Most firms file Section 7216 under “offshore staffing,” deal with it once, and move on. We think that filing is wrong. Here is our position, plainly: every modern firm runs on cloud software, which means tax return information routinely touches third-party systems. Tax prep platforms, document portals, e-signature tools, practice management, backup. The moment that is true, 7216 discipline belongs in every engagement, not just in firms with staff overseas.
What the statute actually says
IRC Section 7216 makes it a crime for a preparer to knowingly or recklessly disclose tax return information, or to use it for any purpose other than preparing the return, outside the permitted exceptions. It is a misdemeanor, punishable by a fine of up to $1,000 per violation, or $100,000 in cases tied to identity theft, up to one year of imprisonment, or both. Section 6713 adds a civil penalty of $250 per improper disclosure or use, capped at $10,000 per year, with higher amounts in identity-theft cases. Nothing in any of that mentions geography.
The nuance most summaries flatten
The regulations draw a line that matters, and it is not “get one consent and you're fine.” Under Treas. Reg. 301.7216-2, a meaningful set of disclosures is permitted without consent because they are part of preparing the return: disclosures to your own staff in the United States, to U.S.-based contractors maintaining your systems (with written notice of the 7216 and 6713 penalties), and to other U.S. preparers or processors performing preparation or auxiliary services. Disclosures to the IRS and under court order are also permitted. This is why using mainstream U.S.-hosted tax software does not, by itself, trigger a consent requirement.
Written consent under Treas. Reg. 301.7216-3 is for everything outside that lane: using return information to offer services other than tax preparation, disclosing it to third parties for non-preparation purposes, and disclosing it to preparers located outside the United States. Consent must come before the disclosure or use, never after. You generally may not condition your preparation services on getting it, with a narrow exception for disclosures to another preparer assisting with the return. And a U.S. preparer faces specific restrictions on sending a taxpayer's Social Security number to a preparer outside the United States.
Consents for 1040 clients have a prescribed form
For Form 1040 series taxpayers, the IRS prescribes the format in Rev. Proc. 2013-14. The short version: each consent must be a separate written document, on paper or electronic, and it may be furnished as an attachment to an engagement letter. Paper consents must be in at least 12-point type with all text on the page pertaining solely to that consent. Every consent must include specific mandatory statements, word for word, including the line that federal law requires the form and the statement telling the taxpayer how to contact the Treasury Inspector General for Tax Administration. Consents to disclose and consents to use must be separate documents. Multiple disclosures can share one consent only if the taxpayer can affirmatively select each one. And if the consent does not state a duration, it is valid for one year from the date the taxpayer signs.
Notice what that means: a sentence buried in your engagement letter is not a 7216 consent for a 1040 client. It fails the separate-document requirement and the mandatory language before you even reach the signature.
So what belongs in the engagement letter?
A pointer, not a substitute. Use the engagement letter to set expectations and describe your consent practice, then deliver any required consent as its own conforming document. Here is one way to say it:
SAMPLE. For discussion with your attorney, not for use as-is.
Confidentiality of your tax return information. Federal law (IRC Section 7216) limits how we may use and disclose your tax return information. We use it to prepare and file your returns, and we disclose it only as the law permits without your consent, such as to our personnel and U.S.-based service providers who assist in preparing your return. If we ever wish to use your information for any other purpose, or disclose it to any other party, we will first ask for your written consent on a separate consent form that meets IRS requirements, and you are free to decline. This letter is not that consent and does not replace it.
Two cautions. First, have your attorney review any version of this before it goes into your template; your services and your state may require different language. Second, the point of the paragraph is the last sentence: an engagement letter clause does not replace a conforming 7216 consent where one is required. It just makes sure your clients are never surprised when one shows up.
What 7216 discipline looks like in practice
Inventory every system that touches tax return information, and keep the list current. For each vendor, know whether the data flow fits a permitted category or needs consent. Train staff that “use” is as regulated as “disclosure,” so return data never feeds a marketing list or an unvetted tool by habit. Keep signed consents organized, and calendar their expiration. None of this is hard. It just has to be written down and enforced, which is the same discipline the FTC Safeguards Rule already demands of your firm. At Tech Guru, that is the work we do every week: we write WISPs aligned to the Safeguards Rule and IRS Publication 4557, and we configure firms' systems so the policies, including 7216 handling, actually run.
This article is educational content, not legal advice, and the sample language above is illustrative only. Have your attorney review any firm-specific engagement letter or consent language before you use it.
