The recently revised AICPA Code of Professional Conduct includes a new Confidential Client Information Rule under Section 1.700.001, which expands the guidance on maintaining the confidentiality of client information.
The general thought previously has been that if CPA tax practitioners were complying with Sec. 7216 and revisions of its related regulations that went into effect six years ago (Regs. Secs. 301.7216-1 through 301.7216-3), they were complying with the less detailed AICPA code Rule 301, Client Confidential Information.
Now that the new AICPA guidance with its expanded interpretations has taken effect (on Dec. 15, 2014), members are encouraged to assess their practices for compliance with both sets of rules.
New AICPA Confidential Client Information Rule
Former Rule 301 stated that “a member in public practice shall not disclose any confidential client information without the specific consent of the client,” but did not state the method for obtaining the consent. However, Rule 391, Ethics Rulings on Responsibilities to Clients, suggested that the consent be in writing (see Interpretation 391-2, “Disclosure of Client Information to Third Parties”). Former Rule 301 provided exceptions to the consent requirement for complying with Rule 202, Compliance With Standards, and Rule 203, Accounting Principles; complying with a valid subpoena, summons, or applicable statutes and government regulations; conducting a review of a member’s professional practice under AICPA or state CPA authority; or initiating or responding to a complaint made by a professional ethics organization. One interpretation under the rule regarding confidential information and the purchase, sale, or merger of a practice stated that client consent is not required in connection with a review of client confidential information in connection with the purchase, sale, or merger of a practice. The member, however, should take appropriate precautions (i.e., use nondisclosure agreements) to protect against the prospective purchaser’s disclosing confidential information.
New Rule 1.700.001 did not change former Rule 301 and maintained the existing exceptions. However, the revised AICPA code includes 11 interpretations under the rule to provide further guidance on confidentiality issues. These interpretations are largely based on ethics rulings made under the former code. They include:
- 1.700.005, “Application of the Conceptual Framework for Members in Public Practice and Ethical Conflicts”;
- 1.700.010, “Client Competitors”;
- 1.700.020, “Disclosing Information From Previous Engagements”;
- 1.700.030, “Disclosing Information to Persons or Entities Associated With Clients”;
- 1.700.040, “Disclosing Information to a Third-Party Service Provider”;
- 1.700.050, “Disclosing Client Information in Connection With a Review of the Member’s Practice”;
- 1.700.060, “Disclosure of Client Information to Third Parties”;
- 1.700.070, “Disclosing Client Information During Litigation”;
- 1.700.080, “Disclosing Client Information in Director Positions”;
- 1.700.090, “Disclosing Client Names”; and
- 1.700.100, “Disclosing Confidential Client Information as a Result of a Subpoena or Summons.”
Interpretation 1.700.005 addresses the use of the new Conceptual Framework that is incorporated into the revised AICPA code to help members identify, evaluate, and address threats to compliance with the ethics rules resulting from a specific relationship or circumstance not addressed in the code.
Notably, the Conceptual Framework requires members to evaluate whether safeguards can be applied to mitigate a threat of noncompliance. A member will be considered to have violated the Confidential Client Information Rule if the member cannot demonstrate that safeguards were applied to eliminate or reduce significant threats to an acceptable level (see Interpretation 1.700.005). Revised AICPA code Rule 1.000.010, Conceptual Framework for Members in Public Practice, provides additional guidance. This mandate to apply safeguards should give members pause—an unauthorized data breach could certainly represent a threat of noncompliance with the Confidential Client Information Rule. Members should consider whether their data security systems and processes for managing client information are up-to-date and enforced.
Obtaining client consent
The basic tenet of the Confidential Client Information Rule is that a member must obtain consent to disclose a client’s confidential information. This requirement is not new, and certainly members in tax practice should already be obtaining client consent before disclosing tax return information to third parties, as required under Sec. 7216. However, these two standards address different categories of information.
Confidential client information is defined in the AICPA code as any information obtained from the client that is not available to the public. Sec. 7216 applies to tax return information, which is any information that is furnished for, or in connection with, the preparation of a return (or amended return) of income tax imposed under chapter 1 of the Internal Revenue Code. Tax return information may be publicly available, but it would still be protected as tax return information by virtue of its being supplied as part of a tax return engagement. Conversely, a CPA could have client information subject to the Confidential Client Information Rule that is not covered by Sec. 7216, such as financial statements.
Disclosing information to a third-party service provider
One of the IRS’s motivations for revising the regulations under Sec. 7216 in 2009 was tax return preparers’ increasing use of outsourcing, both domestic and international. Sec. 7216 requires client consent for most types of disclosures of tax return information and use of third-party service providers. However, there is an exception for third-party providers of “auxiliary services” in connection with the preparation of tax returns. Sec. 7216 considers these providers to be preparers subject to Sec. 7216 by virtue of the nature of the services they provide. A disclosure to an auxiliary service provider located in the United States does not require consent under Sec. 7216 so long as the services provided are not substantive determinations or advice affecting the tax liability of taxpayers (Regs. Sec. 301.7216-2(d)). While a tax return preparer is required to notify a contractor (defined as a provider of services such as programming, maintenance, repair, testing, or procurement of equipment or software used for tax return preparation) of its obligations to not disclose tax return information, there is no such requirement under Sec. 7216 for the tax return preparer to notify an auxiliary service provider of the requirements of Sec. 7216 regarding the disclosure of tax return information.
The Confidential Client Information Rule’s approach is slightly different, with Interpretation 1.700.040 addressing client confidentiality and the use of third-party service providers (TPSPs). The interpretation starts with the premise that using a TPSP may threaten compliance with the Confidential Client Information Rule. It observes that because clients might not expect the member to use a TPSP, either the member should enter into a contractual agreement with the TPSP to maintain the confidentiality of the information and provide reasonable assurance that the TPSP has appropriate procedures in place to prevent the unauthorized release of confidential information, or the member should obtain specific consent from the client before disclosing the confidential client information to the TPSP. Thus, members must determine whether an auxiliary service provider under the Sec. 7216 regulations also is a TPSP and what steps must be taken to satisfy the standards under Interpretation 1.700.040.
Using anonymous client data
A CPA may receive a request from a third party such as a trade association or a surveying or benchmarking organization to disclose client information. Even if the information is presented in a manner in which the specific clients cannot be identified, both Sec. 7216 and the Confidential Client Information Rule limit when and how the information may be disclosed.
Under the Sec. 7216 regulations, a tax return preparer may use tax return information to produce a statistical compilation of data without client consent if the use or disclosure of the compilation relates directly to the internal management or support of the return preparer’s tax return preparation business or to bona fide research or public policy discussions concerning state or federal taxation (Regs. Sec. 301.7216-2(o)). The compilation must be anonymous as to taxpayer identity, and it may not disclose an aggregate figure containing data from fewer than 10 tax returns.
Again, the Confidential Client Information Rule’s requirements are a bit different. Interpretation 1.700.060 observes that threats to compliance with the Confidential Client Information Rule may occur if the CPA complies with a request from a third party to disclose client information in a manner that may result in the disclosure of the client’s information to others, even without the client’s being specifically identified. Furthermore, if the client information is considered confidential, the member would be in violation of the rule unless the client specifically consented, preferably in writing, to the disclosure or use of the information. The consent should specify the nature of the information that may be disclosed, the type of third party to whom it may be disclosed, and its intended use.
Note that this is the only interpretation stating the preference that consent be obtained in writing. Thus, CPAs should be cautious in complying with requests to prepare a compilation of client information. Even if the disclosure would be permissible under Sec. 7216 without client consent, it might not be under Rule 1.700.001.
Implementing the new rule
The revised confidentiality rule in the AICPA code has only recently come into force, and it is yet to be seen how states will react to the revision and the new Conceptual Framework. However, implementing the new rule in most instances should require CPA tax practitioners to make only minor modifications to procedures they already follow to comply with Sec. 7216.
Editor’s note: A version of this article appeared as “AICPA’s Revised Confidentiality Rule, Sec. 7216, and the Tax Professional,” The Tax Adviser , Feb. 2015, page 136.
By Mary L. Blatch, J.D. (mblatch@deloitte.com), a senior manager at Deloitte Tax LLP in Washington and a member of the AICPA Tax Practice Responsibilities Committee.
To comment on this article or to suggest an idea for another article, contact Paul Bonner, senior editor, at pbonner@aicpa.org or 919-402-4434.
