When you hand your tax documents to a large national firm or chain, there is a good chance the actual preparation of your return never happens in the United States. Your Social Security number, income, bank accounts, medical expenses, business financials, and family details may be transmitted to preparers in India, the Philippines, or other countries — without your knowledge and without meaningful legal protection if something goes wrong.
Offshore tax preparation is not a fringe practice. It is a standard operating model for many of the largest accounting firms, national tax chains, and regional CPA firms in the United States. The business logic is straightforward: labor costs for skilled workers in countries like India and the Philippines are a fraction of US costs, allowing firms to process more returns at lower cost per return.
The typical model works like this: you meet with a local staff member or upload your documents through a portal. Your data is then transmitted electronically to an offshore preparation center — often in India, the Philippines, or Eastern Europe. Preparers there enter your data, prepare the draft return, and send it back to the US office. A US-based reviewer — who may be reviewing dozens of returns per day — looks it over, signs it, and sends it to you for approval.
The person whose name and credentials appear on your return may have spent very little time with your actual situation. The people who spent the most time with your most sensitive financial data are located overseas, operating under the laws and data protection standards of a foreign country.
Disclosure of offshore preparation is not required by federal law in most cases. The IRS requires preparers to disclose when tax return information is shared with third parties — but exceptions and gray areas exist, and enforcement is limited. Many clients whose returns are prepared offshore never know it happened. The consent buried in engagement letters is often written in language most clients do not read or understand.
To prepare a complete and accurate tax return, a preparer needs access to virtually every piece of sensitive financial and personal information you have. When your return is prepared offshore, all of this data is transmitted internationally:
Your full legal name, Social Security number, date of birth, and home address — everything needed to open accounts, file fraudulent returns, or steal your identity.
Every W-2, 1099, brokerage statement, and K-1 you receive — your employer, your investment accounts, your dividend income, your retirement distributions.
Your routing and account numbers for direct deposit of your refund — sufficient to initiate fraudulent ACH transactions.
If you own a business — revenue, expenses, payroll, profit margins, client lists, contractor payments, and your business bank account details.
Your home address, mortgage balance, property values, and real estate holdings — enough to research and target your assets.
Your spouse's Social Security number, your children's names and SSNs, childcare provider information, and medical expense details.
This is not a partial picture of your finances. It is the complete picture — arguably the most comprehensive collection of sensitive personal and financial data that exists about you anywhere.
This is where the picture becomes genuinely concerning. Once your data crosses an international border, US data protection laws have limited reach:
The IRS can regulate US-based tax preparers through its PTIN registration system, ethical standards, and disciplinary procedures. It has no authority over foreign nationals working at offshore preparation centers. If an overseas employee improperly accesses or misuses your data, the IRS cannot investigate, sanction, or hold that person accountable.
IRC Section 7216 governs the disclosure of tax return information by US tax preparers and requires consent before sharing information with third parties, including offshore vendors. However, enforcement of these rules against the actual offshore handlers of your data is largely theoretical. The firm takes on liability for compliance — but the practical protection that provides to you as a client after a breach is limited.
India has data protection legislation, but its enforcement mechanisms and standards differ significantly from US law. The Philippines similarly has privacy legislation, but again, the practical recourse available to a US taxpayer whose data is mishandled by a foreign entity is extremely limited. You would need to pursue remedies in a foreign legal system, under foreign law, against a foreign company — a practically insurmountable task for most individuals.
Even if the offshore preparation firm has robust internal security, you have no visibility into how your data is stored, who can access it, whether it is retained after the return is completed, or whether it might be shared with subcontractors or other parties in that country's data economy. The chain of custody for your most sensitive financial information becomes effectively untrackable.
The IRS receives hundreds of thousands of reports of tax-related identity theft annually. Fraudsters who obtain your Social Security number and prior year income information can file a fraudulent return in your name and claim your refund before you file. Recovering from tax identity theft is a multi-year ordeal involving IRS identity protection PINs, manual review processes, and delayed refunds. The source of the data breach is rarely identified — but the value of tax return data to identity thieves is well established.
When pressed on offshore preparation, large firms typically offer several justifications. It is worth understanding each one and its limitations:
Large offshore preparation centers do generally have security infrastructure — encrypted transmissions, access controls, and internal policies. But security protocols are only as strong as their weakest link, and the history of major data breaches at large organizations — including financial institutions with significant security budgets — demonstrates that protocols do not eliminate risk. The question is not whether protocols exist, but whether you are comfortable with your most sensitive data being accessible to people you will never meet, operating under legal systems you have no connection to.
Confidentiality agreements signed by offshore employees are governed by the law of the country where the employee is located. Enforcing such an agreement against a foreign national employed in another country — if a breach occurs — is a practical impossibility for most individual clients.
Some firms point to disclosure language in their engagement agreements as satisfying their obligations. Read that language carefully. It is typically buried in multi-page documents, written in technical legal language, and presented as something to click through rather than genuinely consider. Disclosure of a practice does not make the practice appropriate — it simply shifts responsibility to the client who clicked "I agree."
The economics of offshore preparation work only at scale. A large firm processing tens of thousands of returns can achieve meaningful cost savings by routing preparation overseas. A local CPA firm serving hundreds of clients in a defined community has no such incentive — and significant disincentives:
If you are currently using a national chain, a large regional firm, or any preparer you are not certain about, these questions will tell you quickly what is happening with your data:
Every return prepared at Mercer Flanagan is prepared in-house by our Frederick team and reviewed by a CPA. Your data never leaves our office. It is never transmitted to offshore vendors. It is never shared with preparers in other countries. We have been preparing returns for Frederick County families and businesses since 1971, and the people who know your situation are the same people who prepare your return — year after year. Book a free consultation to experience the difference firsthand.
No — it is legal with proper client disclosure and consent under IRC Section 7216. The practice is widespread and largely unregulated beyond the disclosure requirement. Legal does not mean without risk to the client, and legal does not mean the firm is required to make the disclosure easy to find or understand.
Ask directly. You can also review your engagement agreement for references to third-party vendors, international affiliates, or data sharing. If your return was prepared through a large national chain or a firm that advertises very low prices for complex returns, offshore preparation is more likely than not. The economics of very cheap tax preparation almost always involve offshore labor.
Even a simple W-2 return contains your Social Security number, your employer's EIN, your bank account information for direct deposit, and your home address. That is sufficient information for identity theft and fraudulent tax filing. The complexity of the return does not reduce the sensitivity of the underlying data.
An IP PIN is a six-digit number that the IRS issues to protect your Social Security number from being used to file a fraudulent federal tax return. Once you have an IP PIN, a return filed using your SSN without the correct IP PIN will be rejected. Any US taxpayer can now opt into the IP PIN program at irs.gov — we strongly recommend it as a baseline protection regardless of who prepares your taxes. A new PIN is issued each year and must be provided to your tax preparer.
Roy Cogliandolo, CPA
Mercer Flanagan · Frederick, MD · June 2026
Every return we prepare stays in-house, prepared and reviewed by our local CPA team. No offshore vendors. No anonymous preparers in other countries. Just the same people who have served Frederick County since 1971.
Book a Free Consultation Call (301) 662-6992