths: continuous monitoring of your systems, or, if you don’t monitor continuously, annual penetration testing plus vulnerability assessments at least every six months and whenever your operations change materially. For most accounting firms, continuous monitoring through a managed security provider is more practical than periodic penetration tests, but whichever path you choose, keep the evidence: test reports, scan results, and monitoring alerts are what you will show an examiner.


5. Train Your Staff

Everyone at your firm who handles client information needs security awareness training. This includes recognizing phishing attempts, understanding password hygiene, and knowing how to handle sensitive documents. One-time training isn’t enough, it needs to be ongoing and updated as threats change.


6. Monitor Your Service Providers

If you use cloud accounting software, a document management system, or any other vendor that touches client data, you’re responsible for ensuring they maintain adequate security. The rule requires three things: select providers capable of protecting the information, require them by contract to implement and maintain appropriate safeguards, and periodically assess them based on the risk they present. In practice that means verifying their security practices before you sign up, getting the safeguards commitment into the agreement, and reviewing the relationship throughout its life.


7. Keep Your Program Current

Information security isn’t a set-it-and-forget-it proposition. The rule requires you to evaluate and adjust your program based on testing results, changes in your operations, or new security threats.


8. Create an Incident Response Plan

When something goes wrong, you need a documented plan for how your firm will respond. Who gets notified? How do you contain the breach? What’s your communication strategy? The rule spells out what the written plan must address: the goals of the plan, the internal processes for responding, clearly defined roles and decision-making authority, internal and external communications, how to remediate weaknesses in systems and controls, how the incident will be documented and reported, and how the plan itself gets revised after an incident. This plan needs to exist before you need it.


9. Report to Leadership Annually

Your Qualified Individual must provide a written report to your firm’s leadership at least once per year covering compliance status, risk assessment results, any security incidents, and recommendations for improvement.


What “Customer Information” Actually Means


The Safeguards Rule protects “nonpublic personal information” about your clients. For an accounting firm, this encompasses virtually everything in your files: Social Security numbers, dates of birth, bank account numbers, income records, employment information, and any financial details your clients share with you.


What many CPAs miss: the rule doesn’t just cover current clients. It covers former clients whose information you still retain. It also reaches personal financial information that arrives through your business clients. If a business client shares W-2 information for their staff, you’re now holding those employees’ data, and you should protect it to the same standard as your own clients’ records.


The practical implication: you need to know exactly what client information you have, where it’s stored, and who has access to it. Most accounting firms underestimate how widely client data is scattered across their systems.


The Small Firm Exemption (And Why It’s Narrower Than You Think)


The Safeguards Rule does include an exemption for firms maintaining customer information for fewer than 5,000 consumers. Before you celebrate, understand what this exemption actually covers. It exempts you from four requirements: the formal written risk assessment, the continuous monitoring or penetration testing and vulnerability assessment requirement, the written incident response plan, and the annual written report to leadership.


It does not exempt you from having a security program; the access controls, encryption, MFA, training, and service provider oversight requirements still apply. And that 5,000 threshold counts individual consumers, not client engagements. If you prepare taxes for 500 small businesses and handle personal data for 10 people at each one, a conservative count already puts you at the threshold.


For most accounting firms doing any meaningful volume of work, the small firm exemption provides less relief than they initially think.


Practical Steps for Missouri CPAs


Here’s a realistic roadmap for a typical St. Louis-area CPA practice:


  • Start with an honest inventory of where client data lives. Check your servers, your cloud storage, your email archives, your accounting software, any portable devices staff use, and yes — the paper files too.

  • Designate your Qualified Individual. If you don’t have in-house IT expertise (and most small to mid-sized accounting firms don’t), this is typically your managed IT provider. Make sure they understand they’re filling a formal compliance role, not just keeping your computers running.

  • Implement the technical basics. Multi-factor authentication on everything that contains client data. Encryption for data at rest and in transit. Access controls that limit who can see what. Regular, tested backups. If any of these are missing, that’s your starting point.

  • Document everything. Your risk assessment, your security policies, your incident response plan, your training records — all need to be documented in writing.

  • Train your team continuously. The best technical controls fail when someone clicks a phishing link. Regular training keeps security top of mind.

  • Review and repeat annually. Your security program should evolve with your practice and with the threat landscape.


Build in annual reviews, update your risk assessments when things change, and adjust your safeguards accordingly.


The Cost of Getting It Wrong


Non-compliance with the Safeguards Rule can result in civil penalties of up to $50,000 per violation, per day, along with FTC consent orders that impose years of mandated security assessments. For most accounting firms, though, the bigger risk is what happens when you actually suffer a breach.


A data breach affecting your clients means regulatory notification requirements, potential lawsuits, professional liability claims, and reputational damage that can take years to recover from. Your clients trust you with their most sensitive information. Losing that trust often means losing those clients, along with the referrals they would have generated.


Beyond the penalties, consider the operational disruption. Ransomware can lock you out of your own systems during tax season. A compromised email account can be used to redirect client payments to attackers.


What This Means for Your IT Partnership


The Safeguards Rule essentially requires accounting firms to take IT security seriously, which means taking your IT partnership seriously. If your current IT provider treats security as an add-on service rather than a core function, that’s a red flag.


Your IT provider should be capable of serving as your Qualified Individual, or at least supporting whoever fills that role. They should be able to help you conduct risk assessments, implement required safeguards, monitor your systems, and document your compliance. For St. Louis-area CPAs, finding an IT partner who understands both the technical requirements and the regulatory landscape isn’t optional anymore, it’s a business necessity.


Moving Forward


The FTC Safeguards Rule isn’t going away, and enforcement is increasing as regulators focus on smaller financial institutions. Getting compliant now protects your firm from penalties, protects your clients from breaches, and positions your practice as one that takes data security seriously.


Start with an honest assessment of where you stand today. Most firms have gaps they haven’t identified. Find them, fix them, and build the security program your practice needs. Your clients are trusting you with their financial lives. Make sure your IT security is worthy of that trust.


See how we support St. Louis accounting firms with compliance-ready IT, and check our pricing page for transparent numbers, no sales call required.


Frequently Asked Questions

Does the FTC Safeguards Rule apply to solo tax preparers?
Yes. The rule applies to anyone engaged in tax preparation services, regardless of firm size. Solo practitioners and small firms have the same fundamental obligations to protect client information, though certain documentation requirements are relaxed for firms serving fewer than 5,000 consumers.

Can my IT provider serve as the Qualified Individual?
Yes, and for many small to mid-sized accounting firms, this is the most practical approach. The rule explicitly allows the Qualified Individual to be an employee of a service provider. However, your firm remains ultimately responsible for compliance, and the rule requires you to designate a senior member of your own personnel to direct and oversee the Qualified Individual.

What’s the difference between the FTC Safeguards Rule and IRS Publication 4557?
IRS Publication 4557 provides guidance on safeguarding taxpayer data and is referenced on PTIN renewal forms. The FTC Safeguards Rule is a federal regulation with specific compliance requirements and enforcement penalties. They overlap significantly in intent, but the Safeguards Rule has more detailed technical requirements and carries steeper penalties for violations.

How often do we need to conduct risk assessments?
The rule requires periodic reassessment but doesn’t specify an exact frequency. Best practice is to conduct a formal risk assessment annually and update it whenever significant changes occur: new software, staff changes, office moves, or emerging threats. Many Missouri CPA firms align this with their annual compliance review cycle.

Do we need encryption if we use cloud accounting software?
Yes, encryption requirements apply regardless of where data is stored. Reputable cloud accounting platforms typically handle encryption for data they store, but you’re responsible for ensuring encryption is in place for data in transit (email, file transfers) and for any client data stored locally on firm devices or servers. Where encryption is genuinely infeasible for a particular system, the rule only lets you substitute other controls if your Qualified Individual reviews and approves them in writing.

What triggers the breach notification requirement?
You must notify the FTC of a security event if it involves unauthorized acquisition of unencrypted customer information affecting 500 or more consumers. Note that encrypted data counts as unencrypted if the attacker also obtained the encryption key. The notification must be made as soon as possible and no later than 30 days after discovery. This requirement took effect in May 2024, so it’s relatively new for many firms.

Is multi-factor authentication really required?
Yes. The 2021 amendments made MFA a specific requirement for any individual accessing any information system that holds customer information. This applies to your accounting software, email, file storage, remote access, and any other system containing client data. The only exception is if the Qualified Individual approves in writing a reasonably equivalent or more secure access control, which is a high bar to meet.