Tax professionals can no longer ignore WISP (written information security plan) compliance. How you follow the FTC Safeguards Rule and IRS Publication 4557 is now under closer scrutiny. This is crucial for anyone handling sensitive client data.

A WISP isn’t just a document. It’s a living plan that shows how your firm protects taxpayer information. It also covers how to reduce cybersecurity risks and stay audit-ready all year.

Tax professionals must follow WISP compliance protocols if they store, send or work with client data. This applies to all firms, big or small.

What does a WISP include?

A WISP includes broad security policies tailored to your firm’s operations. While each plan is unique, most address the following areas:

• Risk assessment of your systems and data
• Access controls for employees, contractors and third parties
• Encryption protocols for data in transit and at rest
• Incident response procedures in case of a breach
• Ongoing training and security awareness
• Documentation and annual review of policies and protocols

Why WISPs matter

A tax preparer in a mid-size firm experienced a phishing attack just weeks before filing season. While their software was up to date, they had no formal incident response plan or employee training on data handling. The result? A breach report to the IRS and multiple hours of downtime, during their busiest week of the year.

A documented WISP backed by real safeguards could’ve helped mitigate the damage and possibly prevented the incident altogether.

Many firms know what’s required in a WISP but haven’t verified their technology supports it. Partnering with a trusted cybersecurity expert specializing in tax and accounting can help ensure your tech safeguards match your written policies.

5 steps to start strengthening your firm’s WISP

1. Educate yourself on the core components of a WISP. NATP’s online workshop can help with that.
2. Map your technology environment, including where client data is stored or accessed.
3. Note any gaps, such as a lack of encryption, missing policies or informal processes.
4. Designate a WISP owner – even if it’s just you – for maintaining updates.
5. Document your plan and make it part of your annual compliance review.

Common questions about WISP compliance

What is a written information security plan?
A written information security plan (WISP) outlines how your practice safeguards client data across administrative, technical, and physical layers. It serves as your compliance roadmap for handling sensitive information.

Is WISP compliance mandatory for tax professionals?
Yes. The FTC Safeguards Rule and IRS Publication 4557 outline WISP expectations for any business that handles taxpayer data, including sole proprietors.

Do I need an IT consultant to build a WISP?
Not necessarily. Many firms begin with self-guided templates and educational tools. However, validating the technical side with a security partner is often recommended.

How often should the WISP be reviewed or updated?
Annually, at a minimum, or sooner if there are changes to your software, vendor stack, or staffing structure.

Does cloud hosting help meet WISP standards?
Yes, especially platforms that offer encryption, access control, continuous monitoring and formal compliance frameworks like SOC 2.

Pairing policy with protection

NATP’s on-demand webinar helps tax professionals build strong, compliant security policies. After creating your WISP, ensure your IT systems can support those protections. Use secure backups, encrypted access and monitor your systems year-round.

The right mix of policy, training, and infrastructure ensures your firm is compliant and resilient.

The clean vehicle credit process looks different this tax season. With the option to transfer credits directly to the dealer, new reconciliation steps are required on your client’s return. Understanding how to report the credit and navigate Form 8936 will help prevent filing issues and ensure accurate tax reporting.

Below, you’ll find a few of the top questions from a recent webinar on the topic and their corresponding answers. If you choose to attend the on-demand version of this webinar, you can access the full recording and the entire list of Q&As.   

Q: Is Form 15400, Clean Vehicle Seller Report, required if the buyer transfers the credit to the dealer?

A: Yes, Form 15400 is required when the buyer transfers either the clean vehicle credit or previously used clean vehicle credit. Publication 5905 (Rev. 1-25) contains details of the process.

Q: Is there a way to claim the credit if the taxpayer does not receive the seller report?

A: No, the report is used to verify the purchase and eligibility of the vehicle and purchaser. The instructions state: “If you elected to transfer the credit to the dealer, you are required to reconcile the Clean Vehicle Credit on your income tax return for the year the vehicle is placed in service.” Reconciliation cannot occur without the report, and the credit is not valid.

Q: Can a married couple split the credit if they file married filing separately (MFS)?

A: No, the credit is only available to the vehicle buyer whose name is on the seller report, and whose identification number is also listed there. The credit cannot be split.

Q: If the credit is passed to the dealer and if, after reconciling the credit, the taxpayer does not qualify, is there a repayment obligation?

A: Yes, if upon reconciliation on Form 8936, Clean Vehicle Credit, the credit qualifications are not met, the disqualified portion will be added to the taxpayer’s tax liability as if it was never reduced or they never received the price reduction on the vehicle.

Q: What if a buyer has insufficient tax liability to fully use a transferred credit?

A: The credit can be used only to the extent that the taxpayer has a tax liability to absorb it; it is not carried over into future years. Unused credit amounts are lost.

---

To learn more about reconciling clean vehicle credits, you can watch our on-demand webinar. NATP members can attend for free, depending on membership level! If you’re not an NATP member and want to learn more, join our completely free 30-day trial.

Question: Alex purchased his home in 2024, and his average mortgage balance for the year was $900,000. He paid $32,000 in mortgage interest during the year. He is single and wants to know how much of his mortgage interest is deductible on Schedule A (Form 1040), Itemized Deductions.

Answer: Under §163(h)(3)(F)(i)(II), for mortgages taken out after December 15, 2017, the deduction for mortgage interest is limited to the interest paid up to $750,000 of home acquisition debt for single filers. Interest attributable to mortgage debt above this limit is not deductible.

Alex’s average mortgage balance of $900,000 exceeds the allowable limit by $150,000 ($900,000 –- 750,000). To calculate the deductible portion of his interest, apply the following ratio:

$750,000 / $900,000 = 0.833 (or 83.3%)

0.833 × $32,000 = $26,656

Alex may deduct $26,656 of the mortgage interest he paid in 2024 on Schedule A (Form 1040), Itemized Deductions. The remaining $5,344 of interest is not deductible.