FTC Safeguards Rule and Offshore Accounting: Why Work-From-Home Is a Security Risk
- Florene Simpson
- Feb 9
In recent years, offshore accounting and tax services have become crucial to how CPA and accounting firms run their operations. Shortages in skilled workers, busy seasons with higher workloads, and pressure to cut costs have led firms to move away from relying on in-house staff. At the same time, remote work has grown, both in the U.S. and in offshore locations.
Offshoring by itself is not an issue, but combining it with unmonitored remote work has led to serious risks with both data security and compliance. Many firms believe that as long as tasks are completed and there hasn’t been a data breach, the process is fine. However, under the FTC Safeguards Rule, that belief is no longer accurate.
The Safeguards Rule does not focus on convenience, cost-cutting, or good intentions. It checks if proper security controls exist to safeguard customer data. CPA and accounting firms managing confidential financial and taxpayer details often face issues with unregulated offshore remote work settings that do not meet these standards.
Why CPA and Accounting Firms Are Covered by the FTC Safeguards Rule

The FTC Safeguards Rule comes from the Gramm-Leach-Bliley Act. This law applies to financial institutions that manage private personal information of customers. CPA and accounting firms fit this description because they handle sensitive financial details. They work with tax returns, income information, bank statements, and other personal financial records. This rule applies to all firms, no matter their size.
Smaller or mid-sized firms do not get a pass just because they look different from big banks. Firms that deal with customer financial data must take steps to secure it. Even when firms outsource or send work overseas, they still hold the responsibility. The duty to protect client data stays with the firm that collected it.
Key Expectations of the FTC Safeguards Rule
The Safeguards Rule sets general guidelines but specifies clear requirements for firms to follow. Firms need to create, put into practice, and keep an information security program that matches their size, the complexity of their operations, and the importance of the data they manage.
Written Information Security Program (WISP)
One key part of the Safeguards Rule is having a written information security program, often called a WISP. This document should not just exist on paper. It needs to explain how the firm finds risks to customer data and how it works to guard against those risks. Firms need to keep the program up to date and use it. Firms with offshore teams have to include details in the WISP about offshore access, remote connections, and third-party participation. A vague or outdated policy that does not match actual practices won’t meet the requirements.
Risk Assessment
Firms need to do a risk assessment to find internal and external threats that could harm customer information.
These risks may include:
Unauthorized entry
Sharing information
Loss or damage to data
Misuse by insiders
Failures in technology
Using offshore work models increases these risks. People’s home networks, personal gadgets, and uneven security habits create dangers. Identifying and fixing these threats is crucial. A risk review that skips these areas is not thorough.
Administrative, Technical, and Physical Controls
The Safeguards Rule demands firms set up protections in three key areas.
Administrative measures include creating policies, giving training, setting procedures, and keeping an eye on compliance.
Technical measures involve managing who has access, ensuring proper login methods, encrypting data, and watching for security breaches.
Physical measures focus on securing buildings, limiting access to certain areas, and ensuring device safety.
Covering all three areas is essential for a reliable security setup. A single weak spot can break the whole system.
Why Offshore Remote Work Setups Often Miss the Mark
The Safeguards Rule does not outright ban working from home. Still, offshore remote setups at home often fall short of compliance because of design flaws.
Unprotected or Unstable Networks
Home internet networks are not meant to handle sensitive financial information. Their setup, security features, and reliability can vary. Firms do not oversee how routers are set up, who uses the same network, or if encryption practices meet security standards. From a regulatory view, using unsecured networks brings serious risks, particularly when accessing private customer data.
Usage of Personal Devices
In many offshore work-from-home setups, people often rely on their personal computers to handle job-related tasks. These computers might not have proper security measures like endpoint protection, patch updates, encryption, or centralized management. Firms cannot always ensure security patches are applied, prevent unauthorized software installs, or guarantee that customer information remains off local drives. If someone loses, shares, or compromises a device, the firm might struggle to track or respond to the issue.
Trouble with Oversight and Tracking
A major problem with casual work-from-home arrangements is the lack of proper oversight. The Safeguards Rule requires firms to oversee who accesses customer data and identify unauthorized activities. However, in unregulated environments, companies often fail to do the following:
Keep a record of who viewed certain data
Spot strange or suspicious actions
Review access records
Act fast during incidents
If firms do not monitor and review, they cannot prove they have proper security measures in place, even if there has not been any data breach.
Responsibilities to Oversee Vendors for Offshore Work
The FTC Safeguards Rule states firms need to manage their service providers. This involves the following steps:
Choose service providers who can protect customer data
Establish contracts that mandate security measures
Check the service provider’s security practices regularly
When people perform offshore work in informal or vague setups, meeting these responsibilities becomes challenging. Enforceable contracts might not exist, there might be no written security protocols, and proper oversight can become almost impossible. A regulatory perspective would see the absence of vendor monitoring as a failure to comply with standards.
Geography Does Not Matter, but Controls Do
Many people believe that offshore work is always more dangerous than domestic work. The Safeguards Rule does not recognize this as true. Regulators look at security controls instead of focusing on location. A well-equipped offshore center with strict access, secured devices, monitored systems, and clear policies can meet compliance standards better than a domestic work-from-home setting that lacks these measures. On the flip side, offshore work-from-home setups that depend on trust instead of rules tend to fail no matter where they are based.
What matters most is whether effective safeguards are in place and followed.
How Regulators Define "Reasonable Security"
The Safeguards Rule does not give a fixed list of requirements. Regulators focus on results and proof. They ask key questions to evaluate security.
Did the firm recognize risks it could predict?
Did they put protections in place to manage those risks?
Were service providers checked and supervised?
Could the firm spot and handle security issues?
Does the paperwork show what happens in practice?
It is important to know that regulators do not need a breach to prove non-compliance. If a firm fails to show it has reasonable security measures, not having an incident does not shield it from action being taken.
What Is Driving the Enforcement?
Rules about protecting data are getting stricter in every industry. CPA and accounting firms are facing more pressure for a few key reasons. They are now dealing with a lot more sensitive financial information than ever before. Working remotely and outsourcing have added more places where data can be accessed. Regulators have also noticed many problems caused by weak security systems and bad vendor management.
Now, enforcement has become real. Authorities are asking firms to show proof of their security plans, how they manage vendors, and how they respond to data issues. Firms using casual offshore work-from-home setups often find it hard to provide this proof.
As firms mature their outsourcing governance, documented due diligence covering confidentiality, data security, contractual safeguards, and oversight becomes increasingly important.
MYCPE ONE is an offshore services organization operating in the accounting industry for over a decade, with experience across more than one thousand CPA and accounting firms, and has compliance resources available aligned with IRS, AICPA, and FTC frameworks.
Conclusion
The problem isn't offshore accounting itself. The real challenge comes from offshore work-from-home setups.
The FTC Safeguards Rule pushes firms to choose structured, organized, and well-monitored security measures instead of relying on convenience-driven models. As regulations tighten, firms sticking to casual setups will encounter rising risks to compliance, operations, and reputation.
To succeed with offshoring, firms need proper governance, not guesswork.
Key Points
The FTC Safeguards Rule applies to CPA and accounting firms.
Firms must ensure customer data is protected even when outsourcing work overseas.
Offshore home-based setups often miss necessary security measures.
Watching over vendors is a legal duty, not just a recommended practice.
Regulators look at controls and proof, not intentions or cost-cutting.
Deliberately designed offshore setups are becoming more important for complying with regulations.
FAQs
Does the FTC Safeguards Rule ban remote work-from-home setups?
No, the FTC Safeguards Rule does not ban working from home. It advises firms to use proper administrative, technical, and physical safety measures to keep customer data secure, no matter where employees work. Many home-based setups fail to meet these standards because companies cannot control devices, networks, physical security, or monitoring. Regulators might see a work-from-home model as breaking the rules if the company cannot prove it has the same security as an office space.
What must a firm ensure when third parties handle offshore tasks?
When a firm outsources work overseas, it still retains full responsibility for protecting customer information. The Safeguards Rule says firms need to choose service providers that can offer proper protections, make them agree to those protections in contracts, and check how secure their systems are. Just passing the work to a third party does not remove the firm’s responsibility. Failing to monitor a vendor's actions counts as a compliance failure under FTC standards.
What do regulators mean by “reasonable security” according to the Safeguards Rule?
A firm’s reasonable security depends on its size, its complexity, the type of work it does, and how sensitive the data it works with is. Regulators tend to check if there is a written security program with proper risk evaluations, access restrictions, monitoring tools, incident response plans, and vendor management. They do not wait until a breach happens to take action. Regulators will hold a firm accountable if it cannot show it had proper protections in place.
Do smaller CPA and accounting firms need to follow the same rules as bigger firms?
The Safeguards Rule adapts to a firm's size and complexity, so its requirements should suit how the firm operates. Still, being small does not mean skipping those requirements. Smaller firms need to identify risks, put protections in place, monitor their service providers, and document their security measures. Sometimes, smaller firms face even greater risks because they often rely more on casual outsourcing without strong controls.
Can firms still use offshore outsourcing and follow the rules?
Yes, firms can continue with offshore outsourcing if they do it in a structured, well-managed, and secure way. Successful compliance involves using secure access locations, controlled devices, monitored networks, clear policies, and organized oversight. Firms that focus on proper management and security measures can keep outsourcing offshore while sticking to the FTC Safeguards Rule.
