PTIN Renewal 2026: The WISP Question Preparers Get Wrong

PTIN renewal season runs from October through December, and every paid tax preparer in the country has to renew. Buried in the renewal form is a question that has been there since 2023 but only recently started carrying real weight: “Have you implemented a Written Information Security Plan (WISP)?”

A surprising percentage of preparers click “yes” without thinking about it. The IRS has signaled, in increasingly direct ways, that this is not a question to answer lightly.

What the question means

The question asks whether you have, on file, a written document describing how your practice protects taxpayer information. Not whether you generally try to be secure. Not whether you have a password policy. Not whether your antivirus is up to date.

A document. In writing. Describing your security program.

That requirement comes from two places:

• The FTC Safeguards Rule (16 CFR Part 314), which since 2003 has explicitly defined paid tax preparers as “financial institutions” and required them to maintain a written security program.
• IRS Publication 4557 (“Safeguarding Taxpayer Data”), which is the IRS’s plain-language explanation of what the security program should look like, including the written plan requirement.

Both apply to solo practitioners. Both apply to a 100-person firm. There is no small-firm exemption.

What the IRS has been saying

Through 2024 and 2025, the IRS Office of Professional Responsibility has issued repeated public statements that the WISP question on PTIN renewal is meaningful. They have indicated, in webinars and in written guidance, that:

• Misrepresenting compliance is a misrepresentation to the IRS, with all the professional consequences that implies.
• Random sampling of WISP claims is on the table for future enforcement cycles.
• The IRS shares information with the FTC, which has actual enforcement authority over Safeguards Rule violations.

The pattern is the same one regulators always follow before serious enforcement: years of soft warnings, increasingly specific guidance, then selective public action. We are in the late “specific guidance” phase.

What an actual WISP looks like

The IRS template in Pub 4557 walks through the required content. A real WISP includes:

1. Designated Security Coordinator. By name, even if it’s the firm owner.
2. Information inventory. What taxpayer data you have, where it lives, who can access it.
3. Risk assessment. Annual, in writing.
4. Administrative safeguards. Hiring, training, vendor oversight, offboarding.
5. Technical safeguards. MFA, full-disk encryption, endpoint protection, secure backup, current patches.
6. Physical safeguards. Locked storage, building access, secure disposal.
7. Incident response plan. What you do in the first 24 hours of a breach.
8. Training program. Annual minimum.
9. Review cadence. When the document gets reviewed and re-signed.

The template is functional. It works best if you already understand the underlying technology and just need a structure. If you don’t, the template by itself is not enough. The controls have to exist.

The three groups we see at PTIN time

Working with tax preparers in West Texas, we see three patterns:

Group A. Have a real WISP, follow it. Roughly 15% of practices we encounter. They tend to be the ones who went through some kind of compliance moment in the past (a breach scare, a new partner with a corporate background, a CPA license review). They click yes on the PTIN form with confidence.

Group B. Have a “WISP” they bought five years ago. Maybe 20-25%. A vendor sold them a 30-page Word document that they signed once, filed in a binder, and have never updated. Most of the controls described in the document are aspirational. They click yes, technically defensible but materially weak.

Group C. Have no WISP at all. The majority. They click yes anyway because the alternative seems to invite IRS scrutiny.

The trap in Group C is that “yes” is the legally riskier answer over time. A truthful “no” can be remediated. A false “yes” cannot.

What to do if you’re in Group C

Order matters:

1. Use the IRS template in Pub 4557 as a starting structure.
2. Walk your practice honestly against the nine areas above. Where there are gaps, write them down.
3. Close the technical gaps first. MFA on email and tax software, full-disk encryption on every laptop, real endpoint protection, tested backups. Most can be done in a week with the right vendor.
4. Document what you do. The plan should describe your real practice, not a wish list.
5. Train your staff and document the training.
6. Sign and date the document.

If you start in October, you can plausibly be in Group A by the time you renew in December.

The two-minute version

Take our WISP Compliance Check. It walks the same nine areas the IRS covers, gives you an instant grade, and emails a written gap report. Free. No follow-up sales calls unless you ask.

If you want help writing the actual document or closing the technical gaps, that’s something we do for accounting and tax practices as part of our HIPAA-style compliance work (Pub 4557 and HIPAA Security Rule overlap heavily on technical controls). The work is typically 8-20 hours of engineering depending on practice size.

The deadline isn’t the PTIN form. The deadline is whichever phishing email finally lands.