Tax Preparers: No WISP Means No PTIN — What Miami Accountants and Tax Professionals Need to Know

June 12, 2026

If you prepare tax returns for compensation in Miami or anywhere in the U.S., you are legally required to have a Written Information Security Plan — and you must certify it under penalty of perjury every time you renew your PTIN. Most tax preparers don't know the full extent of what's at risk.

Your PTIN Depends on Your WISP — Here's What That Means

Every paid tax preparer in the United States must renew their Preparer Tax Identification Number (PTIN) annually. Without a valid PTIN, you cannot legally prepare or sign federal tax returns. The IRS processes renewals for more than 800,000 tax professionals each year.

Since 2024, that renewal process includes a mandatory checkpoint that many tax preparers in Miami and across South Florida have not fully prepared for: Form W-12 Line 11 — a checkbox requiring you to certify, under penalty of perjury, that you maintain a current Written Information Security Plan (WISP) that complies with the FTC Safeguards Rule and IRS Publication 4557.

If you check that box without actually having a compliant WISP in place, you have committed a federal crime under 18 U.S.C. § 1001. If you don't check it, your PTIN renewal can be delayed or denied — effectively shutting down your practice during filing season.

What Exactly Is a WISP and Why Do Tax Preparers Need One?

A Written Information Security Plan is a documented cybersecurity program that describes how your practice protects sensitive client information — Social Security numbers, income data, financial account details, and other nonpublic personal information (NPI) — from unauthorized access, disclosure, or breach.

The requirement originates from the Gramm-Leach-Bliley Act (GLBA), which classifies tax preparers as "financial institutions" under federal law (15 U.S.C. § 6809(3)) — the same legal category as banks and credit unions. The FTC enforces GLBA requirements through its Safeguards Rule (16 CFR Part 314), and the IRS reinforces them through Publication 4557 and the more detailed framework in Publication 5708.

The full compliance deadline for the enhanced FTC Safeguards Rule requirements was June 9, 2023. If you haven't built a compliant WISP since then, you are currently out of compliance — regardless of how many clients you serve or how small your practice is.

The Misconception That Gets Small Practices Into Trouble

The most dangerous misunderstanding among independent tax preparers and small CPA firms in Miami is this: "I only have a few clients — the WISP requirement doesn't apply to me."

It does. Completely.

The FTC Safeguards Rule has no small-practice exemption. The only threshold in the regulation — firms with fewer than 5,000 consumers — reduces one specific documentation requirement (a written report to a governing body) but leaves all core security obligations fully intact: written risk assessment, multi-factor authentication, encryption, incident response plan, employee training, and vendor oversight. Solo preparers doing a handful of returns per year are subject to the same WISP requirements as a 50-person CPA firm.

What Happens If You Don't Have a WISP

The consequences operate at multiple levels simultaneously:

Federal Criminal Exposure

Certifying on Form W-12 that you have a WISP when you don't constitutes a false statement on a federal form under 18 U.S.C. § 1001 — a federal crime. Separately, improper handling of taxpayer data can trigger criminal penalties under Internal Revenue Code Section 7216: up to $1,000 in fines and one year of imprisonment per unauthorized disclosure or use.

Civil Penalties

The FTC can impose civil penalties of up to $50,120 per violation (2025 inflation-adjusted figure under 15 U.S.C. § 45) for Safeguards Rule non-compliance. Each missing security control can constitute a separate violation — a practice missing MFA, encryption, and an incident response plan simultaneously faces those penalties compounding across each deficiency. Under Internal Revenue Code Section 6713, civil penalties for prohibited disclosures of tax return information reach $250 per violation with a maximum of $10,000 per calendar year.

PTIN and EFIN Revocation

The IRS Office of Professional Responsibility can revoke or suspend your PTIN for failure to maintain adequate security safeguards. The IRS can also revoke your Electronic Filing Identification Number (EFIN) following a data breach — effectively preventing you from e-filing returns during peak tax season. Either outcome shuts down your practice.

Data Breach Liability

Without a documented WISP, you have no evidence of reasonable security measures. If a client's data is breached, you face: malpractice lawsuits from affected clients, voided professional liability insurance (carriers treat absence of a WISP as willful negligence), mandatory breach notification costs, and forensic investigation fees. The IBM 2024 Cost of a Data Breach Report found the average total cost of a data breach to be $4.88 million. For small tax practices, even a fraction of that figure is practice-ending.

FTC Breach Notification Requirements

Effective May 13, 2024, the FTC Safeguards Rule requires covered financial institutions — including tax preparers — to notify the FTC within 30 days of discovering a breach affecting 500 or more consumers. Failure to notify carries additional penalties on top of the underlying security violation.

What a Compliant WISP Must Cover for a Tax Practice

IRS Publications 4557 and 5708 define the required elements. A compliant WISP for a tax preparation practice must address:

  1. Designated Qualified Individual — a named person responsible for the security program (can be the owner for solo practices)
  2. Risk Assessment — documented identification of threats to client data and evaluation of existing controls
  3. Data Inventory — where client NPI lives, how it's transmitted, and how long it's retained
  4. Access Controls — unique user accounts, principle of least privilege, MFA on all systems accessing taxpayer data
  5. Encryption — client data encrypted at rest and in transit using current standards
  6. Incident Response Plan — written procedures for detecting, containing, and reporting a breach
  7. Employee Training — annual security awareness training with signed acknowledgment records
  8. Vendor Management — documented oversight of all service providers handling client data (tax software, cloud storage, email)
  9. Annual Review — WISP updated at least annually and whenever significant operational changes occur

Other Professions With Similar WISP Requirements

Tax preparers are not the only professionals facing mandatory WISP requirements. The same FTC Safeguards Rule applies to any business classified as a financial institution under GLBA — a definition that extends well beyond banks:

  • CPA firms and accounting practices — regardless of whether they prepare tax returns
  • Bookkeepers and financial consultants handling client financial data
  • Mortgage brokers and loan officers
  • Financial advisors and investment professionals
  • Insurance agents handling nonpublic personal financial information
  • Law firms that handle financial transactions or tax-related matters for clients

For medical offices and healthcare providers, the HIPAA Security Rule creates an equivalent obligation through a different regulatory pathway — requiring a documented security program that functions like a WISP under HIPAA terminology.

What Wolf Tech Does for Tax Professionals and Accounting Firms in Miami

Wolf Tech IT Solutions builds custom Written Information Security Plans for tax preparers, CPA firms, bookkeepers, and financial professionals across Miami-Dade, Broward, and Palm Beach County. Our process covers the full IRS Publication 5708 and FTC Safeguards Rule framework — including risk assessment, policy documentation, employee training procedures, incident response planning, and vendor oversight documentation.

A Wolf Tech WISP isn't a downloaded template. It reflects your actual environment, your real systems, and your specific client data handling practices — which is what the IRS and FTC require when they ask to see it.

If your PTIN renewal is coming up and you don't have a current WISP in place, the window to get compliant before the next filing season is now.

People Also Ask

Is a WISP required for all tax preparers, including sole practitioners?
Yes. The FTC Safeguards Rule applies to all tax preparation businesses regardless of size, revenue, or number of clients. Even a sole practitioner preparing one return for compensation must maintain a compliant WISP. The 5,000-consumer threshold in the regulation reduces one specific documentation requirement only — it does not exempt small practices from the core WISP mandate.

Can I use a free WISP template from the IRS?
IRS Publication 5708 provides a sample framework that is a legitimate starting point. However, the IRS and FTC expect your WISP to reflect your actual systems and practices — not a generic template. A document that doesn't match your real environment offers limited protection in an audit or enforcement action and zero protection in a breach lawsuit.

What is the deadline to have a WISP for PTIN renewal?
PTIN renewal for the 2027 tax season will open in October 2026, with a December 31, 2026 deadline. You must have a current, compliant WISP in place before certifying on Form W-12. The IRS recommends completing renewal — and all security documentation — before the October opening of the renewal window.

All statistics and regulatory references cited in this article link to their primary sources. Wolf Tech does not modify or misrepresent source content.

  1. Internal Revenue Service. "PTIN Requirements for Tax Return Preparers." IRS.gov.
  2. Internal Revenue Service. IR-2025-108, October 27, 2025. "IRS Reminds Tax Pros to Renew PTINs for the 2026 Tax Season." IRS.gov.
  3. Federal Trade Commission. "Standards for Safeguarding Customer Information" (Safeguards Rule). 16 CFR Part 314. FTC.gov.
  4. Internal Revenue Service. Publication 4557: "Safeguarding Taxpayer Data — A Guide for Your Business." IRS.gov.
  5. Internal Revenue Service. Publication 5708: "Creating a Written Information Security Plan for Your Tax & Accounting Practice." IRS.gov.
  6. Gramm-Leach-Bliley Act. 15 U.S.C. § 6809(3). Definition of "financial institution" including tax preparation services.
  7. Internal Revenue Code § 7216 (26 U.S.C. § 7216). Unauthorized disclosure or use of tax return information. Criminal penalties: fine up to $1,000 and/or imprisonment up to 1 year per violation.
  8. Internal Revenue Code § 6713 (26 U.S.C. § 6713). Civil penalty: $250 per prohibited disclosure, maximum $10,000 per calendar year.
  9. IBM Security. "Cost of a Data Breach Report 2024." Average total cost of a data breach: $4.88 million.