
In this article

  • Key regulations and implications
  • Sarbanes-Oxley Act (SOX)
  • FTC Safeguards Rule
  • IRS Recordkeeping
  • Gramm-Leach-Bliley Act (GLBA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • FINRA Rules
  • Securities and Exchange Commission (SEC) Rules
  • General Data Protection Regulation (GDPR)
  • New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500)
  • Dodd-Frank Wall Street Reform and Consumer Protection Act
  • Health Insurance Portability and Accountability Act (HIPAA)
  • State-Specific CPA Board Rules
  • SysCloud offers a unified solution to address regulatory requirements

Data Protection and Compliance: A Guide for CPAs and CAS Professionals

4 Dec 2024
7 mins read
Ridhima Gupta
Handling financial data isn't just about balancing the books; it's about navigating a maze of regulations designed to protect sensitive information and maintain trust. For CPAs and finance professionals using popular accounting tools like QuickBooks Online or Xero along with productivity applications such as Microsoft 365, Box or Dropbox, meeting compliance requirements for data retention, data loss prevention, and change tracking can be a daunting task.
For instance:
  • Federal Trade Commission Act (FTC Act): The FTC can levy fines up to $50,120 per violation for unfair or deceptive practices, including inadequate data security.

  • California Consumer Privacy Act (CCPA): Imposes civil penalties up to $2,500 per violation or $7,500 per intentional violation for mishandling consumer data.

  • Health Insurance Portability and Accountability Act (HIPAA): Fines range from $100 to $50,000 per violation, with an annual maximum of $1.5 million for organizations that fail to protect health information.

Ignoring these regulations can lead to serious consequences—especially for smaller firms.

Recently, a Louisiana-based CPA reported a data breach incident that exposed customer names, Social Security numbers, driver’s license numbers, financial account numbers, passport numbers, and medical information. Dealing with such incidents is expensive, on top of the significant erosion of reputation.

According to the Q1 2024 RSM US Middle Market Business Index survey, breaches at smaller middle market firms ($10 million to less than $50 million in revenue) rose to 20% from 12%, and breaches at larger companies ($50 million to $1 billion in revenue) increased to 37% from 28% since last year’s survey.

So, why is data security and compliance so challenging in the finance industry?
  • Multiple tools with different rules: Professionals juggle various SaaS applications, each with its own data management protocols.

  • Diverse data types: Different tools handle different kinds of sensitive information—from financial transactions to client communications.

  • Limited native features: Many accounting platforms lack robust backup and retention capabilities, making it tough to meet regulatory standards.

Navigating this complex environment is tough, but essential. Compliance isn't just about avoiding fines; it's about protecting your clients and your reputation.
This guide aims to shed light on these challenges by highlighting key regulations and real-world cases where firms faced penalties.

Key regulations and implications

Sarbanes-Oxley Act (SOX)

Applicable to:

  • Publicly traded companies: All U.S. public companies and their subsidiaries.

  • Accounting firms: Registered public accounting firms auditing these companies.

  • Management and boards: Executives and board members of these companies.

Scope:

  • Financial statements: Income statements, balance sheets, cash flow statements.

  • Audit reports: Documentation supporting financial audits.

  • Internal communications: Emails and memos related to financial reporting.

  • Transaction records: Detailed logs of financial transactions.

Extract from the law:


(1) Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j–1(a)) applies, shall maintain all audit or review workpapers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded.
The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall— (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

What it means:

Any publicly traded company, its executives, and the accounting firms auditing them must keep audit records for 7 years and have systems to track who made changes to financial data, ensuring accuracy and compliance. Internal controls provide the framework for tracking changes, which officers are required to report in the internal control report. If an employee modifies a financial report, internal controls log who made the change, what was altered, and when. This ensures compliance and creates accountability.

FTC Safeguards Rule

Applicable to:

  • Non-banking financial institutions: Mortgage brokers, payday lenders, finance companies.

  • Professional service providers: Accountants, tax preparers, financial advisors.

  • Other entities: Credit reporting agencies, check-cashing businesses, and companies significantly engaged in financial activities.

Scope:

  • Non-public personal information (NPI): Personally identifiable financial information provided by a consumer to a financial institution, resulting from a transaction, or otherwise obtained by the institution. Examples: Names, addresses, bank account numbers, credit card details, income histories, Social Security numbers.

Extract from law:

You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.
Protect against any anticipated threats or hazards to the security or integrity of customer information.
Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

What it means:

Entities should identify potential risks to customer information and implement measures to mitigate them by ensuring that data is stored securely and regularly backed up, and that any access to or changes in this data are monitored to prevent unauthorized use.

IRS Recordkeeping

Applicable to:

  • Federal, state, and local agencies: Entities that receive FTI for tax administration purposes.

  • Contractors and agents: Third parties engaged by these agencies who have access to FTI.

Scope:

  • Primary account number (PAN), cardholder name issued, expiration date, service code, full magnetic stripe data, CVV, PIN.

Extract from law:

"You must keep your records as long as they may be needed for the administration of any provision of the Internal Revenue Code. Generally, this means you must keep records that support items shown on your return until the period of limitations for that return runs out. The period of limitations is the period of time in which you can amend your return to claim a credit or refund or the IRS can assess additional tax."

"a. Conduct backups of user-level information contained in system documentation, including security-related documentation, weekly;
b. Conduct backups of system-level information contained in the system weekly;
c. Conduct backups of system documentation, including security- and privacy-related documentation, weekly; and
d. Protect the confidentiality, integrity, and availability of backup information."

What it means:

Any government entity or third party involved must ensure that all tax records are backed up daily, that access to these records is logged, and that security systems are regularly tested to prevent unauthorized access.

Gramm-Leach-Bliley Act (GLBA)

Applicable to:

  • Financial institutions: CPAs, wealth advisors, tax preparers, and businesses offering financial products or services.

Scope:

  • Non-public personal information (NPI): Personally identifiable financial information provided by consumers such as names, addresses, bank account numbers, income, credit histories, Social Security numbers.

Extract from the law:

Develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards.

What it means:

CPAs and financial advisors must develop a tailored information security program that identifies risks to customer non-public personal information (NPI) such as Social Security numbers, financial transactions, and credit histories. Key actions include implementing data backup and retention policies, encryption, access controls, incident response protocols, and secure disposal methods.

Payment Card Industry Data Security Standard (PCI DSS)

Applicable to:

  • Financial institutions, service providers, and third-party vendors processing credit card payments.

Scope:

  • Primary Account Number (PAN), cardholder name issued, expiration date, service code, full magnetic stripe data, CVV, PIN.

Extract from the law:

Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:
  • Coverage for all locations of stored account data.
  • Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.
  • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements.
  • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification.
  • Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy.
  • A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable.

Internal vulnerability scans are performed as follows:
  • At least once every three months.
  • Vulnerabilities that are either high-risk or critical (according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
  • Rescans are performed that confirm all high-risk and all critical vulnerabilities (as noted above) have been resolved.
  • Scan tool is kept up to date with latest vulnerability information.
  • Scans are performed by qualified personnel and organizational independence of the tester exists.

What it means:

Any institution that accepts credit card payments must ensure that customer card information is stored securely, retained only for as long as necessary, monitored for access and changes, and subjected to regular security checks to prevent data breaches.

FINRA Rules

Applicable to:

  • Broker-dealers: Firms engaged in buying and selling securities on behalf of clients or for their own accounts.

  • Registered representatives: Individuals licensed to act as brokers or dealers.

Scope:

  • Customer account information: Personal details, transaction histories, and communications.

  • Financial transactions: Records of trades, settlements, and related financial activities.

  • Communications: Emails, instant messages, and other forms of correspondence related to business operations.

Extract from the law:

(a) Members shall make and preserve books and records as required under the FINRA rules, the Exchange Act and the applicable Exchange Act rules.
(b) Members shall preserve for a period of at least six years those FINRA books and records for which there is no specified period under the FINRA rules or applicable Exchange Act rules.
(c) All books and records required to be made pursuant to the FINRA rules shall be preserved in a format and media that complies with SEA Rule 17a-4.
Each member shall conduct a review, at least annually (on a calendar-year basis), of the businesses in which it engages. The review shall be reasonably designed to assist the member in detecting and preventing violations of, and achieving compliance with, applicable securities laws and regulations, and with applicable FINRA rules. Each member shall review the activities of each office, which shall include the periodic examination of customer accounts to detect and prevent irregularities or abuses. Each member shall also retain a written record of the date upon which each review and inspection is conducted.

What it means:

Any brokerage firm must keep detailed records of all client transactions, store them securely to prevent tampering, monitor employee communications for compliance, conduct annual reviews of their practices, and retain these records for at least six years.

Securities and Exchange Commission (SEC) Rules

Applicable to:

  • Broker-dealers: Firms buying and selling securities on behalf of clients or for their own accounts.

  • Investment advisers: Individuals or firms providing advice about securities investments.

  • Public companies: Corporations with publicly traded securities.

  • Self-regulatory organizations (SROs): Entities like FINRA overseeing certain aspects of the securities industry.

Scope:

  • Financial statements: Balance sheets, income statements, and cash flow statements.

  • Transaction records: Documentation of trades, purchases, sales, and other financial activities.

  • Communications: Emails, instant messages, and other correspondences related to business operations.

  • Client Information: Personal and financial details of clients and investors.

Extract from the law:

Every member, broker or dealer subject to § 240.17a-3 must preserve for a period of not less than three years, the first two years in an easily accessible place.
Preserve the records exclusively in a non-rewriteable, non-erasable format.
At all times have available, for examination by the staffs of the Commission, the self-regulatory organizations of which the member, broker, or dealer is a member, or any State securities regulator having jurisdiction over the member, broker, or dealer, facilities for immediately producing the records preserved by means of the electronic recordkeeping system and for producing copies of those records.

What it means:

A brokerage firm must back up client transaction records in secure, non-editable formats, retain them for at least three years (two years in an easily accessible location), and ensure data can be immediately recovered for regulatory or operational needs.

General Data Protection Regulation (GDPR)

Applicable to:

  • All organizations processing personal data of individuals within the EU, regardless of the organization's location.

  • This includes financial institutions, CPAs, accountants, bookkeepers, brokerage services, and any other entities handling personal data.

Scope:

  • Names and contact details (e.g., email addresses, phone numbers).

  • Identification numbers (e.g., social security numbers).

  • Online identifiers (e.g., IP addresses).

  • Financial information (e.g., bank account details).

  • Health records.

Extract from the law:

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

What it means:

A financial institution must store client data securely, keep it only as long as needed for financial services, regularly back up the data, monitor any changes to it, and periodically test their security systems to prevent data breaches.

New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500)

Applicable to:

  • Financial services companies licensed under NYDFS, including CPAs and wealth advisors in New York.

Scope:

  • Non-public information (NPI): Business-related information, personal identifiers, financial data.

Extract from the law:

"Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts; (3) detect Cybersecurity Events; (4) respond to identified or detected Cybersecurity Events to mitigate any negative effects; (5) recover from Cybersecurity Events and restore normal operations and services; and (6) fulfill applicable regulatory reporting obligations."

What it means:

The NYDFS Cybersecurity Regulation requires covered entities to implement a risk-based cybersecurity program, ensure governance oversight, secure data through controls like encryption and MFA, manage third-party risks, report incidents within 72 hours, and maintain audit trails for five years. Annual compliance certification is also required.

Dodd-Frank Wall Street Reform and Consumer Protection Act

Applicable to:

  • Wealth or investment advisers.

Scope:

  • Financial records and reports: Documentation related to financial transactions and consumer financial products or services.

Extract from the law:

17 CFR § 275.204-2(e)(1) - Books and records to be maintained by investment advisers.

All books and records required to be made under the provisions of paragraphs (a) to (c)(1)(i), inclusive, and (c)(2) of this section (except for books and records required to be made under the provisions of paragraphs (a)(11), (a)(12)(i), (a)(12)(iii), (a)(13)(ii), (a)(13)(iii), (a)(16), and (a)(17)(i) of this section), shall be maintained and preserved in an easily accessible place for a period of not less than five years from the end of the fiscal year during which the last entry was made on such record, the first two years in an appropriate office of the investment adviser.

What it means:

Wealth advisers must adhere to the Dodd-Frank-enhanced SEC rules by maintaining accurate records of transactions, communications, and financial advice for at least five years, implementing systems to track data changes, and establishing robust business continuity and cybersecurity plans.

Health Insurance Portability and Accountability Act (HIPAA)

Applicable to:

  • CPAs, CAS providers, and wealth advisers handling Protected Health Information (PHI) as Business Associates.

Scope:

  • Protected health information (PHI): Individually identifiable health information.

Extract from the law:

Covered entities and business associates must retain required documentation—such as policies, procedures, and assessments—for six years from the date of creation or when it was last in effect, whichever is later.

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Establish and implement contingency plans, including data backup and disaster recovery plans, to ensure the availability of ePHI during emergencies.

What it means:

Business associates handling PHI under HIPAA must sign Business Associate Agreements (BAAs) with covered entities, implement administrative, physical, and technical safeguards to protect PHI, and retain compliance documentation for six years. They must track and log PHI activity, report breaches within 60 days, train staff on HIPAA requirements, and establish contingency plans for data backup and recovery. Use and disclosure of PHI must be limited to what is necessary, and any non-compliance must be reported to the covered entity.

State-specific CPA board rules

Applicable to:

  • CPAs licensed in all US states along with those registered in District of Columbia, Puerto Rico, the U.S. Virgin Islands, Guam, the Northern Mariana Islands, and American Samoa.

Scope:

  • Client records and work papers: Documentation related to professional services – billing, client communication, audit and services-related records.

Extract from the law:

The following are extracts from the Texas Administrative Code as an example:

A record listed in the Texas State Records Retention Schedule (Revised 5th Edition) must be retained for the minimum retention period indicated by any state agency that maintains a record of the type described.
Ensure that electronic state records remain accessible, accurate, authentic, reliable, legible, and readable for the duration of the retention period.
Ensure that all electronic state records are protected from unauthorized alteration or erasure.

What it means:

Most State Boards typically require records to be retained for 5 to 7 years, depending on the jurisdiction and type of engagement (e.g., audits may require longer retention). For tax-related services, CPAs may also need to follow IRS guidelines, which recommend a 7-year retention period for some records.

SysCloud offers a unified solution to address regulatory requirements

SysCloud offers CPAs, Investment Advisers, and CAS providers a unified platform to secure critical SaaS data that:
  • Ensures adequate data retention

  • Monitors the presence of sensitive information*

  • Detects ransomware files or ransomware encrypted files*

  • Tracks data changes or unusual financial data entries*

  • Provides insights on excessive data sharing or possible data loss events*

With SysCloud, CPAs, CAS providers, and wealth advisers get a single pane of glass to administer data protection for all SaaS applications that are critical to their workflows – QuickBooks Online, Xero, OneDrive, SharePoint, Google Drive, Shared Drives, Outlook, Gmail, Teams, Slack, and Box.
SysCloud has implemented robust security practices to securely preserve an air-gapped and immutable copy of the SaaS data on fault-tolerant AWS storage instances in the US and 6 other countries to meet any local data residency requirements.

To learn more about SysCloud, contact us or start a 30-day free trial.

*To be released in Q1 2025
