MYCPE ONE

Compliance requirements for outsourcing stem primarily from three key regulations: FTC guidelines, AICPA standards, and IRS mandates. The IRS specifically outlines compliance requirements related to outsourcing, while the FTC and AICPA focus on regulations concerning the use of third-party services, which extend to outsourcing practices. 

These requirements are equally applicable when engaging independent contractors. In this blog, we will delve into these regulations in detail to provide a comprehensive understanding of their implications.

Obtaining a client’s consent under IRC 7216, or as required by the AICPA Professional Code of Conduct, might feel like stumbling through a nightmare, but it isn't as daunting as it appears. This consent is pivotal for safely handling and sharing taxpayer information in today's data-driven accounting world. 

Whether pre-COVID, when practices were different, or post-COVID, as firms adjust to new normals, understanding and applying Section 7216 remains a constant necessity.

If you're hesitant to ask your clients for consent under Section 7216 or the AICPA Professional Code of Conduct, you might be surprised to learn that it's simpler than you think, even when you're considering offshore outsourcing to manage heavy workloads.

We’ll cover everything your firm needs to know about the Section 7216 and AICPA Professional Code of Conduct requirements for obtaining client consent, to help you navigate the hurdles you might expect in obtaining such consent.

When is 7216 consent required? 

Breaking the perception: what would my client think about offshoring? Read our full blog here for detailed guidance on this question. 

Since its introduction in 2009, the client consent process has been streamlined. There have been zero IRS enforcement actions reported under this section to date. Notably, tax services aren't subject to peer reviews, which focus on audits, not tax work. 

Post-pandemic, the landscape for offshoring has broadened significantly, further allaying initial concerns within the tax community. 

Offshoring has not only persisted but flourished, debunking early apprehensions about client resistance.

Regulation | Consent & Disclosure | Due Diligence & Supervision | IT & Data Security
IRS | ✅ | ✅ | ✅
AICPA | ✅ | ✅ | ✅
FTC | - | ✅ | ✅

Detailed Comparison

What IRS, AICPA, and FTC Expect When You Outsource

What are the AICPA Requirements?  

Technical Requirements

1. AICPA 1.150.040 USE OF A THIRD-PARTY SERVICE PROVIDER: The "Transparency" Rule  

If you hire an outside company (a Third-Party Service Provider, or TPSP) to help do the actual work (like tax prep or bookkeeping), the client has a right to know. You cannot pretend you are doing it all yourself. You generally must tell the client in writing before you share their files.  

"Clients might not have an expectation that a member would use a third-party service provider to assist the member in providing the professional services. Therefore, before disclosing confidential client information to a third-party service provider, the member should inform the client, preferably in writing, that the member may use a third-party service provider."  

This means clients hire you. They expect you (or your direct employees) to do the work. If you plan to send their work to an outside company (a third party), you need to tell them. Therefore, you must be transparent: tell the client, preferably in writing, that an outside team is helping. 

If the client says "No, I don't want my data going to a third party," you have to respect that. You have two choices: either do the work yourself without the third party, or tell the client you cannot take the job (decline the engagement). 

The "Administrative Exception" 

You do not need to tell the client if you are using a third party just for "back office" tech support, like storing files in the cloud (Dropbox/Google Drive) or using a tax software (like Lacerte or UltraTax) to e-file. This is considered a tool, not an outsourced employee. 

"A member is not required to inform the client when he or she uses a third-party service provider to provide administrative support services to the member (for example, record storage, software application hosting, or authorized e-file tax transmittal services)" 

2. AICPA 1.700.001 CONFIDENTIAL CLIENT INFORMATION (GENERAL RULE): The "Golden Rule" of Privacy 

As a CPA or accountant, you are like a doctor or a lawyer. Everything a client gives you is secret by default. You cannot tell anyone anything about the client's business unless the client explicitly says "Yes" (gives specific consent). 

"A member in public practice shall not disclose any confidential client information without the specific consent of the client." 

The "Official" Exceptions 

There are very few times you are allowed to break this secrecy without asking the client first. These are mostly for "regulatory" reasons so the accounting industry can police itself. 

  • Peer Review: If another CPA firm is auditing your firm's quality control (peer review), you can show them client files. 
  • Legal/Board Orders: If the State Board of Accountancy or a court investigates you, you have to comply. 

"With few exceptions, such as peer review under the AICPA or a state CPA society, or Board of Accountancy authorization, etc." 

3. AICPA 1.700.040: The "Protection" Rule  

To actually send the client's data to the outside team, you have two choices to stay legal: 

  • Option A: Enter into a contractual agreement with the third-party service provider to maintain the confidentiality of the information and provide reasonable assurance 
  • Option B: If you don't have a contract (or if the law requires it), you must get Specific Consent from the client.

"Therefore, before disclosing confidential client information to a third-party service provider, the member should do one of the following: Enter into a contractual agreement with the third-party service provider to maintain the confidentiality... OR Obtain specific consent from the client before disclosing confidential client information to the third-party service provider." 


Other Requirements 

1. Regulatory Clause 1.300.040 Use of a Third-Party Service Provider (The "Vetting" Rule)  

Due Diligence Documentation: 

Before using a third-party service provider, the member should ensure that the third-party service provider has the required professional qualifications, technical skills, and other resources.  

Factors that can be helpful in evaluating a prospective third-party service provider include business, financial, and personal references from banks, other CPAs, and other customers of the third-party service provider; the third-party service provider’s professional reputation and recognition in the community; published materials (articles and books that he or she has authored); and the member’s personal evaluation of the third-party service provider.   

AICPA Recommended Due Diligence Checklist (Link)

Adequate Supervision:  

The member must adequately plan and supervise the third-party service provider’s professional services so that the member ensures that the services are performed with competence and due professional care. The member must also obtain sufficient relevant data to support the work product and comply with all technical standards applicable to the professional services.   

IT Infrastructure and Data Security:  

Members must ensure that the third-party service provider adheres to robust IT infrastructure and data security protocols. This includes implementing secure data transmission methods, establishing user rights management systems, and deploying incident response plans. 

The service provider should also follow cybersecurity best practices, conduct regular audits, and maintain compliance with relevant data protection regulations.  

Additionally, members should ensure that cloud-based solutions meet AICPA-recommended security standards and that the provider has the capacity to safeguard confidential client data against unauthorized access, breaches, or loss. 

These measures are critical to upholding professional and ethical responsibilities when outsourcing.  

AICPA Recommended IT Set up & Security Guidelines (Link)  

"Third-party service provider has the required professional qualifications, technical skills, and other resources... Evaluating a prospective third-party service provider include business, financial, and personal references... Adequately plan and supervise the third-party service provider’s professional services."

Rule / Clause | What it covers | What this means for the Accounting Firm (Action Item)
Requirement 1 (1.150.040) | Getting Permission | You must ask the client (in writing) before outsourcing.
General Rule (1.700.001) | Total Secrecy | Unless you have a signed paper saying otherwise, you cannot share client data with anyone outside your firm.
Requirement 2 (1.700.040) | The "Safety Net" | Contract OR Consent. You generally want Option A: sign an agreement with your vendor, so you don't have to ask the client for permission every single time (unless state law requires it).
1.300.040 (Qualifications) | Hiring Standards | Don't just hire based on price. Ensure that the third-party service provider has the required professional qualifications, technical skills, and other resources.
1.300.040 (Due Diligence Documentation) | Background Checks | Check references. Factors for evaluating a prospective third-party service provider include business, financial, and personal references from banks, other CPAs, and other customers of the third-party service provider; the third-party service provider’s professional reputation and recognition in the community; and published materials.
1.300.040 (Adequate Supervision) | Quality Control | Review the work. You cannot just "pass through" the work. You must review the return/books as if your own junior staff did it. You own the final product.

 

NYS CODE OF PROFESSIONAL CONDUCT FOR CPA – CONFIDENTIAL INFORMATION RULE 

Rule 301 - Confidential Information.

A member who practices public accountancy shall not disclose any confidential client information, nor disclose any confidential employer information, obtained in the course of performing professional services without the specific consent of the client or employer, unless specifically required or authorized by law, subject to the exceptions outlined below. 

A member shall take reasonable measures to protect confidential client and employer information.

Sample Language by AICPA

(AICPA Sample Client Disclosure Language for Outsourcing Rules)

The firm may from time to time, and depending on the circumstances, use third-party service providers in serving your account. We may share confidential information about you with these service providers, but remain committed to maintaining the confidentiality and security of your information. 

Accordingly, we maintain internal policies, procedures and safeguards to protect the confidentiality of your personal information.

In addition, we will secure confidentiality agreements with all service providers to maintain the confidentiality of your information and we will take reasonable precautions to determine that they have appropriate procedures in place to prevent the unauthorized release of your confidential information to others. 

In the event that we are unable to secure an appropriate confidentiality agreement, you will be asked to provide your consent prior to the sharing of your confidential information with the third-party service provider. Furthermore, the firm will remain responsible for the work provided by any such third-party service providers. 

View AICPA Sample Language Guidance 

What are the Requirements for 7216 compliance?

Basic Consent Requirement

1. Separate Written Document:

Consent for each separate disclosure or use must be in a distinct written document. It can be provided on paper or electronically, and it may be included as an attachment to an engagement letter.

2. Paper Consent Requirements:

Must use 8.5" x 11" (or larger) paper. All text must solely address the authorized disclosure or use. Font size must be at least 12-point (no more than 12 characters per inch). Must include all elements specified in section 5.04 (and section 5.06, if applicable).

3. Electronic Consent Requirements:

Presented on one or more computer screens, with text only related to the consent (except navigation tools). Text size must match or exceed standard body text size on the website or software. Must include:

  • All required elements from section 5.04 (and section 5.06, if applicable).
  • Signature and date fields for taxpayer compliance with section 6.
  • A readable and printer-friendly format.

4. Identification of Parties: 

The consent must include the names of both the tax return preparer and the taxpayer.

5. Purpose and Recipient of Disclosure:

For disclosures, the consent must specify the intended purpose. The consent must identify the specific recipient(s) of the information. For uses beyond tax preparation, each type of product or service (e.g., loans, insurance) must be identified.

6. Specific Information to Be Disclosed or Used: 

The consent must clearly specify the tax return information that will be disclosed or used.

7. Disclosure to International Recipients:

If the information is disclosed to a preparer located outside the U.S., prior taxpayer consent is required under § 301.7216-3, per § 301.7216-2(c) and (d).

8. Signature and Date:

The consent must be signed and dated by the taxpayer.

Additional Requirements for 1040 Outsourcing

1. Form & Content: 

The form and content of the disclosure shall be as prescribed under Section 7216. (View Sample Consent Prescribed by AICPA)

2. Prior Consent: 

Taxpayer consent should be obtained prior to any disclosure of their information.

3. Affirmative consent:  

All consents must require the taxpayer’s affirmative consent to a tax return preparer’s disclosure or use of tax return information. A consent that requires the taxpayer to remove or deselect disclosures or uses that the taxpayer does not wish to be made (i.e., an “opt-out” consent) is not permitted.

4. Adequate data protection safeguard: 

Pursuant to § 301.7216-3(b)(4), a tax return preparer located within the United States, including any territory or possession of the United States, may disclose a taxpayer’s SSN to a tax return preparer located outside of the United States or any territory or possession of the United States with the taxpayer’s consent only when both the tax return preparer located within the United States and the tax return preparer located outside of the United States maintain an adequate data protection safeguard at the time the taxpayer’s consent is obtained and when making the disclosure. 

An adequate data protection safeguard is a management-approved and implemented security program, policy, and practice that includes administrative, technical, and physical safeguards to protect tax return information from misuse, unauthorized access, or disclosure and that meets or conforms to one of the following privacy or data security frameworks:

  1. The United States Department of Commerce “safe harbor” framework for data protection (or a successor program);
  2. A foreign law data protection safeguard that includes a security component (e.g., the European Commission’s Directive on Data Protection);
  3. A framework that complies with the requirements of a financial or similar industry-specific standard that is generally accepted as best practices for technology and security related to that industry (e.g., the BITS, Financial Services Roundtable, Financial Institution Shared Assessment Program);
  4. The requirements of the AICPA/CICA Privacy Framework;
  5. The requirements of the most recent version of IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities; or
  6. Any other data security framework that provides the same level of privacy protection as contemplated by one or more of the frameworks described in (1) through (5).

5. Disclosure of the Name of Company Located Outside the U.S.: 

The provision requires disclosing the name of the company or tax preparer located outside the U.S. who is involved in handling your information.

6. Electronic Consent: If consent is obtained electronically, then:

  • Taxpayer affirmatively enters 5 or more characters unique to the taxpayer that the tax return preparer uses to verify the taxpayer’s identity. For example, entry of a response to a question regarding a shared secret could be the type of information by which the taxpayer authorizes disclosure or use of tax return information.
  • Have the taxpayer type in the taxpayer’s name and then hit “enter” to authorize the consent. The software must not automatically furnish the taxpayer’s name so that the taxpayer only has to click a button to consent.

7. Validity of Consent: 

Your consent remains valid for the duration you specify. If no duration is specified, the consent is valid for one year from the date of signature. We typically recommend that clients obtain multi-year consents, with many opting for a 5- or 10-year term. However, a consent stating that it remains valid as long as you remain a client may not meet IRS requirements.
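The basic and additional requirements above can be checked mechanically before a consent is relied on. The Python checker below is an added example, not code from the MYCPE ONE post or any IRS form: the Consent record, its field names and the framework identifiers are assumptions made for this illustration, and the values used in the assertions are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Frameworks the post lists as acceptable "adequate data protection safeguards"
# under Treas. Reg. § 301.7216-3(b)(4); the identifiers are constructed here.
ADEQUATE_SAFEGUARDS = {
    "commerce_safe_harbor",          # US Dept. of Commerce safe harbor (or successor)
    "foreign_data_protection_law",   # e.g. the European Commission data protection directive
    "financial_industry_standard",   # e.g. BITS / FSR Shared Assessment Program
    "aicpa_cica_privacy_framework",
    "irs_publication_1075",
}


@dataclass
class Consent:
    """One Section 7216 consent as the firm recorded it (hypothetical schema)."""
    preparer_name: str
    taxpayer_name: str
    recipients: list                       # recipients identified by name
    purpose: str                           # intended purpose of the disclosure
    information_disclosed: str             # which tax return information
    signed_on: Optional[date]              # None means the taxpayer never signed
    opt_out_style: bool = False            # "deselect to refuse" consent (not permitted)
    recipient_outside_us: bool = False
    discloses_ssn: bool = False
    us_preparer_safeguard: Optional[str] = None
    foreign_preparer_safeguard: Optional[str] = None
    medium: str = "paper"                  # "paper" or "electronic"
    paper_size_in: tuple = (8.5, 11.0)     # width, height in inches
    font_point: float = 12.0
    identity_entry: str = ""               # shared-secret characters the taxpayer typed
    name_prefilled: bool = False           # software supplied the taxpayer's name itself
    duration_years: Optional[int] = None   # None means no duration stated
    valid_while_client: bool = False       # "valid as long as you remain a client"


def check_consent(c: Consent) -> list:
    """Return the requirements the consent fails; an empty list means no findings."""
    findings = []
    # Identification of parties, purpose, named recipient(s), and information covered
    if not c.preparer_name.strip() or not c.taxpayer_name.strip():
        findings.append("identification: preparer and taxpayer must both be named")
    if not c.purpose.strip():
        findings.append("purpose: intended purpose of the disclosure not stated")
    if not c.recipients or any(not r.strip() for r in c.recipients):
        findings.append("recipient: every recipient must be identified by name")
    if not c.information_disclosed.strip():
        findings.append("scope: tax return information to be disclosed not specified")

    # Signature and date; affirmative rather than opt-out consent
    if c.signed_on is None:
        findings.append("signature: consent is not signed and dated by the taxpayer")
    if c.opt_out_style:
        findings.append("affirmative: opt-out consent is not permitted")

    # An SSN sent to a preparer outside the U.S. needs an adequate safeguard on both sides
    if c.recipient_outside_us and c.discloses_ssn:
        for side, framework in (("US preparer", c.us_preparer_safeguard),
                                ("foreign preparer", c.foreign_preparer_safeguard)):
            if framework not in ADEQUATE_SAFEGUARDS:
                findings.append(f"safeguard: {side} lacks an adequate data protection safeguard")

    # Form requirements depend on the medium
    if c.medium == "paper":
        width, height = sorted(c.paper_size_in)
        if width < 8.5 or height < 11.0:
            findings.append("paper: must be 8.5 x 11 inches or larger")
        if c.font_point < 12:
            findings.append("paper: text must be at least 12-point")
    else:
        if len(c.identity_entry) < 5:
            findings.append("electronic: taxpayer must enter 5 or more identity-verifying characters")
        if c.name_prefilled:
            findings.append("electronic: taxpayer must type their own name, not click a pre-filled one")
    if c.valid_while_client:
        findings.append("validity: 'as long as you remain a client' may not meet IRS requirements")
    return findings


def expires_on(c: Consent) -> Optional[date]:
    """Expiry: the stated duration, or one year from signature when none is stated."""
    if c.signed_on is None:
        return None
    years = c.duration_years if c.duration_years is not None else 1
    try:
        return c.signed_on.replace(year=c.signed_on.year + years)
    except ValueError:  # signed on 29 February; roll back to the 28th
        return c.signed_on.replace(year=c.signed_on.year + years, day=28)


def covers_disclosure(c: Consent, disclosed_on: date) -> bool:
    """Prior consent: signed on or before the disclosure date, not yet expired, no findings."""
    if c.signed_on is None or check_consent(c):
        return False
    return c.signed_on <= disclosed_on < expires_on(c)
```

covers_disclosure() combines the prior-consent rule with the one-year default validity, so a disclosure made before signing or after expiry is rejected even when the form itself passes every check.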


For Non-1040 work

Non-1040 taxpayers – Consent to disclosure of tax return information

Taxpayers who are not filers of returns in the Form 1040 series may use language prescribed in this revenue procedure or consents whose formats and content do not conform to this revenue procedure as long as the consents otherwise meet the requirements of Treas. Reg. § 301.7216-3. 

For non-1040 work, such as payroll, sales tax, corporate tax returns, or write-up work, the following content can be added to the engagement letter, including for 1099-related services. 

While the form and content haven’t been specified, all Section 7216 regulations still apply to non-1040 work. This includes obtaining prior, affirmative consent signed by the client, ensuring adequate data protection safeguards from service providers, and disclosing the name of the third-party service provider.

If the consent is obtained electronically, it must also comply with the electronic consent regulations. All other requirements, including consent validity, remain applicable, so all basic requirements of the consent must be followed.

Foreign Outsourcing Disclosure Engagement Letter Sample Language as prescribed by AICPA for Non-1040 work

“The taxpayer authorizes that any and all information furnished to us for or in connection with the preparation of tax returns under this engagement letter may, for a period of up to [insert number of years] years from the date of this engagement letter, be disclosed to [insert name], located outside the United States, engaged directly or indirectly in providing tax planning or preparation of tax returns.

Disclosures under this paragraph may consist of all information contained in tax returns. If the taxpayer wishes to request a limited disclosure of tax return information, the taxpayer must inform us. The taxpayer acknowledges that their tax return information may be disclosed to our affiliates, related entities or subcontractors located outside the United States.”

Recommendation to Include General Disclosure Consent in Engagement Letters

Although content and form haven’t been specified in regulation, to ensure compliance, we recommend including a general consent as prescribed by AICPA for disclosure within engagement letters for all clients. This consent should identify the service provider explicitly, addressing any potential claims or violations proactively. 

While Section 7216’s requirements leave room for interpretation, our discussions with insurance providers and legal counsel support this approach as a best practice. This consent should apply firm-wide to maintain consistency and compliance, with possible exceptions for a small subset (1-2%) of high-value clients, as needed.

Comparison

IRS 7216 Consent Requirement | Applicable Rules | For 1040's | Non-1040 Work
Form & Content | | Prescribed | Not Prescribed
Separate Written Document | Basic | |
Purpose of the Consent | Basic | ✅ |
Paper Consent Requirement Rules Applicability | Basic | ✅ |
Electronic Consent Requirements Rules Applicability | Basic | ✅ |
Specific Tax Return Information To Be Disclosed | Basic | ✅ | ✅
Identification of Parties | Basic | ✅ | ✅
Signature and Date | Additional | ✅ | ✅
Form & Content as Prescribed | Additional | ✅ | ⛔
Separate Engagement Letter | Additional | ⛔ |
Additional Electronic Consent Requirements Rules Applicability | Additional | ✅ | ✅
Prior Consent | Additional | ✅ | ✅
Affirmative Consent | Additional | ✅ | ✅
Adequate Data Protection Safeguard (pursuant to § 301.7216-3(b)(4)) | Additional | ✅ |
Disclosure of the Name of Company Located Outside the U.S. | Additional | ✅ | ✅
Validity of Consent | Additional | ✅ |


Penalty 

IRS Section 7216 (Criminal Penalties):  

Reference: Internal Revenue Code § 7216; Treasury Regulation § 301.7216-1 

This is not just a fine; it is a criminal statute. 

Penalty: Up to 1 year in prison and a fine of up to $1,000 per violation (per client/return). 

Read: 26 U.S. Code § 7216(a)

IRC Section 6713 (Civil Penalties): 

Reference: Internal Revenue Code § 6713 

Even if they don't pursue criminal charges, the IRS can hit you with civil fines. 

Penalty: $250 per disclosure, up to a maximum of $10,000 per year. 

Read:  26 U.S. Code § 6713(a)

Revocation of E-File Privileges:  

Reference: IRS Publication 3112 (IRS e-file Application and Participation) and Revenue Procedure 2007-40 

Beyond fines, the IRS can suspend your EFIN (Electronic Filing Identification Number). For a modern firm, losing the ability to e-file is effectively a death sentence for the business.

What is the FTC Safeguards Rule and how does it apply to CPA firms?

The Federal Trade Commission (FTC) enforces the privacy and safeguard provisions of the GLBA for non-banking financial institutions, including CPA and Accounting firms. 

What's Gramm-Leach-Bliley Act?

“The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.”

The Gramm-Leach-Bliley Act establishes the framework for protecting consumer financial information, while the FTC enforces these provisions. 

Understand the FTC Safeguards Rule

Under the Safeguards Rule, financial institutions must protect the consumer information they collect. The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of this type of information. The “financial institutions” definition includes professional tax preparers. 

Are CPA Firms Really Financial Institutions?

The definition of “financial institution” is broader than one may think. Per the Safeguards Rule, “an entity is a ‘financial institution’ if its business is engaging in an activity that is financial in nature or incidental to such financial activities.” Per federal regulations referenced in the Safeguards Rule, this includes any number of financial and investment advisory activities, including providing tax planning and preparation services to any person for personal, family, or household purposes.

“An accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution because tax preparation services is a financial activity listed in 12 CFR 225.28(b)(6)(vi) and referenced in section 4(k)(4)(G) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G).”

The FTC Safeguards Rule is a critical piece of compliance, especially when you're working with offshore partners. Let's dive into what it means for your CPA firm: 

Why is this applicable to outsourcing? 

An outsourcing company falls within the definition of a “service provider”: “Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.”

The responsibility of CPA and tax firms is to oversee service providers by:  

  • Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue.  
  • Requiring your service providers by contract to implement and maintain such safeguards.
  • Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

FTC Compliance

Under FTC regulations, CPA and tax firms that outsource services must ensure their outsourcing partner meets specific compliance requirements. As per the FTC Safeguards Rule, outsourcing companies fall within the definition of a “Service Provider”, meaning they have access to customer information and must adhere to strict data security standards. 

Firms’ Responsibilities When Outsourcing 

CPA and tax firms are directly responsible for overseeing their outsourcing partners and must: 

  • Select and retain service providers capable of maintaining appropriate safeguards for customer information. 
  • Ensure compliance through contractual obligations, requiring outsourcing firms to implement and maintain FTC-mandated security safeguards. 
  • Conduct periodic risk assessments, evaluating the adequacy of their outsourcing partner’s safeguards and addressing potential risks.

FTC Requirements

Ref: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314?toc=1

Under FTC Safeguards Rule § 314.4 (with the exceptions in § 314.6), specific security requirements apply based on the number of consumers a financial institution serves. Firms maintaining customer information for fewer than 5,000 consumers are exempt from certain requirements, including written risk assessments, periodic penetration testing, a written incident response plan (WIRP), and annual reporting by the designated individual (DI). 

As a service provider handling sensitive financial data, we ensure full compliance with all FTC Safeguard requirements, regardless of exemptions. Our policies include comprehensive risk assessments, continuous security monitoring, WISP implementation, and breach notification protocols, ensuring that our clients meet the highest security and regulatory standards.


Clause | Pointers | Description | No. of Clients >5000 | No. of Clients <5000 | MYCPE ONE Compliance
A | Designate Individual (DI) | Designate a qualified individual responsible | TRUE | TRUE | TRUE
B | WISP - Risk Assessments | Base your information security program on potential risk assessment | TRUE | TRUE | TRUE
B1 | WISP - Risk Assessments | Risk assessment shall be written & include identified security risk | TRUE | - | TRUE
B2 | WISP - Risk Assessments | You shall periodically perform additional risk assessments that reexamine potential risk | TRUE | TRUE | TRUE
C | Implement Safeguards | Design and implement safeguards to control the risks you identify through risk assessment | TRUE | TRUE | TRUE
D1 | Test & Monitor | Regularly test or otherwise monitor the effectiveness of the safeguards | TRUE | TRUE | TRUE
D2 | Test & Monitor | Continuous monitoring or periodic penetration testing and vulnerability assessments | TRUE | - | TRUE
E | Empower - DI | Implement policies and procedures to ensure that personnel are able to enact the WISP | TRUE | TRUE | TRUE
F | Service Providers | Oversee service providers | TRUE | TRUE | TRUE
G | Adjust WISP | Evaluate and adjust your information security program in light of monitoring results | TRUE | TRUE | TRUE
H | WIRP | Establish a Written Incident Response Plan (WIRP) | TRUE | - | TRUE
I | Reporting of DI | Require your Qualified Individual to report in writing, regularly and at least annually | TRUE | ⛔ | TRUE
J | Notify FTC in case of Breach | Notify the Federal Trade Commission about notification events in | TRUE | TRUE | TRUE


Key Requirements Your Offshore Partner Must Meet

Under the FTC Safeguards Rule, your offshore partner must have a comprehensive security program in place. This includes designating a qualified individual to oversee the information security program and conducting regular risk assessments to identify potential threats to client data. The partner must also implement safeguards to address these risks, such as encryption, secure data disposal practices, and multi-factor authentication for anyone accessing customer information. 

Employee management is a key aspect of compliance. Offshore partners should conduct background checks on employees who have access to sensitive customer information and provide regular security awareness training. Access to customer information should be restricted based on job necessity to minimize the risk of unauthorized access. 

Service provider oversight is another requirement under the FTC Safeguards Rule. You must ensure that your offshore partner is capable of maintaining appropriate security safeguards and regularly assess their compliance with these standards. The rule also mandates that offshore partners develop and maintain a written incident response plan, covering data backup, recovery, and emergency operations in the event of a security breach.

Your Responsibilities: 

  • Ensure your offshore partner understands and complies with the FTC Safeguards Rule 
  • Regularly assess your partner's security measures

FTC Insights: "The Safeguards Rule requires companies to develop, implement, and maintain a comprehensive information security program." (FTC Safeguards Rule, 16 CFR Part 314)

Consequences Of Non-Compliance?

  • Under Title 18 of the United States Code, firms can face fines of up to $100,000 per violation  
  • Firm leaders can be personally liable for up to $10,000 per violation.  
  • There’s even the potential for a prison sentence of up to five years for non-compliance.

We suggest conducting an annual joint review with your offshore partner to assess FTC Safeguards Rule compliance and identify areas for improvement. 

Which AI tools trigger IRC § 7216 Consent Requirements?

Artificial intelligence has arrived in the accounting profession — not as a future possibility, but as a daily operational reality. Platforms like ChatGPT, Claude, Google Gemini, Intuit Assist, SurePrep TaxReaderAI, Botkeeper, Vic.ai, and dozens of other AI-assisted products are now used by CPA firms to categorize transactions, identify deductions, reconcile accounts, extract data from tax documents, and even draft return schedules. 

This is not a technology story. It is a compliance story. And the compliance framework that governs it has existed for decades — it just has not yet been applied, explicitly, to AI.

Does § 7216 Apply to AI?

IRC § 7216 prohibits any tax return preparer from disclosing or using tax return information — for any purpose other than return preparation — without the taxpayer's affirmative consent. The statute was enacted in 1971 and contains no reference to technology. That is precisely what makes it applicable to AI: the language is technology-neutral and does not require a specific AI carve-out to apply. 

The operative question is not whether the recipient of client data is human or automated. It is whether the CPA firm submitted client-identifiable tax return information to a third party. If it did, a disclosure under § 7216 occurred — regardless of whether that third party is a human preparer in India or an AI platform operated by a technology company. 

The Test: Did client-identifiable tax return information leave your firm's systems and enter a third-party platform? If yes: § 7216 requires consent — and no published IRS exemption covers AI tool use as of April 2026. 

Which AI Tools Are Covered? 

The following categories all fall within the § 7216 analysis when used with client tax data: 

  • General-purpose AI (ChatGPT, Claude, Gemini): When used with client data pasted in, these platforms receive a § 7216 disclosure to their operators (OpenAI, Anthropic, Google). 
  • Tax-specific AI SaaS (Intuit Assist, SurePrep TaxReaderAI, TaxDome AI, Canopy AI): Purpose-built tax AI products are still third-party processors. The fact that they are designed for tax work does not create a § 7216 exemption. 
  • AI bookkeeping platforms (Botkeeper, Vic.ai, Docyt, Dext Precision): When bookkeeping data is part of the tax preparation chain, processing that data through a third-party AI platform triggers § 7216. 
  • AI document extraction (Adobe Acrobat AI, AWS Textract, Microsoft Copilot with tax documents): Extracting data from W-2s, 1099s, and bank statements via AI directly processes the most sensitive return information. 

No Exemption Exists

Treasury Regulation § 301.7216-2 lists permissible disclosures that do not require consent. None of them cover AI tool use. The closest — the 'administrative exception' for software hosting and e-file transmission — does not reach AI tools performing substantive analytical work. The exception covers infrastructure (storage, transmission); AI that categorizes, analyzes, or generates tax output is performing substantive work, not administrative support.

Consent Requirements

Under Rev. Proc. 2013-14 and § 301.7216-3, consent must name the recipient, describe the purpose, specify the information disclosed, and be affirmatively signed by the taxpayer. For AI use, this means: 

  • The AI platform must be identified (by name or by category — e.g., 'AI-assisted preparation tools used by [firm] and its service providers') 
  • The function must be described ('to assist in categorizing financial transactions and identifying applicable deductions') 
  • If the AI processes data on servers outside the U.S., the additional 'adequate data protection safeguard' requirement under § 301.7216-3(b)(4) applies 
  • Opt-out consent is expressly prohibited — each client must affirmatively consent 

AICPA Rules

AICPA ethics rules impose parallel, and in some ways broader, obligations. ET § 1.700.001 prohibits disclosure of confidential client information without specific consent. ET § 1.150.040 requires written disclosure to the client before using a third-party service provider for substantive client work. ET § 1.700.040 requires either a confidentiality contract with the TPSP or specific client consent. All three rules apply to AI platforms performing substantive tax or bookkeeping work on client data.

FTC Safeguards Rule 

CPA and accounting firms are 'financial institutions' under the FTC Safeguards Rule (16 CFR Part 314) because tax preparation is a listed financial activity under 12 CFR § 225.28(b)(6)(vi). Under § 314.4(f), firms must require their service providers — by contract — to implement appropriate data security safeguards. An AI platform receiving client data is a service provider. A consumer AI subscription (ChatGPT Plus, Gemini Standard) is not a contract satisfying this requirement. Only an enterprise-grade Data Processing Agreement meets the standard.

Model Engagement Letter Language 

The following paragraphs are designed to be inserted into CPA firm engagement letters to satisfy § 7216 consent, AICPA ET §§ 1.150.040 and 1.700.040, and FTC Safeguards Rule § 314.4(f) requirements for AI tool use. Counsel should review before adoption. State-specific requirements may impose additional obligations. Adapt bracketed fields to your firm's specific AI tools and practices.

Option A: Broad AI Disclosure

Use when firm uses or may use AI tools but prefers not to name specific vendors in the engagement letter (which would require amendment each time a new tool is adopted).

Use of Artificial Intelligence and Technology Service Providers 

In providing services under this engagement, [Firm Name] may use artificial intelligence (AI) tools and AI-assisted software platforms as part of our work processes. These tools may be used to assist with transaction categorization, document processing, data analysis, schedule preparation, and other functions related to the professional services described in this engagement letter. 

Your consent: In accordance with Section 7216 of the Internal Revenue Code and Treasury Regulation § 301.7216-3, your signature below constitutes your affirmative consent for [Firm Name] and its service providers — including AI and software tools used in our work processes — to receive, process, and use your tax return information as necessary to provide the services described in this engagement. 

AI tools used in our practice operate under enterprise-grade data agreements that prohibit the use of your information for the training of AI models and that require appropriate data security safeguards. [If offshore staff are used: Some services may be performed by staff or service providers located outside the United States, including [name of offshore provider], located in [country]. All such service providers are contractually required to maintain data security safeguards that meet the requirements of § 301.7216-3(b)(4) of the Treasury Regulations.] 

We remain responsible for all work product produced under this engagement, including work assisted by AI tools. You may withdraw this consent at any time by notifying us in writing, in which case we will notify you whether we are able to continue the engagement on that basis. 

This consent is valid for a period of [five (5) years] from the date of your signature below, or for the duration of our engagement, whichever is shorter. 

Option B: Named AI Vendor Disclosure  

Use when a specific AI platform (e.g., an AI bookkeeping tool) is integral to the engagement and naming it provides greater transparency. Requires amendment if the vendor changes.

Section 7216 Consent — AI-Assisted Services 

[Firm Name] uses [Name of AI Platform, e.g., Botkeeper, Vic.ai, or similar] to assist with [describe function: e.g., automated transaction categorization and bookkeeping services / AI-assisted tax document processing]. In providing these services, your financial and tax return information, including [describe: e.g., bank transaction records, income and expense information, payroll data], will be shared with [Name of AI Platform], operated by [Vendor Company Name], located at [Address / Country of operation]. 

By signing this engagement letter, you affirmatively consent to this disclosure pursuant to IRC § 7216 and Treasury Regulation § 301.7216-3. [If outside U.S.: [Vendor Name] is located outside the United States. [Vendor Name] maintains an adequate data protection safeguard as required by § 301.7216-3(b)(4) under [specify framework: e.g., the EU-U.S. Data Privacy Framework / ISO 27001 / IRS Publication 1075 equivalent].] This consent is valid for [five (5) years] from the date of signature. 

Electronic Consent — Additional Requirements

If consent is obtained electronically (via DocuSign, client portal, or similar), the following additional requirements under Rev. Proc. 2013-14 apply for 1040 engagements: 

  • The taxpayer must affirmatively enter 5 or more unique characters to authorize consent (e.g., typing their name — the system must not pre-populate it). 
  • Consent text must be presented on the screen with no other content, and must be readable and printer-friendly. 
  • Electronic signature and date must be captured. 
  • For non-1040 work, electronic consent requirements are somewhat more flexible but must still satisfy § 301.7216-3 and be affirmative.
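The consent elements listed under "Consent Requirements" above (named recipient, purpose, information disclosed, affirmative signature, offshore safeguard) and the electronic-consent rules just listed can be turned into a pre-engagement check that a firm runs over the consent records its portal captures. The following is an added example written for this post, not code from the original page or from MYCPE ONE; the record fields, the two constructed sample records and the five-year default validity period are assumptions, and "5 or more characters" is read as the length of what the taxpayer actually typed.

```python
"""Validator for an electronically captured IRC 7216 consent record.

Added example, not from the original post or MYCPE ONE. It checks a record
against the elements the post lists: recipient, purpose and information stated;
5+ characters typed by the taxpayer and not pre-populated; no pre-checked box;
signature date captured; consent obtained before work starts and still within
its validity window; safeguard attestation for offshore recipients.
Field names, sample records and the five-year default are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class ConsentRecord:
    recipient: str                # vendor name or category named in the consent
    purpose: str                  # function the recipient performs
    information: str              # tax return information being disclosed
    typed_signature: str          # characters the taxpayer actually typed
    prefilled_signature: str      # what the field showed before typing ("" if blank)
    box_checked: bool             # taxpayer checked the agreement box
    box_prechecked: bool          # box was already checked when the page loaded
    signed_on: Optional[date]     # date captured with the signature
    validity_years: int = 5       # assumed default validity period
    offshore: bool = False        # recipient processes data outside the U.S.
    safeguard_attested: bool = False  # 301.7216-3(b)(4) safeguard documented


def _add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping Feb 29 to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def validate_consent(rec: ConsentRecord, work_start: date) -> List[str]:
    """Return the list of defects found; an empty list means every check passed."""
    problems: List[str] = []

    # Content elements: recipient, purpose and information must all be stated.
    for label, value in (("recipient", rec.recipient), ("purpose", rec.purpose),
                         ("information", rec.information)):
        if not value.strip():
            problems.append(f"{label} not stated")

    # Affirmative entry: 5+ characters typed, and not a value the form filled in.
    typed = rec.typed_signature.strip()
    if len(typed) < 5:
        problems.append("fewer than 5 characters typed")
    if rec.prefilled_signature.strip() and rec.prefilled_signature.strip() == typed:
        problems.append("signature was pre-populated")

    # A pre-checked box is opt-out consent, which is not affirmative consent.
    if rec.box_prechecked:
        problems.append("agreement box was pre-checked")
    elif not rec.box_checked:
        problems.append("agreement box not checked")

    # Date must be captured, precede the work, and be inside the validity window.
    if rec.signed_on is None:
        problems.append("signature date not captured")
    elif rec.signed_on > work_start:
        problems.append("consent dated after work started")
    elif work_start >= _add_years(rec.signed_on, rec.validity_years):
        problems.append("consent expired before work started")

    # Offshore processing needs the adequate data protection safeguard.
    if rec.offshore and not rec.safeguard_attested:
        problems.append("offshore recipient without safeguard attestation")

    return problems


# Constructed sample records; no real client data.
GOOD = ConsentRecord(
    recipient="AI-assisted preparation tools used by Example CPA LLC and its service providers",
    purpose="categorizing financial transactions and identifying applicable deductions",
    information="W-2, 1099 and bank transaction data for the 2025 return",
    typed_signature="Jane Q. Taxpayer", prefilled_signature="",
    box_checked=True, box_prechecked=False, signed_on=date(2025, 11, 3),
)

BAD = ConsentRecord(
    recipient="", purpose="bookkeeping", information="bank transactions",
    typed_signature="Jane Q. Taxpayer",
    prefilled_signature="Jane Q. Taxpayer",  # portal filled the name in for the client
    box_checked=True, box_prechecked=True,
    signed_on=date(2026, 4, 15),             # signed at filing time, after work began
    offshore=True,
)


def check_good() -> List[str]:
    return validate_consent(GOOD, work_start=date(2026, 1, 15))


def check_bad() -> List[str]:
    return validate_consent(BAD, work_start=date(2026, 1, 15))


if __name__ == "__main__":
    print("good record:", check_good() or "passes")
    for problem in check_bad():
        print("bad record:", problem)
```

Running the block reports the good record as passing and lists five defects for the bad one (missing recipient, pre-populated signature, pre-checked box, consent dated after work started, offshore recipient without a safeguard attestation). The check is deliberately conservative: it flags consent signed on or after the work start date, which is the "consent must be prior" rule the post restates in its FAQs.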

MYCPE ONE's Recommendation 

Do not wait for the IRS to issue specific AI guidance before acting. The existing § 7216 framework, AICPA ethics rules, and FTC Safeguards Rule collectively require action now. Firms that update their engagement letters, transition to enterprise AI with signed DPAs, and document AI use in their WISP will be ahead of the curve when formal guidance arrives and will avoid the enforcement exposure that builds for those who do not. 

For offshore staffing specifically: your offshore service provider agreement must explicitly govern AI tool use by offshore staff. Offshore staff using unapproved AI platforms with U.S. client data creates a double-exposure — two separate § 7216 disclosures without consent — that is among the highest-risk compliance gaps in the current environment. 

Challenges with Freelancers and Mom & Pop Shops:

When working with mom-and-pop shops or freelancers, there are typically compliance challenges under Section 7216.

1. Adequate data protection safeguard:

First, the adequate data protection safeguard required by § 301.7216-3(b)(4) may not be met.

2. Foreign Company Name on the Consent: 

It’s essential to specify the name of the company handling your information. As a U.S.-based company with an Indian counterpart, we offer the advantage of legal recourse within the U.S., meaning that if an issue arises, you can pursue action here. In contrast, working directly with a freelancer or foreign counterpart often leaves you without legal recourse and without assurance that required safeguards under Section 7216 are in place.

3. Contractual Agreement: 

Additionally, the AICPA's professional code of conduct requires a formal contractual agreement, which may not always be adequately in place when working with freelancers or small, independent providers.

4. Adequate Due Diligence: 

Furthermore, the code mandates thorough due diligence to assess the third-party service provider’s competence. This includes gathering documentation, obtaining reasonable assurances, and evaluating their credibility through references, community recognition, and published materials available online. Such due diligence can be challenging when dealing with third-party providers, particularly smaller or less established ones or freelancers.

Getting Next Year’s Engagement Signed Before Thanksgiving

We always recommend that once the October 15 deadline has passed, firms should send out engagement letters, tax organizers, and consent letters to their clients within the following week. The goal is to have all signed documents returned by Thanksgiving. To ensure timely completion, it is crucial to follow up with clients and emphasize the benefits of early engagement.  

Why This Matters

  • Avoiding Tax Season Pressure – Let clients know that finalizing engagement letters early allows for better planning and ensures their tax filings receive detailed attention without the last-minute rush. 
  • Tracking Client Consent – Sending engagement letters early provides clarity on which clients have given consent and which have not. This enables proactive follow-ups, allowing firms to address any concerns and secure commitments. 
  • Optimizing Resource Planning – Early responses help firms determine labor requirements both onshore and offshore, especially for tax-related work. This allows for strategic workforce planning and ensures sufficient staffing. 
  • Utilizing Offshore Capacity Efficiently – After the October 15 deadline, offshore staff typically experience a lighter workload. This period can be effectively used for engagement follow-ups, tax estimations, and other preparatory tasks. 

By implementing this approach, firms can streamline operations, reduce last-minute stress, and optimize both client experience and internal efficiency.  

Industry Expertise Matters

There are numerous outsourcing providers specializing in engineering, IT, medical billing, etc., who often expand into accounting services under the assumption that these fields are similar. However, the accounting industry demands specialized expertise, which is why the AICPA’s Professional Code of Conduct mandates that firms working with third-party service providers conduct thorough due diligence to evaluate their professional competence. 

CPAs and accounting firms, in particular, should ensure they do not engage with third-party providers that are incompetent. In such cases, as per AICPA requirements, members must ensure that any third-party provider has the necessary professional competence, technical skills, and credibility before engaging their services. Without this assurance, you may face additional challenges in meeting these standards.

WHY MYCPE ONE

1. Name Change Clarification: 

As we transition from Entigrity to MYCPE ONE through our merger, we understand that some clients have questions regarding the impact of this change on previously obtained consents under Section 7216, particularly those with consent terms of 5 to 10 years. In 2024, the merger occurred at the parent level. 

The entity that previously operated under the name Entigrity remains intact, with no immediate change to its legal entity status or name. In 2025, we anticipate a name change of the company. 

However, our existing DBA (Doing Business As) name, Entigrity, will continue to be recognized and valid, even after the rebranding process. If you have already obtained client consent under Section 7216 that references Entigrity, there is no need to renew or amend this consent. 

The DBA Entigrity will remain valid, and all consents referring to Entigrity will continue to comply with disclosure requirements. All prior consents remain legally effective, eliminating the need for additional consents solely due to our name change or merger activities at the parent level.

2. Our Due Diligence Checklist: 

We provide comprehensive documentation to support your due diligence, ensuring compliance with AICPA, IRS, and FTC requirements. This includes references from existing clients, testimonials, our IT and data security policies, our contractual agreement, and our cybersecurity and professional liability insurance policies. Additionally, we offer third-party certifications, including Great Place to Work, ISO 27001, and GDPR compliance. 

Our active participation in community initiatives—such as webinars, events, conferences, and outsourcing awareness initiatives (including this blog)—further supports our commitment to transparency and compliance. (Please email us at chris@my-cpe.com and we shall share with you the complete documentation about our company for your due diligence.)

3. Our Expertise of working with CPA & Accounting firms: 

For the past ten years, we have been exclusively dedicated to the accounting industry, building deep expertise in supporting accounting and CPA firms—not only through outsourcing but also in continuing education. This specialized focus aligns with AICPA professional code of conduct requirements and gives our clients a distinct advantage, allowing us to serve them more effectively than any competitor.  


Resources

Particulars | Topic
How the FTC Safeguards Rule may affect your CPA firm | FTC Requirements
Can your firm complete the FTC Safeguards Rule checklist? | FTC Requirements
Written Information Security Plan (WISP) | IRS Requirements
AICPA resources and articles | IRS Requirements
Creating a Written Information Security Plan for your Tax & Accounting Practice | IRS Requirements
AICPA Outsourcing Toolkit - PCPS | AICPA Requirements
Safeguarding Taxpayer Data: A Guide for Your Business | IRS Requirements
Section 7216 Guidance and Sample Consent Forms | IRS Requirements
Section 7216 Frequently Asked Questions | IRS Requirements
Rev. Proc. 2013-19 | IRS Requirements
Rev. Proc. 2013-14 | IRS Requirements
Treasury Regulations | IRS Requirements
Outsourcing and professional liability | AICPA Requirements
Guidance Note - AICPA Professional Ethics Executive Committee - Jan 2005 | AICPA Requirements
AICPA Code of Professional Ethics | AICPA Requirements



Disclaimer

Our guidance is grounded in extensive practical experience from the past nine years, during which we have worked closely with attorneys and insurance companies to support CPAs and accounting firms. This collaboration has provided us with valuable insights that shape our approach and recommendations. 

However, it's essential to consult with your independent attorney and insurance companies, to seek expert advice on these legal matters, and to conduct your own due diligence. Additionally, the data presented above is based on our internal experiences and estimates, not on any independent survey. 

Each state may have its own regulations regarding client consent. While most states adhere to AICPA guidance on the professional code of conduct, it’s essential to review your specific state’s requirements to ensure compliance with any additional disclosure obligations. 

Yes, it is essential to inform your insurance company when you engage in outsourcing. Different insurance companies have their own requirements and may provide additional guidance, recommendations, or regulatory compliance expectations. We work closely with the AICPA Membership Insurance Program and Camico, and our guidance is informed by our experiences with these firms. Consulting your insurance provider ensures you meet their specific requirements and stay compliant with any additional recommendations they may have.

FAQs

You can work with an offshore independent contractor, freelance worker, or a small mom-and-pop shop, provided they comply with IT, data security, and due diligence requirements. However, 99% of the time, such providers fail to meet these standards. So technically you will be in violation. 

This is why we always recommend partnering with a reputable player who specializes in this industry, has proven experience, and can serve as a reliable long-term partner. Offshoring is not a one-time task—it’s an ongoing commitment that requires consistent compliance and reliability. 

We provide comprehensive documentation in advance for your due diligence and IT and data security compliance in a single package, helping you meet all these requirements seamlessly. Connect with our specialist at chris@my-cpe.com or call us at 646-827-4348 for more information, or feel free to schedule a call at https://my-cpe.com/schedule-call-offshore-team

The requirement to obtain consent under IRS regulations depends on the type of work being performed. In contrast, the consent requirements under AICPA and FTC regulations are applied to the entity itself, irrespective of the nature of the work being conducted.

IRS Consent Applicability:

  • Under IRS rules, consent is required based on the specific services being performed. For instance, bookkeeping services are generally not subject to this requirement unless they are explicitly linked to tax preparation.
  • A nuanced scenario arises when bookkeeping and tax preparation are covered under a single engagement letter. In such cases, consent would be required because the joint engagement letter covers tax-related services.

Nuance in Tax Preparation and Write-Ups:

  • A key question is whether an annual write-up prepared for the purpose of tax filing qualifies as part of tax preparation. While this area can be considered grey, the practical answer is yes.
  • If the primary purpose of the write-up or annual bookkeeping is to facilitate tax return filing, it falls under the scope of IRS 7216, and consent is likely required.

Understanding and navigating these requirements is essential to ensure compliance with IRS, AICPA, and FTC regulations, particularly when multiple services are bundled under a single engagement.

Yes, consent is required for business tax returns. IRS 7216 mandates consent for tax return information, though it does not prescribe a specific form or content for the consent. Following AICPA recommendations can simplify compliance. Here’s the AICPA’s prescribed format. (Click Here)

While the consent doesn’t need to be on a separate form, it must explicitly disclose:

  • The name of the service provider.
  • The duration of the consent.

This consent can be included in your engagement letter as long as it meets the above requirements.

IRS regulations require you to disclose the name of the service provider in the engagement letter, whether for 1040 work or non-1040 work. This requirement extends to all work under IRS work jurisdiction, including payroll, income tax, sales tax, and any personally identifiable information (PII) related to tax preparation.

  • Affirmative Consent: All three regulatory requirements —IRS, AICPA, and FTC—require explicit affirmative consent. Implied or passive consent is not valid.
  • Electronic Consent: Must include a five-digit unique code typed in by the client. The client must type their name and actively check a box to agree to terms and conditions. Auto-filled names or pre-checked boxes are not acceptable.
  • Paper Consent: Must include a signature and date. A separate consent form is required for 1040 tax returns.

Many firms face challenges, such as delayed return of engagement letters from clients or finalizing fees only when the copy of the tax return is delivered to the client. However, to comply with these regulations, consent must be clear, prior, and explicit. Delayed or implied consent will not suffice. Ensuring adherence to these requirements will help you avoid potential violations and ensure smooth compliance with IRS, AICPA, and FTC regulations.

Consent must be obtained prior to performing any work involving tax information. Sending the engagement letter or obtaining consent at the time of filing the tax return is a violation of these requirements. Consent must be secured in advance.

All three regulations require due diligence when engaging third-party service providers. AICPA provides a detailed due diligence checklist to ensure compliance. (Click here) Similarly, IRS requirements mandate proper vetting and safeguarding when working with third-party outsourcing vendors. Refer to the resources listed at the bottom of this page.

If the consent involves two individuals filing jointly, such as in the case of married filing jointly, we recommend obtaining consent from both individuals.

While the AICPA Professional Code of Ethics may not apply if you are not a member of AICPA, you are still subject to the compliance requirements established by the state accounting board with which you are registered. Most state boards either have their own Code of Ethics or align with the AICPA Code of Ethics, meaning you are likely still subject to similar ethical and compliance standards for outsourcing. It is essential to verify these requirements with your respective state board to ensure full compliance.


Unlike the IRS, AICPA and FTC regulations do not have specific guidelines solely focused on outsourcing. However, whether you outsource domestically within the US or work with a domestic service provider, the same requirements apply. This includes obtaining explicit consent through the engagement letter, conducting proper due diligence, and ensuring compliance with IT and data security standards. These measures are critical for maintaining compliance and safeguarding client information.


If you have separate engagement letters for accounting and tax services, only the tax engagement is subject to IRS 7216 requirements, while the accounting engagement is not. However, if you are a CPA or an accounting firm, the AICPA Code of Professional Ethics still applies to CPA firms, and FTC regulations continue to apply to all accounting and tax firms. These overarching regulations require compliance with ethical standards, due diligence, and data security, irrespective of the type of engagement.


If you have your own setup or office in an offshore country, your offshore entity will still be treated as a third party, even if it is a subsidiary. Similarly, if you directly work with an independent contractor and pay them directly, they are not considered your employees but remain independent contractors. Consequently, all applicable regulations—including those from the IRS, AICPA, and FTC—apply as if you were working with any other third party. This makes it crucial to ensure compliance with these regulations, including due diligence, data security, and consent requirements. Many firms that establish offshore operations fail to meet these compliance standards, underscoring the importance of understanding and addressing these requirements in detail.


The FTC regulation under the Gramm-Leach Bliley Act (GLBA) is primarily applicable to financial institutions because they serve as custodians of their customers’ personally identifiable information (PII). Under the GLBA’s definition, accounting and tax firms are considered financial institutions due to their role in handling sensitive customer information. As custodians of such sensitive data, these firms fall under the purview of FTC regulations, making compliance with the GLBA a critical requirement for safeguarding client information.




Shawn Parikh

Co-Founder & CEO

Shawn Parikh, CA, is the Co-Founder and CEO of MYCPE ONE, a global platform empowering 3,000+ CPA firms through innovative CPE solutions, offshoring, marketing, M&A, and beyond. With over 15 years of experience, Shawn helps accounting and tax professionals scale smarter. He is a visionary entrepreneur, value investor, and hardcore believer in using tech and education to drive change. Passionate about innovation and growth, he continues to inspire firms worldwide to embrace AI, strategic thinking, and long-term success. Beyond business, Shawn drives social impact through the Social Eye Foundation, advocating for accessible education and stronger communities.
