Confidentiality in Tax Practice

The Financial Accounting Resource Center™ is a comprehensive research service that provides the full text of standards, the latest news from the Accounting Policy & Practice Report ®,...

Cathy Allen

By Cathy Allen

Cathy Allen helps CPAs and others understand and apply auditor independence and professional ethics rules though consultation, training, litigation support and expert services. Ms. Allen was a Managing Director in PwC and served as senior staff to the AICPA Professional Ethics Executive Committee (PEEC), where she was instrumental in developing standards and tools for the profession, such as the AICPA Plain English Guide to Independence and the Conceptual Framework for Independence. She authors several AICPA courses and other publications, including the Institute’s Ethics and Professional Conduct: Updates and Professional Ethics: The AICPA’s Comprehensive Course, and has written on professional ethics for various publications. Ms. Allen is a CPA in New York, New Jersey and Maryland and serves on the New York State Board for Public Accountancy and the National Association of State Boards of Accountancy (NASBA) Board of Directors as Northeast Regional Director. She also chairs the NASBA’s Ethics Committee and contributes to AICPA PEEC task forces.

As we embark upon the 2017 tax season, and look ahead to 2018, we should reflect on the professional responsibilities that differentiate CPAs from the rest of the pack. Tax practitioners have a duty to help clients minimize their tax burden while paying the amount legally owed under the tax code. Tax practitioners act as their clients’ advocate for these purposes but CPAs also must maintain confidentiality of the client’s information, be competent, exercise due care, and act with integrity, objectivity, and sometimes independence. This Insight highlights one of these critical ethics requirements—maintaining the confidentiality of a client’s information.

Keeping Confidences

With very limited exceptions, the AICPA Code of Professional Conduct and state accountancy boards require CPAs to obtain a client’s explicit consent before disclosing confidential client information to outside parties. “Confidential client information” is information the CPA obtained from the client that is not available to the public. Information that is already in the public domain, for example, on websites, or in public filings or publications, is excluded.

A CPA may release confidential client information without consent to: (i) comply with a validly issued and enforceable subpoena or summons; (ii) comply with professional standards, laws or regulations; (iii) enable an authorized peer review of the CPA’s firm; (iv) initiate or respond to a duly authorized investigation by AICPA, state CPA society or state accountancy board; or (v) permit review connected to the prospective purchase, sale, or merger of all or part of an accounting/tax practice. State accountancy board rules may or may not mirror the AICPA Code, and CPAs should comply with the strictest requirements.

The ‘Safeguards Rule’

A rule that’s been gaining more attention lately, but is apparently not yet widely known in the tax preparer community is the Federal Trade Commission’s (FTC’s) “safeguards rule,” which was adopted as part of the Gramm-Leach-Bliley law and applies to financial institutions’ handling of customer information. The following appears on the FTC’s web site:

The definition of “financial institution” includes many businesses that may not normally describe themselves that way. In fact, the Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. This includes, for example, check-cashing businesses, payday lenders…professional tax preparers…

Though CPAs are not financial institutions, thanks to this definition, tax preparers are subject to the law’s safeguards rule, namely, extensive client information security provisions. According to an August 2017 press release, the FTC settled charges alleging that TaxSlayer (not a CPA firm) violated the safeguards rule by failing to develop a written comprehensive security program, conduct a risk assessment to identify reasonably foreseeable internal and external risks to security, and implement information security safeguards that would help prevent a cyberattack. New York State’s Department of Financial Services adopted a rule that became effective this year and goes beyond requirements in the safeguards rule.

Internal Revenue Code

CPAs should comply with Internal Revenue Code (IRC) Section 7216, which prohibits tax return preparers from “knowingly or recklessly” disclosing or using tax return information without the explicit, written consent of the client. Frequently-asked-questions are available at

Blowing the Whistle

A CPA needs the client’s explicit written consent to disclose tax return information in a report to the IRS Office of Professional Responsibility or in a complaint filed with a state accountancy board regarding a previous preparer’s substandard tax work.

The International Ethics Standards Board for Accountants (IESBA) recently adopted a standard that requires accountants (including tax practitioners) to take certain actions when they become aware of a client’s noncompliance with laws and regulations (NOCLAR). Among other things, the rule requires accountants to disclose NOCLAR to the appropriate members of management so they can address the NOCLAR. The accountant must later evaluate whether management has addressed the NOCLAR and whether the accountant should consider further action(s). If the accountant believes the NOCLAR is not sufficiently addressed, the IESBA framework gives accountants the right to disclose NOCLAR to an appropriate regulator when public interest concerns warrant it and applicable laws do not prohibit the disclosure. In considering the IESBA rule, the AICPA proposed a rule that did not incorporate this right to disclose without client consent because the Code and most state accountancy boards prohibit such action, unless a law or regulation requires the accountant to disclose the NOCLAR.

Currently, the AICPA Code addresses a situation in which a CPA withdraws from an engagement after discovering irregularities in a client’s tax return. If contacted by the successor, the CPA should suggest that the successor ask the client for permission to discuss all matters with the successor. If the client refuses, the successor is effectively on notice.

Outsourcing Tax Preparation

Firms that subcontract tax return preparation services to other companies should obtain their clients’ specific consent to disclose information to the other company. Alternatively, the CPA can ensure that the subcontractor agreement provides reasonable assurance that the company has appropriate procedures in place to protect the client’s information. The FTC safeguards rule requirements go beyond these measures and requires the CPA to oversee all contractors’ handling of client information.

Who’s Your Client?

The AICPA recently clarified the Code’s definition of “client,” and the CPA’s responsibilities for maintaining client confidentiality. For example, Ann engages a CPA to prepare her and her husband’s joint tax return. Even if the CPA works exclusively with Ann, both spouses are a single client. Accordingly, if the couple initiates divorce proceedings and Ann instructs the CPA to withhold joint tax information from her husband, the CPA may provide the information to both spouses, because both are “the client.” If, however, a company engages the CPA to perform personal tax services to its executive staff, the CPA has two clients, since the “engaging” entity (company) and the “subject” entities (executives) are different. If the company requests information about the executives’ personal tax situations, the CPA must obtain each executive’s explicit consent to provide that information.

Copyright © 2018 Tax Management Inc. All Rights Reserved.

Request Financial Accounting