Redacting Tax Returns Before Sharing: Guide for Accountants
Tax files are packed with identifiers - Social Security numbers, EINs, bank account and routing numbers - that your client never intended to share beyond the IRS. This guide walks through what to redact before a document leaves your office, and how to do it without creating a liability.
By RedactProof Editorial Team · May 1, 2026
This article is for general informational purposes only and does not constitute legal advice. Regulatory requirements vary by jurisdiction and change over time. Consult a qualified legal professional for advice specific to your organization's circumstances.
A client calls Wednesday afternoon. Their home purchase closes in two weeks and the lender is asking for two years of 1040s. The client wants to send them directly from your files. The returns contain their Social Security number on every page, their Employer Identification Number for a side business, a Schedule C with income they haven't mentioned to the lender, and a Schedule D with a capital loss they'd rather not explain.
This is a routine request in a tax practice. The answer is not to refuse to help - it's to identify what the lender actually needs and share only that, in a form that doesn't hand over data the recipient has no business holding.
What counts as sensitive in a US tax return
Federal returns contain several categories of highly sensitive personal identifiers:
- Social Security Number (SSN) - appears on the face of most federal returns
- Employer Identification Number (EIN) - links to specific business entities
- Bank account and routing numbers in refund/payment sections
- Schedule details revealing income sources the client has not elected to disclose
- Foreign financial account indicators (FBAR-related reporting on Schedule B)
State returns often reproduce the federal SSN and add state-specific identifiers. W-2s and 1099s submitted with returns contain SSNs, employer details, and sometimes health insurance information from Box 12 codes.
The lender asking for 1040s generally needs one thing: income verification to support underwriting. They do not need the SSN - they already have it from the loan application. They often do not need schedules relating to income sources not relevant to the lending decision. Sharing only what is necessary for the stated purpose is consistent with the confidentiality obligations covered below, including the GLBA Safeguards Rule as it applies to CPAs providing tax services, and it limits the firm's exposure if the recipient is later breached.
Four scenarios tax and accounting professionals handle regularly
Tax return shared with a mortgage lender
Lenders ask for 1040s as income verification. Before sending, redact the SSN, bank account and routing numbers, and any schedules that don't relate to the income basis for the loan. If the client has business income on Schedule C but the lender is underwriting based on W-2 wages only, Schedule C can come out. Confirm with the client what the lender has specifically requested.
Some lenders accept IRS Tax Return Transcripts (obtained via Form 4506-C) rather than copies of the actual return. Transcripts do not display the full SSN - they show a masked version. Where this option is available, it may be preferable to sharing redacted copies, since the lender receives the same verification from a government-authenticated source without access to the original document.
W-2 or 1099 shared with a financial planner
W-2s contain the employee's SSN, employer EIN, and a detailed breakdown of withholding. 1099 forms vary - a 1099-INT from a bank shows account numbers alongside interest income. Before sharing either document with a financial planner, identify what information they actually need and redact what falls outside that scope. An SSN is not necessary for retirement contribution planning. Account numbers are not necessary for income analysis.
Full financial statements shared with an investor
Compiled or reviewed financial statements prepared for a closely held business may contain owner SSNs, EINs, officer compensation details, and related-party transaction information. Investor due diligence requests frequently ask for full financials. Before sharing, check whether any personally identifying information - particularly SSNs - has been included in the documents through an error in preparation. Remove it.
Payroll register shared with an external auditor
Payroll registers contain SSNs, bank account details, individual salary and hourly figures, and often health insurance and retirement contribution data. External auditors testing payroll completeness typically need to verify totals, rates, and headcount. They generally do not need every employee's SSN or bank account number to complete that work. Confirm the specific scope of the audit request before sharing, and redact personal identifiers beyond what the auditor actually needs.
US regulatory framework for CPAs and tax advisors
Gramm-Leach-Bliley Act (GLBA). CPAs providing financial advisory or tax services to individuals are "financial institutions" under GLBA; the FTC's rules give tax preparation services as an example. This means they are subject to the FTC Safeguards Rule, which requires firms to protect client financial information with appropriate security controls, limit access to those with a need to know, and avoid sharing customer financial information beyond what is permitted or authorized. The amended Safeguards Rule, with which covered firms have had to comply since June 2023, spells out what the written information security program must contain: a designated qualified individual, a written risk assessment, access controls, encryption of customer information in transit and at rest, and multi-factor authentication. Since May 2024 it also requires notifying the FTC of a security event affecting 500 or more consumers within 30 days of discovery. Sharing unredacted tax returns with third parties who don't need all the information in them is inconsistent with these obligations.
AICPA Code of Professional Conduct. Section ET 1.700.001 (Confidential Client Information Rule) prohibits CPAs in public practice from disclosing any confidential client information without the specific consent of the client, except as required by law or professional standards. This rule applies to third-party sharing scenarios. Sharing more information than the client has authorized - or more than the recipient requires - is a potential ethics violation.
IRS Form 4506-C as an alternative. Form 4506-C authorizes the IRS to release tax transcripts directly to a third party (such as a mortgage lender). Transcripts display masked SSNs and provide income verification without the client's full return being shared. Where lenders accept transcripts, this is often a cleaner solution than redacting copies of original returns.
State CPA society standards. Most state CPA societies have adopted the AICPA Code or maintain equivalent confidentiality provisions. Several states - including California, New York, and Texas - have state-specific data privacy laws that apply to CPA firms as businesses handling consumer data. If your firm operates in California, the CCPA may apply to how you handle personal data that falls outside GLBA: the CCPA exempts personal information collected pursuant to GLBA, so for a tax practice the overlap is typically employee, prospect, and marketing data rather than client return data, and the firm must meet the CCPA's revenue or volume thresholds before it applies at all.
RedactProof detects SSNs, EINs, bank account numbers, and 40+ other personal data types automatically, with pixel-burn redaction that permanently removes the underlying data.
SSN, EIN, and other identifiers: what to redact by default
A Social Security Number is the highest-risk identifier in a US tax document. It unlocks identity verification across financial, government, and healthcare systems. Every document that contains a client's SSN should be reviewed before sharing with any third party. The question is not "does this third party need the document" but "does this third party need the SSN." In most third-party sharing scenarios in tax practice, the answer is no.
An Employer Identification Number identifies a specific business entity. It is less sensitive than an SSN but should still be reviewed in context. Sharing an EIN with a party who has no role in that business is unnecessary and creates a linkage the client may not intend.
Bank account and routing numbers appearing in refund or payment sections should be redacted as a default. These are directly actionable for ACH fraud. No third party needs this information for income verification purposes.
For a thorough overview of PII categories and identification patterns, our guide to what is PII covers the taxonomy in plain terms.
Why the redaction method matters
Overlay redaction - placing a black box over text in a PDF - leaves the underlying text in the file. The box is just one more drawing operation painted on top of the text; anyone with basic PDF tools can select and copy the "redacted" text, extract it with a command-line tool such as pdftotext, or find it with search. The ICO in the UK and equivalent US guidance from bodies like NIST and the FTC have flagged this risk in document security contexts.
Pixel-burn redaction converts the document page to an image, permanently destroying the text layer. The redacted content cannot be recovered by the recipient regardless of what tools they use. For documents containing SSNs, bank details, and other high-risk identifiers, this is the approach professional practice calls for. Two things still need checking on the output: that the original page was replaced rather than kept behind the image (some tools add the image as a new layer), and that document metadata, bookmarks, attachments, and form field values were dropped as well, since none of those live in the page's text layer.
Our guide to how to redact a PDF explains the technical difference between overlay and pixel-burn redaction and how to verify that a redaction is actually permanent.
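The identifier rules above (SSN, EIN, routing number) and the overlay-versus-pixel-burn difference can both be checked in code. What follows is an added example written for this guide, not RedactProof's own detection or redaction code. It builds two constructed one-page PDFs in memory, one with a black rectangle painted over the text (overlay) and one whose page is only a raster image, then decompresses every content stream and reports which identifiers a text extractor would still recover. The sample values (123-45-6789, 12-3456789, 123456780), the minimal PDF builder, and the Tj/TJ scanner are all constructed for the demo; the SSN area/group/serial rules and the ABA routing check digit are the published formats, and an EIN has no check digit, so it is matched by format only.

```python
import re
import zlib

# ---- Identifier detection: format plus checksum rules, to cut false positives ----
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")      # EINs have no check digit: format only
ROUTING_RE = re.compile(r"\b\d{9}\b")

def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    # SSA assignment rules: area never 000, 666 or 900-999; group never 00; serial never 0000.
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def is_valid_routing(digits: str) -> bool:
    # ABA routing transit numbers carry a weighted mod-10 check (weights 3,7,1 repeating).
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0

def find_identifiers(text: str) -> list:
    """Return (kind, value) pairs for SSNs, EINs and routing numbers that pass validation."""
    hits = [("SSN", m.group(0)) for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]
    hits += [("EIN", m.group(0)) for m in EIN_RE.finditer(text)]
    hits += [("ROUTING", m.group(0)) for m in ROUTING_RE.finditer(text) if is_valid_routing(m.group(0))]
    return hits

# ---- Minimal PDF builder for two constructed sample documents (demo only) ----
def make_pdf(page_content: bytes, resources: bytes, extra_objects=()) -> bytes:
    """Assemble a one-page PDF whose content stream is Flate-compressed, as real tools emit."""
    body = zlib.compress(page_content)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Resources "
        + resources + b" /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body) + body + b"\nendstream",
        *extra_objects,
    ]
    out, offsets = b"%PDF-1.4\n", []
    for i, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return out

FONT = b"<< /Font << /F1 << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> >> >>"
SAMPLE_LINE = b"SSN 123-45-6789  EIN 12-3456789  Routing 123456780"   # constructed values

def overlay_redacted_pdf() -> bytes:
    """Text drawn with Tj, then a black rectangle painted on top: the text layer survives."""
    content = (b"BT /F1 12 Tf 72 700 Td (" + SAMPLE_LINE + b") Tj ET\n"
               b"0 0 0 rg 72 696 400 16 re f\n")
    return make_pdf(content, FONT)

def pixel_burned_pdf() -> bytes:
    """Page replaced by a raster image (a 1x1 grey stand-in here): no text operators remain."""
    pixels = zlib.compress(b"\x80")
    image = (b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray"
             b" /BitsPerComponent 8 /Length %d /Filter /FlateDecode >>\nstream\n" % len(pixels)
             + pixels + b"\nendstream")
    return make_pdf(b"q 612 0 0 792 0 0 cm /Im1 Do Q\n", b"<< /XObject << /Im1 5 0 R >> >>", [image])

# ---- Verification: what a text extractor would still see after "redaction" ----
STREAM_RE = re.compile(rb"/Length (\d+)[^>]*>>\s*stream\r?\n", re.S)   # direct /Length only
TEXT_OP_RE = re.compile(rb"(\((?:\\.|[^\\)])*\))\s*Tj|\[([^\]]*)\]\s*TJ", re.S)
STRING_RE = re.compile(rb"\((?:\\.|[^\\)])*\)")

def shown_text(content: bytes) -> str:
    """Join the string operands of Tj/TJ text-showing operators, as pdftotext-style tools do."""
    parts = []
    for m in TEXT_OP_RE.finditer(content):
        operand = m.group(1) if m.group(1) is not None else m.group(2)
        parts.append(b"".join(s[1:-1] for s in STRING_RE.findall(operand)))
    return b" ".join(parts).decode("latin-1")

def residual_identifiers(pdf: bytes) -> list:
    """Decompress every stream and report identifiers left in the text layer.
    Bytes outside streams (Info dictionary, annotations, field values) are scanned too."""
    pos, outside, found = 0, [], []
    for m in STREAM_RE.finditer(pdf):
        raw = pdf[m.end(): m.end() + int(m.group(1))]
        outside.append(pdf[pos:m.end()])
        pos = m.end() + len(raw)
        try:
            data = zlib.decompress(raw)
        except zlib.error:
            data = raw                       # unfiltered stream
        found += find_identifiers(shown_text(data))
    outside.append(pdf[pos:])
    found += find_identifiers(b"".join(outside).decode("latin-1"))
    return sorted(set(found))

if __name__ == "__main__":
    print("overlay:   ", residual_identifiers(overlay_redacted_pdf()))
    print("pixel-burn:", residual_identifiers(pixel_burned_pdf()))
```

Run it and the overlay document reports all three identifiers while the rasterized one reports none, even though both look identical on screen. The scanner is deliberately minimal (direct /Length values, Tj and TJ operators, no hex strings or object streams), so for a production check run pdftotext or a full PDF parser over the outgoing file and search the result, and inspect document metadata, annotations and form fields separately, since none of those are part of a page's content stream.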
Building a consistent process in your practice
Many small and mid-size CPA firms handle third-party document sharing informally - a staff member gets a request, finds the return, and emails it over. That process works until someone forwards a 1040 with a client's SSN to a mortgage company that then gets breached. At that point, the firm has a GLBA Safeguards Rule problem, a potential state law notification obligation, and a client relationship issue.
A written procedure for outgoing documents reduces that exposure. It does not need to be complex. It needs to define: who reviews outgoing client documents before they leave the firm, what categories of identifier are always removed before third-party sharing, and what tool is used for permanent redaction. For firms handling payroll, a checklist at the point of sharing takes five minutes and removes most of the risk.
Our redaction policy template provides a starting framework adaptable for US tax and accounting practices.
Related guides: document redaction for HR teams | how to redact a PDF | what is PII
Documents are processed in your browser and never uploaded to our servers.
Frequently Asked Questions
Do I need client consent before redacting a tax return before sharing it?
Redacting a document before sharing it is not a separate act requiring consent - it limits disclosure to what the client has actually authorized. If a client has asked you to share their 1040 with a mortgage lender, they have consented to income verification sharing. They have not necessarily consented to the lender receiving their full SSN, bank account details, and schedules relating to other income sources. Redacting what the lender does not need is consistent with the client's intent. Note also that Internal Revenue Code §7216 and its regulations restrict a tax return preparer from disclosing tax return information to a third party without the taxpayer's consent; that consent must be written, signed by the taxpayer, and obtained before the disclosure, and for Form 1040-series information it must follow the IRS's prescribed format, so an informal request in an email is not sufficient on its own. Get the signed consent on file first, then document the client's request and the scope of what you shared.
What should I redact from a 1040 sent to a mortgage lender?
At minimum: SSN, bank account and routing numbers from the refund/payment section, and any schedules not relevant to the lending decision. Many lenders accept IRS Form 4506-C transcripts, which show masked SSNs and provide the same income verification from a government source - ask whether the lender will accept a transcript before sharing a copy of the return. If sharing a copy is required, confirm with the client what the lender has specifically asked for and limit disclosure to that scope.
What is the difference between overlay redaction and pixel-burn redaction?
Overlay redaction places a visual block over text in a PDF but leaves the underlying text in the file. Anyone with basic PDF tools can recover it by selecting and copying. Pixel-burn redaction converts the page to an image and permanently removes the text layer - the data is gone. For documents containing SSNs, bank details, and other high-risk identifiers, pixel-burn is the only method that actually protects the data. Overlay redaction creates a false sense of security.
Which privacy laws apply to US CPA firms handling client tax data?
Several frameworks apply. The Gramm-Leach-Bliley Act (GLBA) and its FTC Safeguards Rule cover CPA firms providing financial services to individuals, requiring protection of client financial information and limiting sharing to permitted purposes. The AICPA Code of Professional Conduct (ET 1.700.001) prohibits sharing confidential client information without consent. State privacy laws, including CCPA in California, may apply to the firm as a business handling consumer data. Firms handling tax data for businesses should also consider whether their state has specific data breach notification requirements that apply in the event of an unauthorized disclosure.