When are tax pros required to use multi-factor authentication?
National Association of Tax Professionals
In today’s digital landscape, the protection of client data has become more critical than ever, particularly for tax professionals who handle sensitive financial information. The growing need for robust security measures has led to an industry-wide requirement for multi-factor authentication (MFA).
What is multi-factor authentication?
MFA is a security system that requires multiple forms of verification before granting access to a system or data. This process involves more than just a password; it includes a combination of factors such as something you know (a password), something you have (a mobile device for a text message or push notification) and sometimes something you are (biometrics like a fingerprint or retinal scan).
While the term “multi-factor” might seem daunting, it is quickly becoming a standard in data security. Currently, tax professionals are required to have at least two types of authentication in place. Because most MFA setups require two factors, MFA is sometimes referred to as two-factor authentication. As data breaches and cyber threats continue to rise, the industry is expected to move toward even more robust forms of MFA.
Why is MFA a requirement now?
The push for MFA is not a recent development. Its origins date back to the late 1990s with the Gramm-Leach-Bliley Act, which established safeguards for financial institutions to protect client data. In 2021, the Federal Trade Commission (FTC) updated its safeguard rules, mandating specific operational changes that went into effect in June 2023. These changes included the requirement for financial institutions, including tax firms, to implement MFA as a crucial security measure.
For tax professionals, the benefits of the MFA requirement extend beyond compliance; it is about protecting clients and the integrity of tax practices. Given the increasing frequency of cybersecurity attacks, relying solely on passwords is no longer sufficient. MFA adds an essential layer of protection, ensuring that unauthorized individuals cannot easily access systems and client information.
What systems need to be protected?
What data and systems need to be protected with MFA? The answer is straightforward — all client data should be safeguarded. It is more effective to protect all data rather than selectively deciding which information requires protection.
In terms of systems, any system that has access to client data should be protected by MFA. This includes:
For additional security, extend MFA protection to all accounts including social media and personal accounts to ensure that no avenue is left vulnerable to attack.
Consequences of non-compliance
Failing to implement MFA can have severe consequences. The penalties for non-compliance with the FTC’s safeguards can exceed $100,000. Even more alarming is the possibility of personal liability if a breach occurs and the tax professional is found negligent.
The damage, however, isn’t limited to financial penalties — reputation is also at risk. For some firms, the reputational damage caused by a data breach can be catastrophic, potentially leading to the closure of the business, even if the financial impact is managed.
Overcoming the barriers to MFA implementation
Despite its importance, many tax professionals are hesitant to implement MFA due to perceived cost and inconvenience. However, the cost is minimal, with many software providers offering MFA at little to no extra charge. The real challenge lies in adapting to the added steps required by MFA, but given the high stakes, this inconvenience is a small price to pay for securing a business and its client data.
Staying informed and connected
It is crucial for tax professionals to stay informed about the latest security requirements and best practices. Regular training for firm owners and staff is not just recommended—it is mandated by the FTC safeguards. NATP encourages all tax pros to take advantage of the resources available through the organization, including courses and peer support.
Multi-factor authentication is not just a compliance requirement; it is a vital tool in protecting tax practices and clients from the ever-growing threat of cyberattacks. For those who have not yet implemented MFA, now is the time to do so.
Tech Entrepreneur > Founder & CEO at CountingWorks, Inc. | Kwillt, Inc.
2 months ago
Thanks for covering this issue. I think you are right; many see this as a nuisance when logging in. However, as stewards of your clients' financial data, it is crucial to protect both parties. The IRS has been actively educating about the 2FA mandates, and you can learn more here. Link: https://www.irs.gov/newsroom/multi-factor-authentication-key-protection-to-tax-professionals-security-arsenal-now-required