AICPA’s Revised Confidentiality Rule, Sec. 7216, and the Tax Professional

Six years ago new regulations under Sec. 7216 went into effect that reworked how CPAs in tax practice obtain consent from clients to disclose their tax return information (see Regs. Secs. 301.7216-1 through 301.7216-3). While AICPA Code of Professional Conduct Rule 301, Client Confidential Information, long required CPAs to obtain client consent before disclosing client confidential information (prior to recent amendments to the AICPA code), the Sec. 7216 regulations have much more stringent requirements for how that consent must be obtained, especially for individual taxpayers.

The general thought was that if CPAs were complying with Sec. 7216, they were complying with the AICPA rule. The recently revised AICPA code includes a new Confidential Client Information Rule under Section 1.700.001, which expands the guidance on this topic. Although compliance with Sec. 7216 will generally lead to compliance with the Confidential Client Information Rule, now is an opportune time to examine some of the differences between the standards. Practitioners are encouraged to assess their internal operating practices to determine whether they comply with both rules.

New AICPA Code Rule 1.700.001, Confidential Client Information Rule

Circular 230, Regulations Governing Practice Before the Internal Revenue Service (31 C.F.R. Part 10), contains no requirements for maintaining client confidentiality. Nor do the AICPA Statements on Standards for Tax Services contain guidance about client confidentiality. The lack of tax-specific ethical guidance meant that for CPAs in tax practice, the primary ethical guidance on privacy and confidentiality was Rule 301, Confidential Client Information , of the unrevised AICPA code. Rule 301 was also incorporated into the ethics codes of many state CPA societies. The AICPA's recently revised code includes the same basic rule on client confidentiality, but it greatly expands the interpretations under the rule. The revised AICPA code went into effect on Dec. 15, 2014.

Former Rule 301 stated that "a member in public practice shall not disclose any confidential client information without the specific consent of the client," but the rule did not state the method by which consent was to be obtained. However, Rule 391, Ethics Rulings on Responsibilities to Clients, suggests that the consent be in writing (see Interpretation 391-2, "Disclosure of Client Information to Third Parties"). Former Rule 301 provided exceptions to the consent requirement for complying with Rule 202, Compliance With Standards, and Rule 203, Accounting Principles; complying with a valid subpoena, summons, or applicable statutes and government regulations; the review of a member's professional practice under AICPA or state CPA authority; or initiating or responding to a complaint of a professional ethics organization. One interpretation under the rule regarding confidential information and the purchase, sale, or merger of a practice stated that client consent is not required in connection with a review of client confidential information that occurs in connection with the purchase, sale, or merger of a practice. The member, however, should take appropriate precautions (i.e., use nondisclosure agreements) to protect against the prospective purchaser's disclosing confidential information.

New Rule 1.700.001 did not change former Rule 301 and maintained the existing exceptions. However, the revised AICPA code includes 11 interpretations under the rule to provide further guidance on confidentiality issues. These interpretations are largely based on ethics rulings made under the former code. The interpretations include:

• 1.700.005, "Application of the Conceptual Framework for Members in Public Practice and Ethical Conflicts";
• 1.700.010, "Client Competitors";
• 1.700.020, "Disclosing Information From Previous Engagements";
• 1.700.030, "Disclosing Information to Persons or Entities Associated With Clients";
• 1.700.040, "Disclosing Information to a Third-Party Service Provider";
• 1.700.050, "Disclosing Client Information in Connection With a Review of the Member's Practice";
• 1.700.060, "Disclosure of Client Information to Third Parties";
• 1.700.070, "Disclosing Client Information During Litigation";
• 1.700.080, "Disclosing Client Information in Director Positions";
• 1.700.090, "Disclosing Client Names"; and
• 1.700.100, "Disclosing Confidential Client Information as a Result of a Subpoena or Summons."

The first interpretation under the Confidential Client Information Rule (Interpretation 1.700.005) addresses the use of the new "Conceptual Framework" that is incorporated into the revised AICPA code. Members use the Conceptual Framework to identify, evaluate, and address threats to compliance with the ethics rules resulting from a specific relationship or circumstance not addressed in the code. The Conceptual Framework is not effective until Dec. 15, 2015, but early adoption is encouraged.

Notably, the Conceptual Framework requires members to evaluate whether "safeguards" can be applied to mitigate the threat of noncompliance with the AICPA code. Once the Conceptual Framework is effective, a member will be considered to have violated the Confidential Client Information Rule if the member cannot demonstrate that safeguards were applied to eliminate or reduce significant threats to an acceptable level (see Interpretation 1.700.005). Revised AICPA code Rule 1.000.010, Conceptual Framework for Members in Public Practice, provides additional guidance on how the Conceptual Framework operates and how to evaluate threats and apply safeguards.This mandate to apply safeguards should give members pause—an unauthorized data breach could certainly represent a threat of noncompliance with the Confidential Client Information Rule. Members should consider whether they have taken steps to ensure that their data security systems and processes for managing client information are up-to-date and enforced.

The basic tenet of the Confidential Client Information Rule is that a member must obtain consent to disclose a client's confidential information. This requirement is not new, and certainly members in tax practice should already be obtaining client consent before disclosing tax return information to third parties, as required under Sec. 7216. However, it is important to understand the different categories of information these two standards address.

Rule 1.700.001 applies to confidential client information, which is defined in the AICPA code as any information obtained from the client that is not available to the public. Sec. 7216 applies to tax return information, which is any information that is furnished for, or in connection with, the preparation of a return (or amended return) of income tax imposed under chapter 1 of the Internal Revenue Code. Tax return information may be publicly available—but it would still be protected as tax return information by virtue of its being supplied as part of a tax return engagement.

It is conceivable that a CPA could have client information subject to the Confidential Client Information Rule that is not covered by Sec. 7216. Assume a CPA performs nontax services for a tax return compliance client—for example, preparing financial statements for a nonpublic entity. The client has already given a consent under Sec. 7216 for its tax return to be disclosed to the bank, but the bank is now requesting the financial statements. The financial statements are not considered tax return information and would therefore not be covered by a standard Sec. 7216 consent. To comply with the ethical duty of confidentiality, the CPA must obtain additional consent from the client before disclosing the financial statements to the bank.

One of the IRS's motivations for revising the regulations under Sec. 7216 in 2009 was the increasing use of outsourcing, both domestic and international, by tax return preparers. In requiring consent for most types of disclosures of tax return information, Sec. 7216 essentially requires clients to consent to the use of third-party service providers. However, there is an exception for third-party service providers that provide "auxiliary services" to tax return preparers in connection with the preparation of tax returns.

The framework under Sec. 7216 considers these providers to be "preparers" subject to Sec. 7216 by virtue of the nature of the services provided. A disclosure to an auxiliary service provider, if it is located in the United States, does not require additional consent under Sec. 7216 so long as the services provided are not substantive determinations or advice affecting the tax liability of taxpayers (Regs. Sec. 301.7216-2(d)). In addition, while a tax return preparer is required to notify a "contractor" (defined as a service provider that is providing services such as the programming, maintenance, repair, testing, or procurement of equipment or software used for purposes of tax return preparation) of its obligations to not disclose tax return information, there is no such requirement under Sec. 7216 for the tax return preparer to notify the auxiliary service provider of the requirements of Sec. 7216 regarding the disclosure of tax return information (Regs. Sec. 301.7216-2(d)).

The approach under the Confidential Client Information Rule is slightly different. The rule has an interpretation that addresses client confidentiality and the use of third-party service providers (TPSPs). Interpretation 1.700.040 starts with the premise that when a member uses a TPSP to assist the member in providing professional services, threats to compliance with the Confidential Client Information Rule may exist. The interpretation observes that clients may not expect the member to use a TPSP to assist the member in providing professional services. Therefore, before disclosing confidential client information to a TPSP, the member should either enter into a contractual agreement with the TPSP to maintain the confidentiality of the information and provide reasonable assurance that the TPSP has appropriate procedures in place to prevent the unauthorized release of confidential information to others, or the member should obtain specific consent from the client before disclosing the confidential client information to the TPSP. Thus, in cases involving disclosure of client information to an entity that would be considered an auxiliary service provider under the Sec. 7216 regulations, members must determine whether the auxiliary service provider also is a TPSP and what steps must be taken to satisfy the standards under this interpretation.

The issue of disclosing aggregated or anonymous client data may arise when a CPA receives a request from a third party such as a trade association or a surveying or benchmarking organization to disclose client information. Even if the information is presented in a manner in which the specific clients cannot be identified, both Sec. 7216 and the Confidential Client Information Rule limit when and how the client's information may be disclosed.

Under the Sec. 7216 regulations, a tax return preparer may use tax return information to produce a statistical compilation of data if the use or disclosure of the compilation relates directly to the internal management or support of the return preparer's tax return preparation business or to bona fide research or public policy discussions concerning state or federal taxation (Regs. Sec. 301.7216-2(o)). The compilation must be anonymous as to taxpayer identity, and it may not disclose an aggregate figure containing data from fewer than 10 tax returns. If the form and use of a compilation of taxpayer information does not meet these requirements, Sec. 7216 requires taxpayers to consent to the compilation and its disclosure.

Again, the requirements under the Confidential Client Information Rule are a bit different. Interpretation 1.700.060 observes that threats to compliance with the Confidential Client Information Rule may occur if the CPA complies with a request from a third party to disclose client information in a manner that may result in the disclosure of the client's information to others without the client's being specifically identified. The interpretation further states that if the information would be considered confidential client information, the member would be in violation of the rule if the member discloses the information without the client's specific consent, preferably in writing, for the disclosure or use of the information. The consent should specify the nature of the information that may be disclosed, the type of third party to whom it may be disclosed, and its intended use.

It is interesting to note that this is the only interpretation stating the preference that consent be obtained in writing. Thus, CPAs should be cautious in complying with requests to prepare a compilation of client information—even if the disclosure would be permissible under Sec. 7216 without client consent, it may not be under Rule 1.700.001.

The revised confidentiality rule in the AICPA code has only recently come into force, and it is yet to be seen how states will react to the revision and the new Conceptual Framework. However, implementing the new rule in most instances should require only minor modifications to procedures already being followed to comply with Sec. 7216.