Lesson 6: AICPA Confidentiality Rule (ET §1.700.001)
The professional ethics layer that goes further than §7216
Learning Objectives
After completing this lesson, you will be able to:
- Explain how the AICPA confidentiality rule differs from §7216 in scope and application
- Describe the third-party service provider interpretation and what it requires
- Apply the threat/safeguards analysis to an AI vendor scenario
- Identify how Georgia incorporates AICPA standards into the CPA license
- Describe the AICPA's current position on AI as of 2026
What the AICPA Confidential Client Information Rule Covers
AICPA Code of Professional Conduct §1.700.001 provides:
"A member in public practice shall not disclose any confidential client information without the specific consent of the client."
The scope of this rule is broader than §7216 in one critical respect: it covers "confidential client information", defined as "any information obtained from the client that is not available to the public", not just "tax return information." This means:
- Financial statements you prepare for a non-tax engagement
- Business strategy discussions
- Client communications about litigation
- Personal financial information provided in a non-tax context
- Information about a client that was not furnished for return preparation
A CPA who uses a cloud AI tool to process client information from any professional engagement, not just tax return preparation, is subject to ET §1.700.001.
The Third-Party Service Provider Interpretation (Interpretation 1.700.040)
This interpretation directly addresses cloud vendors and outside services. It provides, in substance:
When a member uses a third-party service provider (TPSP) to assist in providing professional services, threats to compliance with the Confidential Client Information Rule may exist. Before disclosing confidential client information to a TPSP, the member should either:
1. Enter into a contractual agreement with the TPSP to maintain confidentiality and provide reasonable assurance of appropriate procedures to prevent unauthorized release; or
2. Obtain specific consent from the client before disclosing information to the TPSP.
Key distinction from §7216: The AICPA rule does not have the same elaborate exceptions framework as §7216. Instead, it uses a threat/safeguards conceptual framework: the question is whether threats to compliance can be reduced to an acceptable level through safeguards.
What counts as adequate safeguards under Interpretation 1.700.040:
- A written contractual agreement with the AI vendor requiring confidentiality
- Reasonable assurance that the vendor has appropriate security procedures
- Monitoring the vendor's compliance
✅ COMPLIANCE NOTE: An AI vendor with a signed DPA that includes robust confidentiality and security commitments may satisfy the AICPA requirements even if the §7216 auxiliary service exception analysis is uncertain. These are independent standards; you need to satisfy both.
The "Hosting Services" Analogy
The AICPA has addressed cloud hosting services through ethics guidance that provides a useful analogy for AI tools. When a CPA uses a cloud-based practice management system, document storage service, or cloud accounting platform, the CPA is using a TPSP that has access to client data. The AICPA's position has been that:
- The CPA remains responsible for client confidentiality regardless of the technology used
- A contractual agreement with the vendor is the preferred safeguard
- The CPA must evaluate whether the vendor's practices provide reasonable assurance of confidentiality
- If the vendor cannot provide adequate assurance, the CPA must obtain client consent
The analogy to AI tools is direct: substituting "AI vendor" for "cloud hosting vendor" does not change the fundamental analysis. The CPA remains responsible. Adequate safeguards are required. The vendor's contract terms must be reviewed.
The Threat/Safeguards Analysis
The AICPA conceptual framework approach requires practitioners to:
Step 1: Identify the threats. Using an AI vendor creates threats including: unauthorized disclosure of client data by the vendor, vendor use of data for training purposes, data breach at the vendor, inadequate vendor security, and scope creep in how the vendor uses data.
Step 2: Assess significance. Are these threats significant? For most cloud AI tools, the threats are significant: the data is valuable, breaches have occurred at major tech companies, and some vendors have terms permitting training on user data.
Step 3: Apply safeguards. Safeguards include:
- Contractual confidentiality and no-training clauses
- Data processing agreements with specific security standards
- US-only data residency provisions
- Vendor security certifications (SOC 2 Type II)
- Client notification and consent
- Regular vendor review
Step 4: Evaluate residual risk. If safeguards reduce threats to an acceptable level, you are in compliance. If you cannot reduce the threats to an acceptable level, you must obtain client consent or not use the tool.
How ET §1.700.001 Interacts With §7216: Independent Obligations
A critical principle: satisfying §7216 does not satisfy ET §1.700.001, and vice versa. These are independent obligations from separate regulatory frameworks.
Example: You obtain a valid §7216 disclosure consent from a business client for use of Microsoft 365 Copilot. The consent covers the tax return information. However, you also use Copilot to draft financial statements for that same client from non-tax engagement data. The §7216 consent covers only tax return information; the financial statement data is covered by ET §1.700.001, which requires either a contractual safeguard with Microsoft or a separate consent.
Example: The auxiliary service exception under §301.7216-2(d) may apply to a document scanning vendor, eliminating the §7216 consent requirement. But the AICPA's Interpretation 1.700.040 still requires either a confidentiality agreement with the scanning vendor or client consent. The §7216 exception does not carry over to the AICPA rules.
The AICPA's Current Position on AI (as of 2026)
As of June 2026, the AICPA has taken the following positions on AI:
- The AICPA has not issued a standalone AI ethics interpretation specifically addressing how ET §1.700.001 applies to generative AI tools.
- The AICPA has stated that existing ethics standards, including Interpretation 1.700.040 on third-party service providers, apply to AI tool use, because AI vendors are TPSPs.
- The AICPA's Technology & Business Solutions Committee has published educational content on AI in accounting practice, but these materials are not authoritative ethics standards.
- The revised SSTS (effective January 1, 2024) address reliance on tools, including AI (covered in Lesson 7), but address professional standards rather than confidentiality per se.
⚠️ GUIDANCE GAP: The AICPA has not issued an official interpretation specifically addressing how the conceptual framework applies when a client's confidential information is processed by an AI model. The AICPA's position is that existing guidance (TPSP interpretation) applies, but practitioners are operating without AI-specific AICPA ethics guidance as of June 2026.
Georgia Rule 20-12-.19: AICPA Standards Incorporated
Georgia Rule 20-12-.19 provides:
"In the performance of services in the practice of public accountancy for which standards have been established by the American Institute of Certified Public Accountants or by other entities having similar generally recognized authority, a licensee shall conform to such standards."
Tax services are specifically listed as subject to this rule. This means that the AICPA Code of Professional Conduct, including ET §1.700.001, is part of your CPA license obligations in Georgia. Violating the AICPA confidentiality rule is not merely a professional ethics matter; it is a violation of the Georgia State Board of Accountancy rules that can result in license suspension or revocation.
Georgia Rule 20-12-.11: Independent Confidentiality Duty
Georgia Rule 20-12-.11 provides a separate, independent confidentiality obligation:
"A licensee shall not without the consent of his or her client disclose any confidential information pertaining to his or her client obtained in the course of performing professional services."
This rule applies to all confidential information, not just tax return information. It is broader than §7216, parallel to the AICPA rule, and independently enforceable by the Georgia State Board of Accountancy. Note that the rule also:
- Does not relieve a licensee of obligations under other Board rules
- Does not prevent disclosure in a quality review
- Does not prevent responding to Board inquiries
Key Takeaways
- ET §1.700.001 covers all "confidential client information" (any non-public information from the client), which is broader than §7216's "tax return information."
- Interpretation 1.700.040 requires that before you share client information with a TPSP (including an AI vendor), you must either have a contractual confidentiality agreement with the vendor or obtain client consent.
- These are independent obligations: satisfying §7216 does not satisfy the AICPA rules, and vice versa. Both must be satisfied.
- Georgia Rule 20-12-.19 incorporates AICPA standards into the CPA license, making AICPA ethics violations also Georgia Board violations.
- Georgia Rule 20-12-.11 creates an independent state confidentiality duty applying to all confidential client information.
Quick Review
Q1: A CPA obtains a valid §7216 consent for disclosing a client's tax return information to an AI vendor. Must the CPA also comply with ET §1.700.001?
Answer: Yes. The §7216 consent satisfies one obligation but not the other. The CPA must also either have a contractual confidentiality agreement with the AI vendor under Interpretation 1.700.040 or obtain specific client consent for AICPA purposes. In practice, a well-drafted §7216 consent that also addresses AICPA confidentiality concerns may serve both purposes, but the CPA must consciously address both frameworks.
Q2: A CPA prepares financial statements for a client, with no tax services involved. The CPA uses an AI drafting tool to help write the MD&A section, pasting in the client's revenue and expense data. Does §7216 apply?
Answer: No. §7216 covers tax return information, and this data was not furnished in connection with return preparation. However, ET §1.700.001 applies to all confidential client information, so the CPA must ensure either a contractual agreement with the AI vendor or specific client consent before using the tool.
Q3: A CPA firm in Georgia uses a cloud AI vendor with a signed DPA but has not obtained individual client consent for AI use. A client complains to the Georgia State Board of Accountancy that their information was shared with an AI company without their knowledge. What rules are potentially at issue?
Answer: The following rules are potentially at issue: (1) Georgia Rule 20-12-.11 (independent confidentiality duty: disclosure of confidential information without consent); (2) ET §1.700.001 as incorporated by Georgia Rule 20-12-.19; (3) IRC §7216/§6713 (if tax return information was disclosed without consent or a valid exception). The DPA is relevant evidence of safeguards under Interpretation 1.700.040, but the absence of client consent or notification may still constitute a violation of Rule 20-12-.11's consent requirement.
Q4: The AICPA has not issued an AI-specific ethics interpretation as of June 2026. Does this mean AI use with client data is unregulated under AICPA ethics standards?
Answer: No. The AICPA's position is that existing Interpretation 1.700.040 (third-party service providers) applies to AI tools. The absence of an AI-specific interpretation does not create a safe harbor. AI vendors are TPSPs, and the TPSP interpretation applies.