Skip to main content
All resources
Compliance

Do Bookkeepers and Enrolled Agents Need a WISP?

Bookkeepers and Enrolled Agents are both covered by the FTC Safeguards Rule, and EAs are covered by the IRS WISP requirement for every PTIN holder. Here's exactly what each role has to do in 2026 — with a compliance checklist, common misconceptions, and breach-response guidance.

May 31, 202616 min read
Written by Alfonso LovoLinkedInReviewed by WISPWolf Compliance TeamLast Updated: May 31, 2026 · Verified July 19, 2026
Short answer

Yes. Bookkeepers fall under the FTC Safeguards Rule as financial institutions, and every Enrolled Agent with a PTIN must have a Written Information Security Plan under IRS Publication 5708. Both roles need a current WISP, a designated coordinator, and a documented annual review.

In a hurry? Get your free Compliance Score, then come back to this guide.

Take the Free Quiz View Sample WISP

The short answer is yes — both bookkeepers and Enrolled Agents need a Written Information Security Plan in 2026, but for slightly different reasons and with slightly different documentation tracks. This guide is the long-form reference: who is covered, what the IRS and the FTC actually require, the client-data responsibilities that flow from those rules, and what happens when a covered professional has a breach without a WISP.

Table of contents

Who qualifies as a covered professional

The relevant federal rules don't draw lines along credentials — they draw them along activities. Two questions determine whether a WISP is required:

  1. Do you prepare federal returns for compensation? If yes, you must have a PTIN and you fall under the IRS WISP requirement, regardless of whether you are an Enrolled Agent, a CPA, an attorney, or an unenrolled preparer.
  2. Do you provide a "financial activity" as defined in the Gramm-Leach-Bliley Act? Bookkeeping, accounting, tax preparation, payroll, financial planning, and similar services all qualify. If yes, you are a "financial institution" subject to the FTC Safeguards Rule (16 CFR Part 314).

For Enrolled Agents the answer is almost always both. For bookkeepers it is generally the second — the Safeguards Rule alone — but the practical document is still a WISP.

Enrolled Agents

An EA who prepares returns is a PTIN holder, so the IRS WISP requirement applies directly. An EA who performs only representation work (audits, collections, appeals) without preparing returns may not need a PTIN, but is still very likely a "financial institution" for Safeguards Rule purposes because they handle taxpayer financial information in the course of paid services. Either way, a WISP is the deliverable.

Bookkeepers

Bookkeepers — independent QuickBooks ProAdvisors, Xero advisors, Sage practitioners, full-service firms — are squarely within the FTC's definition of "financial institution." Categorization, reconciliation, bank-feed management, payroll, accounts payable, and management reporting all touch customer financial information. The Safeguards Rule applies regardless of whether the bookkeeper holds any credential and regardless of whether they ever touch a tax return.

IRS WISP requirements for Enrolled Agents

The IRS expresses its WISP expectations through two main documents — IRS Publication 5708 (Creating a Written Information Security Plan for Your Tax & Accounting Practice) and the older IRS Publication 4557 (Safeguarding Taxpayer Data) — and the PTIN renewal attestation. For an Enrolled Agent in 2026, that means:

  • A WISP that follows the Pub 5708 structure — Data Security Coordinator, data inventory, administrative/technical/physical safeguards, vendor management, incident response, and annual review.
  • A signed and dated annual review attestation.
  • The PTIN renewal attestation truthfully checked — i.e., backed by the actual WISP.
  • An incident response plan that includes notifying the IRS Stakeholder Liaison for client-data incidents.

Through 2025, the PTIN attestation was effectively a checkbox. In 2026 the IRS Stakeholder Liaison program is sampling attestations and requesting documentation as part of routine outreach and post-incident follow-up. A false attestation can create exposure under 18 U.S.C. § 1001 in addition to the underlying Safeguards Rule violation. For the section-by-section drafting walkthrough, use the tax preparer security plan guide.

FTC Safeguards Rule implications for bookkeepers

The Safeguards Rule organizes its substantive requirements into nine elements at 16 CFR § 314.4. Every WISP a bookkeeper or EA produces is built around them:

  1. Designate a Qualified Individual — for a solo bookkeeper or EA, that person is you.
  2. Conduct a risk assessment, in writing if you maintain information on 5,000+ consumers.
  3. Design and implement safeguards — access controls, data inventory, encryption, secure development, MFA, secure disposal, change management, monitoring and logging.
  4. Test or monitor the safeguards — continuous monitoring or annual penetration testing plus biannual vulnerability assessments.
  5. Train your staff (and yourself).
  6. Oversee service providers with due diligence, contracts, and reassessment.
  7. Evaluate and adjust the program based on testing and material changes.
  8. Maintain a written incident response plan.
  9. Report at least annually to the governing body (for solo practitioners, the report still has to be produced and signed by the Qualified Individual).

For the element-by-element walkthrough with the specific evidence each item expects, see the FTC Safeguards Rule checklist. For the full statutory framing, see the GLBA Safeguards Rule pillar.

Free Compliance Starter Kit

Free WISPWolf Compliance Starter Kit

Built for bookkeepers, Enrolled Agents, and small CPA firms: the IRS WISP starter template (not a completed customized WISP), the FTC Safeguards Rule checklist, the GLBA checklist, a risk-assessment worksheet, the cyber-insurance questionnaire guide, and the tax preparer compliance checklist.

Client data protection responsibilities

The WISP isn't an abstract document — it describes how you actually handle client data day to day. Five operational responsibilities are common to every covered bookkeeper and EA:

  • Know what data you have. Maintain a current inventory of every system that touches client information — tax software, document portals, email, cloud accounting (QuickBooks Online, Xero, Sage), payroll, practice management, e-signature, backup, and any AI tools.
  • Control who can access it. Least-privilege access. No shared logins. Quarterly review of who has access to which client.
  • Encrypt it. At rest on every workstation and mobile device. In transit through TLS. No client data on unencrypted USB drives, ever.
  • Authenticate properly. MFA enforced on email, tax software, portals, accounting platforms, payroll, remote access, and admin consoles. Phishing-resistant factors are the 2026 baseline.
  • Dispose of it. A documented retention schedule and a secure-disposal procedure for both paper and digital. The Safeguards Rule's default is no later than two years after the last legitimate business use, unless a longer retention period is legally required.

Risk assessment requirements

Section 314.4(b) requires a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. A defensible risk assessment for a bookkeeper or EA contains six sections:

  1. Data inventory. Every system, classified by data type, volume, and retention.
  2. Threat catalog. Phishing of credentials, business email compromise, ransomware, lost or stolen devices, malicious insiders, vendor compromise, accidental disclosure.
  3. Vulnerability analysis. Where current controls are weakest — MFA not enforced on accounting software, encryption not enabled on a laptop, no recent backup test, shared portal logins.
  4. Risk scoring. Likelihood × impact, expressed as a simple high/medium/low matrix.
  5. Treatment plan. For each material risk, the control, the owner, and the target date.
  6. Review cadence. Annual at minimum; quarterly review of the treatment plan is recommended.

A solo bookkeeper or EA can produce a credible first-pass risk assessment in three to four hours. A multi-person firm should expect one to two business days for the first iteration and a half-day annually thereafter.

Common misconceptions

"I'm too small for the FTC to care."

The Safeguards Rule has no small-business exemption. The under-5,000-customer relief is narrow and only touches a few documentation requirements. Enforcement actions against solo and very small practices are uncommon — but breach notifications and insurance audits are not, and either one will surface a missing WISP immediately.

"My CPA firm has a WISP, so I'm covered."

Only if their WISP includes you in scope and you actually follow it. An EA or bookkeeper who works under a firm and takes independent clients on the side is responsible for a WISP covering that independent work.

"My software vendor (or hosting provider) handles security."

Vendor controls satisfy part of the rule — typically the infrastructure layer — but they do not satisfy the firm-level responsibilities (Qualified Individual, risk assessment, training, incident response, annual attestation). The FTC has consistently held that you cannot outsource accountability for the program.

"A downloaded template is good enough."

A template is a starting point, not a compliant program. The Safeguards Rule explicitly requires you to keep the program current as your environment changes and to monitor or test safeguards on a continuing basis — neither of which a static PDF can do.

"Cyber insurance is my WISP."

Insurance transfers financial risk; it doesn't satisfy a regulatory duty. Carriers in 2026 require evidence of a WISP before they bind coverage, and they deny claims when the application misrepresented the firm's posture.

What happens if there's a breach

A bookkeeper or EA who experiences a data breach without a defensible WISP faces a stacked exposure:

  1. FTC enforcement under the Safeguards Rule. Civil penalties currently up to $51,744 per violation, consent decrees lasting up to 20 years with mandatory third-party audits, and injunctive relief.
  2. IRS exposure (for PTIN holders). A breach is the most common trigger for a Stakeholder Liaison inquiry into the WISP, and a checked-but-unsupported attestation can be treated as a false statement under 18 U.S.C. § 1001.
  3. State-level enforcement. State attorneys general can act independently under UDAP and state breach-notification statutes. State-level private rights of action exist in California (CCPA/CPRA), New York (SHIELD Act), and a growing list of others.
  4. Cyber insurance non-renewal or claim denial. Carriers review the WISP after an incident; misrepresenting controls on the application is the most common reason a claim is denied.
  5. Notification obligations. FTC within 30 days for 500+ consumers; IRS Stakeholder Liaison for client-data incidents (generally within 24–72 hours); state AGs per state law; cyber carrier per policy (usually 48–72 hours); affected clients per state breach-notification statutes.
  6. Reputational and client impact. Breach notification letters reach every affected client. For a referral-driven bookkeeping or EA practice, this is often more consequential than the regulatory exposure itself.

See the cyber insurance questionnaire walkthrough for the specific carrier questions you will be asked at renewal and after an incident.

Bookkeeper & Enrolled Agent compliance checklist

Use this as a triage tool. A "no" to any item is either an unaddressed regulatory obligation or an audit-trail gap.

  1. Qualified Individual / Data Security Coordinator named in writing (yourself, if solo).
  2. Written WISP exists, reviewed within the last 12 months, signed and dated.
  3. Risk assessment documented (or, under 5,000 customers, performed and reflected in the WISP narrative).
  4. MFA enforced on email, tax software, document portal, cloud accounting, payroll, practice management, remote access, and any admin console.
  5. Workstations and mobile devices encrypted at rest; client data in transit TLS-protected.
  6. Vendor inventory current; top vendors covered by due-diligence files and contractual safeguards language.
  7. Security awareness training completed by every staff member (and yourself) in the last 12 months, with completion logged.
  8. Incident response plan exists, was tested in the last 12 months, includes FTC 30-day notification and IRS Stakeholder Liaison workflow.
  9. Backups tested at a defined cadence; the most recent test is documented.
  10. Annual review attestation signed by the Qualified Individual.
  11. PTIN attestation (for EAs) aligned to actual WISP status — never checked without supporting documentation.
  12. Three-year archive of training logs, attestations, and incident documentation.

Use the free IRS WISP template as the structural starting point for the document.

Where to go from here

Three steps move a bookkeeper or Enrolled Agent from "I don't know if I'm covered" to defensible compliance:

  1. Take the free 15-question compliance quiz to get a personalized scorecard.
  2. Download the Tax Professional Compliance Starter Kit and walk each item with evidence in hand.
  3. Move from a static WISP to a continuously-monitored program so the document stays current with the systems you actually use.

WISPWolf is purpose-built for this work — a Living WISP for bookkeepers, Enrolled Agents, and small firms that ties live evidence from Microsoft 365 and Google Workspace to each FTC Safeguards Rule element, generates the Pub 5708-aligned plan, and produces the annual review attestation the IRS and your carrier both want to see. Start with the free compliance score, or generate your WISP now.

Frequently asked questions

Do Enrolled Agents need a WISP?

Yes. Enrolled Agents hold a PTIN and prepare federal returns for compensation, so they fall under both the IRS WISP requirement and the FTC Safeguards Rule. The PTIN renewal form requires every EA to attest annually to having a written data security plan in place.

Do bookkeepers need a WISP if they don't prepare tax returns?

In almost every case, yes. The FTC has consistently held that bookkeeping services are 'financial activities' under the Gramm-Leach-Bliley Act, which makes the bookkeeper a financial institution subject to the FTC Safeguards Rule (16 CFR Part 314). The Safeguards Rule requires every covered institution to maintain a written information security program — a WISP — regardless of whether the bookkeeper holds a PTIN.

What if I'm a bookkeeper who only does QuickBooks cleanup and categorization?

Categorization and reconciliation involve customer financial information, which triggers the Safeguards Rule. A bookkeeper handling client bank feeds, payroll data, or vendor payment information is squarely within scope.

Does the Safeguards Rule apply to bookkeepers under the 5,000-customer threshold?

Yes — the rule still applies. Firms under 5,000 customers are exempt from a few documentation requirements (written risk assessment, written incident response plan, annual report to the governing body), but the core nine elements — MFA, encryption, training, vendor oversight, and the rest — apply in full.

Does an Enrolled Agent who works under a CPA firm need their own WISP?

Usually the firm's WISP covers the EA in their capacity as an employee or contractor of that firm, provided the WISP names them in scope and they follow it. An EA who also takes on independent clients under their own PTIN is responsible for a WISP covering that independent work.

What MFA does an EA or bookkeeper need to enforce?

Multi-factor authentication is required on every system that touches customer information — email, tax software, document portals, cloud accounting (QuickBooks Online, Xero, Sage), payroll platforms, practice management, remote access, and any admin console. Phishing-resistant factors (authenticator apps or FIDO2 keys) are the 2026 baseline; SMS-only MFA is increasingly flagged as a weak control.

What happens if a bookkeeper or EA has a data breach without a WISP?

Three things stack: FTC enforcement under the Safeguards Rule with penalties currently up to $51,744 per violation; for EAs and other PTIN holders, IRS exposure including a potentially false PTIN attestation under 18 U.S.C. § 1001; and cyber insurance non-renewal or claim denial because the application materially misrepresented controls. State attorneys general can also bring independent actions.

How quickly do I have to notify regulators after a breach?

The FTC requires notification within 30 days of discovering a security event affecting the unencrypted information of 500 or more consumers. The IRS Stakeholder Liaison should be notified for any client-data incident affecting tax data, generally within 24–72 hours. State breach-notification statutes have their own timelines, typically 30–60 days. Cyber insurance carriers usually require notice within 48–72 hours per the policy.

Can I share my CPA firm's WISP if I'm an independent EA contracted to them?

You can reference and rely on it for the work you do under the firm's umbrella, but it has to clearly include you in scope and you have to actually follow it. If you also serve clients independently, that independent practice needs its own WISP.

Where do bookkeepers and EAs start?

Take the free 15-question compliance quiz to find your specific gaps, then use the free IRS WISP template as the structural starting point. Move to a continuously-monitored platform if the document needs to stay current with a real-world environment that changes through the year.

This guide is informational and does not constitute legal advice. Regulatory interpretation evolves; verify current requirements directly with the FTC and IRS, and engage qualified counsel for firm-specific questions.

References

Sources & References

Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.

  1. IRS Publication 5708 — Creating a Written Information Security Plan
  2. IRS Publication 4557 — Safeguarding Taxpayer Data
  3. FTC Safeguards Rule (16 CFR Part 314)
  4. Gramm-Leach-Bliley Act (GLBA) Safeguards
  5. IRS Tax Security — Protect Your Clients, Protect Yourself
  6. NIST Cybersecurity Framework
  7. Microsoft Security Documentation
Free Compliance Starter Kit

Get the free WISPWolf Compliance Starter Kit

Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.

Free WISP Compliance Score

Get Your Free WISP Compliance Score

See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.

IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required