FTC Safeguards Rule for Small CPA Firms: A Practical Document Handling Guide
What the revised FTC Safeguards Rule actually requires for accounting firms, including the document handling requirements that matter for digitization and storage.
The FTC's revised Safeguards Rule, which took effect in 2023 and continues to evolve, applies to every CPA firm in the country regardless of size. Many small firms still operate under the assumption that the rule is meant for big institutions. It is not. The rule covers any financial institution under GLBA, and the FTC has been clear that tax preparers and CPA firms qualify.
This post is a practical reference for the document-handling parts of the rule. It does not cover the technical security stack in detail.
Who has to comply
The Safeguards Rule applies to "financial institutions" as GLBA defines them. The FTC has explicitly clarified that this includes:
- Tax preparation services
- CPA firms
- Bookkeeping services
- Other firms that significantly engage in financial activities
A two-person CPA firm preparing returns for individual clients is a financial institution under this rule. There is no small-firm exemption.
What the rule actually requires
The Safeguards Rule requires a written information security program (WISP) that includes specific elements. The ones most relevant to document handling:
- Designation of a qualified individual to oversee and implement the security program.
- Risk assessment that identifies foreseeable internal and external risks to customer information.
- Access controls to limit access to customer information to authorized users.
- Encryption of customer information at rest and in transit.
- Multifactor authentication for any individual accessing customer information.
- Secure disposal of customer information no later than two years after the firm's last use, unless retention is otherwise required.
- Periodic monitoring and testing of the security program.
- Vendor management for service providers with access to customer information.
The disposal requirement is the one that most directly intersects with scanning projects.
The "two years after last use" rule
The Safeguards Rule requires customer information to be disposed of no later than two years after the firm's "last use" of that information, unless the firm has a separate legal or business reason to keep it longer.
For accounting firms, that "legal or business reason" usually exists. IRS audit periods, state audit periods, statute of limitations rules, and the firm's own malpractice exposure all argue for longer retention. The practical retention period for CPA firms is usually seven years for general work and longer for fraud-related matters where the statute of limitations extends.
What the two-year rule actually means in practice: the firm must be able to defend why it is still holding any given piece of customer information. Once the legitimate retention reason ends, the firm has a maximum of two years to dispose of the data.
Vendor management
The vendor management requirement is where scanning services enter the picture. The Safeguards Rule requires firms to:
- Conduct due diligence on service providers
- Require service providers to implement appropriate safeguards by contract
- Periodically assess the service provider's adequacy
For a scanning vendor, that means at minimum: a signed agreement covering security obligations, encryption requirements, retention, and disposal of any temporary copies. CPA firms should be able to produce that agreement on demand if asked by a regulator or in the course of their own audit.
IRS Publication 4557 alignment
The IRS publishes Publication 4557, "Safeguarding Taxpayer Data," which describes the practical security expectations for tax professionals. The publication aligns closely with the Safeguards Rule and is often the reference document used during IRS audits of tax preparers.
A WISP that satisfies the Safeguards Rule will generally also satisfy IRS Pub 4557 expectations. The two are designed to be compatible.
How scanning intersects with the rule
A document scanning project for a CPA firm touches several Safeguards Rule requirements simultaneously:
- Access controls: physical paper is converted to access-controlled digital files.
- Encryption at rest: scanned files can be encrypted in storage in a way paper cannot.
- Disposal: digitization is often the precondition for disposing of paper originals.
- Vendor management: the scanning vendor must operate under a written agreement.
A well-run scanning project leaves the firm in a stronger Safeguards Rule posture than where it started, provided the vendor is set up to support it.
What ArchiveBridge does about this
ArchiveBridge digitizes accounting firm archives onsite under a signed Service Provider Agreement that aligns with the FTC Safeguards Rule and IRS Pub 4557. Records are indexed by client and tax year, delivered into Karbon, TaxDome, Canopy, or other firm software, and any temporary processing storage is wiped after delivery.
If you are working on your WISP or have an upcoming IRS review and the archive needs to be in a defensible state, request a quote and we will walk through your specific situation.