You are three returns behind and a client's K-1 has a passthrough entry you want a second opinion on. So you paste the schedule into ChatGPT and ask it to explain the basis adjustment. Stop. That single paste can be a disclosure of tax return information under IRC Section 7216, a criminal statute, and a breach of your AICPA confidentiality duty. The model never needed the client's name. The figures, the Social Security number, and the nature of the business were already enough.
Most coverage of AI in accounting frames the risk as accuracy. The model hallucinates, so check its math. That misses the bigger exposure. Your compliance problem is not the output. It is the input. The moment client data leaves your firm and lands on a third party's servers, you have made a disclosure, whether or not the answer that comes back is correct.
Pasting a return into ChatGPT is a disclosure to a third party
Section 7216 makes it a crime for a tax return preparer to knowingly or recklessly disclose or use any tax return information for a purpose other than preparing the return, absent the taxpayer's consent. The term "tax return information" reaches far. It covers any information the preparer obtains in connection with preparing a return: income figures, deductions, the client's identity, even a draft schedule. Type that into a public AI tool and you have shared it with the tool's owner. The CNA risk control guidance distributed through the AICPA Member Insurance Programs states it without softening: when data is entered into a generative AI tool, "you are sharing that data with the AI tool's owners."
The statute carves out no exception for "I only wanted help reasoning through it." Disclosure is disclosure. A machine recipient instead of a human one does not change the analysis, because the data still reaches the company that runs the machine.
What counts as tax return information is wider than you think
Preparers often assume the danger is only the obvious identifiers: the name, the Social Security number, the address. The regulatory definition runs much broader. Tax return information includes any information the preparer derives or receives in connection with preparing a return, including the taxpayer's identity, the nature of their business, their income, and even your own working notes about the engagement. A redacted schedule with the name blacked out can still be tax return information if the figures and circumstances came from the return. De-identifying helps. It does not automatically make a paste safe.
Take a realistic example. You upload a profit-and-loss statement so the model can flag unusual ratios, then ask it to draft a memo. You never typed the client's name. You still disclosed the client's financial detail to the provider, and the draft memo now also sits in your chat history. Two disclosures from one task. The convenience is real. So is the trail it leaves behind.
Under Section 7216, the compliance event is the paste, not the answer. The data left your firm the moment you hit enter.
The penalty is criminal, and it stacks per violation
A Section 7216 violation is a misdemeanor carrying a fine of up to $1,000 or imprisonment of up to one year, or both, plus the costs of prosecution. That is per violation. So a habit of pasting client data across a busy season is not one exposure but many. Where the disclosure connects to identity theft, the criminal fine can rise to $100,000. A parallel civil penalty under Section 6713 adds $250 for each prohibited disclosure, capped at $10,000 a calendar year, and that one needs no proof of knowledge or recklessness at all.
Criminal exposure is the headline. It is rarely the first thing that bites. The likelier consequence is a malpractice claim, a state board complaint, or a client who walks and tells everyone why. The fine is small. The damage to a firm built on trust is not. And here is what most AI-in-accounting pieces leave out: a ChatGPT conversation carries no preparer-client privilege, so a chat log full of client figures is discoverable and subpoenable in a way your locked file room is not.
Adoption pressure makes this urgent rather than theoretical. AI use across accounting and tax firms has climbed sharply, and the features now sit inside software many preparers already touch daily. The riskiest behavior, a quick paste into a consumer chatbot, is also the easiest and most tempting one. Your policy has to move faster than the habit, because by the time a disclosure is noticed it has already happened.
AICPA confidentiality rules apply even where Section 7216 might not
Section 7216 binds tax return preparers. The AICPA Confidential Client Information Rule, section 1.700.001 of the Code of Professional Conduct, binds every member in public practice across all engagements, not just tax. It says a member shall not disclose confidential client information without the client's specific consent. An advisory engagement, an audit working paper, or a financial model that never touches a 1040 is still covered. Pasting any of it into a public model is the same kind of disclosure.
The rule has teeth in a way that catches firms off guard. A member is treated as in violation if they cannot demonstrate that safeguards were applied to reduce the threat to confidentiality to an acceptable level. You may have to prove your controls existed. "We told staff not to do that" is far weaker than a documented policy plus a tool that keeps the data inside the firm.
Why the free consumer tier is the trap
The exposure is not "AI" in the abstract. It is the default consumer chatbot. On free and standard consumer tiers, providers may retain inputs and use them to train future models, depending on the settings and the terms in force. The CNA guidance tells firms to take the same care with anything shared with a generative AI tool as they would posting on a public site like social media, and to prohibit sharing confidential client or firm information with these tools altogether. Enterprise and API tiers often carry no-training terms and data controls, a different risk profile. Read the actual terms for the exact product and plan you use, as of June 2026, because providers revise them often.
Before any staff member uses an AI tool on client work, confirm two things in writing: does the plan train on inputs, and does it retain them? If you cannot find a clear no in the terms, treat the tool as a public channel.
What a compliant 7216 consent actually has to look like
Here is the part most "AI for accountants" posts skip, because it is the unglamorous one: the consent that would let you route tax return information to an outside tool is not a casual checkbox. For Form 1040 series clients, the IRS prescribes the format and content in Revenue Procedure 2013-14. Each separate disclosure or use needs its own written consent document. The consent must contain specific mandatory language verbatim, the wording differing for a disclosure versus a use. Paper consents have to be in at least 12-point type. Electronic consents must appear on their own screen with adequate contrast and an affirmative action by the taxpayer to agree.
Read that against how a paste actually happens. Nobody drafts a 12-point, single-purpose, mandatory-language consent before dropping a K-1 into a chat window at 11pm in March. That gap is the point. The formality of a real consent is exactly what an impromptu paste skips, which is why the safe move is to keep client-identifying data out of the tool rather than to chase a consent after the fact. The AICPA publishes sample 7216 consent forms; treat them as the bar, not as paperwork to backfill.
A safe workflow that keeps the speed without the disclosure
You do not have to give up AI to stay clean. You have to change what reaches it and on what terms. Three controls do most of the work.
- Get consent in the right form. Section 7216 disclosures generally require the taxpayer's prior written consent, and for Form 1040 clients the IRS prescribes the format and content under Rev. Proc. 2013-14. If your engagement contemplates routing tax return information to an outside tool, that belongs in a compliant consent, not a verbal okay.
- De-identify before you ask. Strip names, SSNs, EINs, and addresses, and replace specific figures with rounded or sample numbers when you only need help with method or logic. A question about how a basis adjustment works does not need the client's real numbers.
- Use a tool that does not train on or retain your inputs. The product and plan you choose decides whether a paste becomes a disclosure to a model's training pipeline. Pick one with clear no-training, controlled-retention terms, and keep client-specific context inside systems you control.
Notice the ordering. Consent is a legal step, de-identification is a habit, and tool choice is an architecture decision. Skip any one and the weight falls on the others. Do all three and the AI question becomes a non-event.
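The de-identification control above, sketched as a pre-paste scrubber. This is an added example, not code from the article or from MemX. The function names, the known-terms map, and every sample value are constructed for illustration, and the placeholders are assumed to be plain strings. As the article notes, scrubbed text can still be tax return information, so this reduces exposure and does not replace consent or tool terms.

```python
import re

# Constructed patterns for the identifiers the list above says to strip.
PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EIN", re.compile(r"\b\d{2}-\d{7}\b")),
    ("TAXID", re.compile(r"\b\d{9}\b")),  # undashed SSN or EIN, ambiguous
]
MONEY = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)(?:\.\d+)?")

def _round_money(match, step):
    # Integer half-up rounding; keep at least one step so the scale survives.
    value = int(match.group(1).replace(",", ""))
    return f"${max(step, (value + step // 2) // step * step):,}"

def deidentify(text, known_terms, step=1000):
    """Return (scrubbed_text, counts). known_terms maps literal strings from
    the engagement file (names, addresses) to placeholders; regex cannot find them."""
    counts = {}
    # Longest terms first so a full name wins over a surname contained in it.
    for term in sorted(known_terms, key=len, reverse=True):
        placeholder = known_terms[term]
        text, n = re.subn(re.escape(term), lambda _m, p=placeholder: p,
                          text, flags=re.IGNORECASE)
        if n:
            counts[placeholder] = counts.get(placeholder, 0) + n
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[f"[{label}]"] = n
    text, counts["rounded_amounts"] = MONEY.subn(lambda m: _round_money(m, step), text)
    return text, counts

def safe_to_send(scrubbed):
    """Fail closed: block if any run of 4+ digits survives outside a rounded amount."""
    leftover = re.sub(r"\$[\d,]+", "", scrubbed)
    return re.search(r"\d{4,}", leftover) is None

# Constructed sample input; every value below is invented.
SAMPLE = ("K-1 for Dana Q. Example, SSN 123-45-6789, partnership EIN 12-3456789, "
          "12 Sample Lane, Springfield. Ordinary income $48,312.55; "
          "distributions $12,499. Prior preparer ID 987654321.")
TERMS = {"Dana Q. Example": "[CLIENT]", "12 Sample Lane, Springfield": "[ADDRESS]"}

if __name__ == "__main__":
    scrubbed, counts = deidentify(SAMPLE, TERMS)
    print(scrubbed, counts, safe_to_send(scrubbed), sep="\n")
```

Logging the returned counts per request also gives the firm a dated record that the safeguard ran, which is the evidence the confidentiality rule asks for.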
A fourth control earns its keep under the confidentiality rule: documentation. Write the policy down. State which tools are approved, on which plans, what may never be pasted, and how staff de-identify inputs. Train on it once a season and log that you did. If a complaint ever lands, the question will be whether you applied safeguards, and a dated policy plus an approved-tool list beats a memory of good intentions every time.
Public chatbot versus a private working context
| Dimension | Public consumer chatbot | Private-by-architecture context |
|---|---|---|
| Where client data lands | On the provider's servers, owned by the tool's owner | In a per-user isolated store, encrypted at rest |
| Trained on your inputs | Possible on free or standard tiers, per settings | Not used for training |
| Section 7216 disclosure on paste | Yes, data leaves the firm to a third party | Reduced surface, data stays in a store you control |
| Who proves safeguards | Hard to evidence after the fact | Documented isolation and encryption controls |
| Replaces consent and engagement duties | No | No, those remain the firm's obligation |
The right column is not a compliance product. It is a smaller blast radius. The firm still owes the client consent, an engagement letter, and judgment about what is appropriate to process at all.
Where MemX fits, and where it does not
MemX gives ChatGPT, Claude, and Gemini a persistent memory layer that is private by architecture: per-user isolation, encryption at rest, and inputs that are not used for training. For an accountant, the practical effect is that the working context you build up (your firm's standard treatments, your preferred wording, the method notes you keep reaching for) lives in a store you control rather than getting re-pasted into a public chat every time. That shrinks the data-exposure surface that Section 7216 and the confidentiality rule care about.
Read the limits clearly. MemX does not make a firm "Section 7216 compliant," and nothing here is legal or tax advice. Consent in the IRS-prescribed form, your engagement letter, de-identification of client data, and the decision about what is appropriate to process all remain the firm's responsibility. MemX keeps your own working context private. It is not a substitute for the consent and confidentiality obligations you already carry.
Frequently asked questions
01 Is pasting a client's tax return into ChatGPT illegal?
It can violate IRC Section 7216, a criminal statute that bars tax return preparers from disclosing tax return information without the taxpayer's consent. Pasting it into a public tool shares it with the tool's owner, which is a disclosure. This is not legal advice; consult counsel on your facts.
02 What is the penalty for a Section 7216 violation?
It is a misdemeanor with a fine of up to $1,000 or up to one year imprisonment, or both, plus prosecution costs, per violation. A parallel civil penalty under Section 6713 is $250 per disclosure, capped at $10,000 a year. Identity-theft cases can reach $100,000.
03 Does removing the client's name make it safe?
It helps but does not fully solve it. Tax return information is broad and includes figures and circumstances, not just names. De-identifying inputs reduces exposure, but consent and your tool's data terms still matter. The cleanest path combines de-identification with a tool that does not retain or train on inputs.
04 Can I use AI at all in my accounting practice?
Yes. The AICPA does not ban AI; CNA's guidance warns against feeding confidential client or firm data into tools that share it with the provider. Use consent where required, de-identify inputs, and choose tools with no-training, controlled-retention terms. Keep a documented policy so you can evidence your safeguards.
05 Does the AICPA confidentiality rule apply to non-tax work?
Yes. The Confidential Client Information Rule, section 1.700.001, applies to every member in public practice across all engagements, not just tax. Audit working papers, advisory models, and financial data are all covered. Pasting any of it into a public AI tool is a disclosure that requires client consent.
The takeaway
The risk in AI for accountants is not a wrong answer. It is the paste. Client data entered into a public chatbot reaches the tool's owner, and under IRC Section 7216 and the AICPA confidentiality rule that is a disclosure with criminal and professional consequences. Get consent in the prescribed form, de-identify what you ask, and use tools that do not train on or retain your inputs. Do that, and AI becomes a quiet productivity gain instead of a liability waiting for an audit.
Reviewed by Aditya Kumar Jha, Founding Software Engineer at MemX.
