
PTIN Renewal Season 2025: What Every Accounting Firm Must Know About the FTC Safeguards Rule

Each year, tax preparers across the United States renew their Preparer Tax Identification Number (PTIN) with the IRS. It’s a routine part of doing business.


But there’s a second regulatory requirement that demands your immediate attention: the FTC Safeguards Rule (16 CFR § 314).


Many firms mistakenly treat PTIN renewal and cybersecurity compliance as separate matters. In reality, they’re deeply connected — and failure to comply with the FTC Safeguards Rule can expose your firm to regulatory penalties, data breaches, and reputational damage.


This blog explains what the FTC Safeguards Rule requires, why it matters during PTIN renewal season, and how to meet the requirements efficiently.

 


Why the FTC Safeguards Rule Applies to Tax Preparers


The Federal Trade Commission (FTC) enforces the Standards for Safeguarding Customer Information, commonly referred to as the Safeguards Rule.


The rule applies to “financial institutions” as defined by the Gramm-Leach-Bliley Act (GLBA), and this includes tax preparers, accounting firms, and other businesses that handle consumer financial information.


In short:

If your firm prepares taxes, handles client financial records, or provides accounting services to individuals, you are covered by the FTC Safeguards Rule.


The Connection to PTIN Renewal


Every year, the IRS requires tax preparers to renew their PTIN by 31 December to continue practising in the following tax year.


Alongside this renewal, firms must also affirm their compliance with applicable federal regulations, which increasingly includes cybersecurity and privacy obligations.


The FTC Safeguards Rule is a key part of this compliance landscape. Firms that fail to implement appropriate safeguards are at risk of:


  • Regulatory enforcement actions from the FTC

  • Civil penalties for non-compliance

  • Loss of client trust and reputational harm following a breach


With renewal deadlines approaching, now is the time to make sure your firm is compliant.


What the FTC Safeguards Rule Requires


The Rule sets out a structured, risk-based framework for protecting customer information. At a minimum, firms must:


  1. Designate a Qualified Individual

    Appoint someone to oversee and enforce your information security program. This can be an internal staff member or a trusted third party — but the firm remains legally responsible.

  2. Conduct a Written Risk Assessment

    Identify and assess internal and external risks to customer information, document how you will mitigate them, and keep the assessment up to date.

  3. Implement Safeguards

    This includes:

    • Access controls and user authentication

    • Encryption of data in transit and at rest

    • Multi-factor authentication (MFA)

    • Secure development practices

    • Monitoring and logging of authorised users

    • Procedures for secure data disposal


  4. Train Your Personnel

    Provide regular, documented security awareness training tailored to the risks your firm faces.

  5. Test and Monitor Your Program

    Conduct regular vulnerability assessments and penetration testing — or continuous monitoring — to ensure your controls work.

  6. Oversee Service Providers

    Assess third-party vendors, include security clauses in contracts, and review their safeguards periodically.

  7. Have an Incident Response Plan

    Develop and maintain a written plan to respond to and recover from security incidents.

  8. Report Annually

    Your Qualified Individual must provide a written report to your board or senior officer at least annually, covering the security program’s status and material matters.



Practical Steps to Take Now


With PTIN renewal season underway, firms should act early to avoid a year-end scramble. Here’s a simple checklist to get started:


  • Identify or appoint your Qualified Individual

  • Obtain or create a written WISP (Written Information Security Program)

  • Conduct and document a risk assessment

  • Train all staff on cybersecurity awareness

  • Review service provider contracts for security clauses

  • Ensure MFA, encryption, and monitoring are implemented

  • Prepare your annual board/senior officer report


How ComplyWise Online Can Help

ComplyWise specialises in helping accounting and tax firms meet these obligations quickly, clearly, and cost-effectively.


We offer:


  • 🧑‍💼 Qualified Individual training or QI-as-a-Service

  • 📄 A comprehensive WISP Compliance Pack aligned to FTC requirements

  • 🧠 Staff security training designed for accountants

  • 🔐 Optional managed security services for patching, scanning and 24/7/365 security monitoring


Everything is designed to help small and mid-sized firms comply without hiring a full-time security team.


Conclusion


PTIN renewal season isn’t just about filling out forms. It’s a reminder that handling taxpayer information carries regulatory responsibility.


By taking action now to meet the FTC Safeguards Rule, firms can avoid penalties, strengthen client trust, and renew their PTIN with confidence.


Next Step


Learn how ComplyWise can help your firm get compliant before the PTIN deadline


 
 