Trust Accounting: What Every CPA Needs to Know Before a Single Dollar Goes Missing

Trust accounting sounds straightforward until something goes wrong. A missed reconciliation, a commingled deposit, a vendor without a signed agreement. These aren’t hypothetical risks. They’re the exact mistakes that cost accounting firms their licenses, their clients, and in some cases, millions in penalties.


If you manage fiduciary accounts for trusts, estates, or client funds, the rules governing how you handle that money are specific, unforgiving, and increasingly enforced. And the cybersecurity threats targeting those accounts have grown sharper than most CPAs realize.

Here’s what you need to know to protect your clients, your practice, and yourself.

What Trust Accounting Actually Requires

At its core, trust accounting is the practice of managing and reporting on assets held in a fiduciary capacity. Whether you’re overseeing a revocable trust, an irrevocable trust, an estate, or a client retainer account, one principle applies across the board: the money isn’t yours. It belongs to the beneficiaries, and every dollar must be tracked, documented, and accounted for.

The AICPA’s Practice Guide for Fiduciary Accounting, issued in response to widespread adoption of the 1997 Uniform Principal and Income Act, outlines the framework most states follow today. Over the past two decades, most states plus the District of Columbia have adopted versions of this Act, though the specific rules vary by jurisdiction.

That jurisdictional variation is where trouble starts. What’s acceptable in one state may trigger a violation in another. Professional advisors must constantly monitor the trust accounting law in their jurisdiction, including any recent amendments and their effective dates.

California, for example, now authorizes its State Bar to audit any trust accounting records without warning, without a client complaint, and without probable cause. Other states have followed with their own tightened enforcement mechanisms. If your practice operates across state lines, you’re navigating multiple sets of rules simultaneously.

The Fiduciary Duties That Get CPAs in Trouble

Most CPAs understand the concept of fiduciary duty. Fewer realize how strictly regulators enforce it. Here are the obligations that trip firms up most often:

  • Prohibition on commingling: Trust assets must never be mixed with personal or business funds. Each trust requires its own segregated account. This sounds basic, but it remains one of the most common violations found in audits.
  • Annual beneficiary reporting: Trustees have a legal duty to provide an accounting to beneficiaries on a regular basis. These reports must include asset lists, income summaries, and detailed expense breakdowns.
  • Taxable income vs. fiduciary income: CPAs preparing fiduciary income tax returns must recognize that taxable income and fiduciary accounting income are not the same. Failing to understand the difference creates legal liability for both trustees and beneficiaries.
  • Prudent asset management: Every investment decision, distribution, and expense must align with the trust’s stated purpose and the beneficiaries’ interests. Conflicts of interest aren’t just bad practice. They’re grounds for removal.
  • Record retention: Most jurisdictions require trust account records to be preserved for at least five years after the matter closes. Incomplete records during an audit can be just as damaging as a financial discrepancy.

The consequences for getting any of this wrong are real and escalating. Trust accounting violation penalties start at $5,000 for first offenses and escalate quickly to license suspension for repeated failures. An Illinois family law attorney was fined $15,000 for commingling funds and failing to document transfers correctly. A Florida practitioner received a two-year suspension for skipping three-way reconciliations for 14 months. A New York estate planner lost his license entirely after repeatedly failing to reconcile ledgers with bank statements.

These aren’t outliers. They’re patterns. And the enforcement actions don’t require that actual funds went missing. Mismanagement alone, even if unintentional, is enough to trigger penalties, fines, or loss of licensure.

Reconciliation: The Non-Negotiable Practice

If there’s one area where trust accounting compliance lives or dies, it’s reconciliation. A three-way reconciliation, performed monthly, matches the bank statement balance against the trust liability account balance and each individual client or beneficiary balance. All three numbers must agree.

When they don’t, you have a problem. And the longer that problem goes undetected, the more expensive it becomes.

Reconciliation software has made this process faster and more accurate, automating the comparison of recorded transactions against bank statements, investment statements, and other financial documents. But the software only works if someone actually runs it. Plenty of firms invest in the right tools and then let reconciliations slip during busy months.

Every financial transaction involving the trust, including deposits, disbursements, interest income, investment gains, and expenses, must be recorded. There are no exceptions for small amounts or routine transfers. Effective record-keeping prevents disputes and keeps your practice audit-ready.

Think of reconciliation as the pulse check of your fiduciary practice. Skip it once and you might get lucky. Skip it repeatedly and you’re building the kind of exposure that leads to enforcement action, malpractice claims, or worse.
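The monthly three-way reconciliation described above, as an added example (not code from the original post or from CyberShieldIT): it takes a constructed client sub-ledger, the bank statement balance and the general-ledger trust liability balance, adjusts the bank figure for items not yet on the statement, and reports every disagreement plus any client balance that has gone negative. The `Posting` structure, the field names and all balances are constructed for this illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Posting:
    client: str       # client or beneficiary sub-ledger the entry belongs to
    amount: Decimal   # positive = deposit into trust, negative = disbursement
    cleared: bool     # True once the item appears on the bank statement


def three_way_reconcile(postings, bank_statement_balance, gl_trust_liability):
    """Compare bank, trust liability and client-ledger balances; list every disagreement.

    An empty "problems" list means the month reconciles. Any entry means stop and
    investigate before the next cycle widens the gap.
    """
    client_balances = {}
    for p in postings:
        client_balances[p.client] = client_balances.get(p.client, Decimal(0)) + p.amount
    client_total = sum(client_balances.values(), Decimal(0))
    # Timing adjustment: deposits in transit add to the statement balance,
    # outstanding (unpresented) checks subtract from it.
    uncleared = sum((p.amount for p in postings if not p.cleared), Decimal(0))
    adjusted_bank = bank_statement_balance + uncleared
    problems = []
    if adjusted_bank != gl_trust_liability:
        problems.append(f"adjusted bank {adjusted_bank} != GL trust liability {gl_trust_liability}")
    if gl_trust_liability != client_total:
        problems.append(f"GL trust liability {gl_trust_liability} != sum of client ledgers {client_total}")
    if adjusted_bank != client_total:
        problems.append(f"adjusted bank {adjusted_bank} != sum of client ledgers {client_total}")
    for client, bal in sorted(client_balances.items()):
        if bal < 0:  # one client's disbursement was funded with other clients' money
            problems.append(f"{client} ledger is negative ({bal}): commingling within the trust account")
    return {"adjusted_bank": adjusted_bank, "gl_trust_liability": gl_trust_liability,
            "client_total": client_total, "client_balances": client_balances, "problems": problems}


# Constructed sample month: two clients, one check written but not yet presented to the bank.
SAMPLE_POSTINGS = [
    Posting("Client A", Decimal("10000.00"), cleared=True),
    Posting("Client B", Decimal("5000.00"), cleared=True),
    Posting("Client A", Decimal("-4000.00"), cleared=True),
    Posting("Client B", Decimal("-1500.00"), cleared=False),  # outstanding check
]
SAMPLE_BANK_STATEMENT = Decimal("11000.00")   # 10000 + 5000 - 4000; the 1500 check has not cleared
SAMPLE_GL_LIABILITY = Decimal("9500.00")      # what the firm's general ledger says it owes clients

if __name__ == "__main__":
    result = three_way_reconcile(SAMPLE_POSTINGS, SAMPLE_BANK_STATEMENT, SAMPLE_GL_LIABILITY)
    print("reconciled" if not result["problems"] else "\n".join(result["problems"]))
```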

The Cybersecurity Threat Most CPAs Underestimate

Trust accounts are a goldmine for cybercriminals. They contain social security numbers, bank account numbers, investment records, and enough personally identifiable information to commit identity theft, authorize fraudulent transactions, and file fake tax returns.

The numbers tell the story:

  • Reported attacks on accounting practices have jumped 300% since 2020
  • The average data breach in the financial industry costs $5.56 million, well above the $4.4 million cross-industry average
  • A Georgia CPA firm recently paid a $450,000 ransom just to regain access to encrypted client files
  • AI-powered phishing campaigns now craft emails that mimic clients, banks, and tax authorities with alarming accuracy

Business email compromise (BEC) is the single most financially damaging threat to accounting practices. Attackers impersonate clients requesting wire transfers, or they compromise an accountant’s email to send payment instructions to unsuspecting clients. In a trust accounting context, where large fund movements are routine, a single compromised email can redirect hundreds of thousands of dollars.

The FTC Safeguards Rule now requires financial institutions, including tax preparers and many accounting firms, to maintain comprehensive information security programs. The IRS has its own guidelines for protecting taxpayer data. And once systems are compromised, firms must notify every impacted client by law.

Ransomware attacks on accounting firms are particularly damaging because of timing. An attack during tax season or a court-mandated trust filing deadline can prevent a firm from meeting its obligations. And in the growing trend of “double extortion,” attackers don’t just encrypt your files. They exfiltrate the data first and threaten to publish it unless you pay.

Your trust accounting data is some of the most sensitive financial information that exists. Protecting it is not just good practice. It’s a regulatory and ethical obligation.

What Your Firm Should Do Now

Staying compliant with trust accounting rules while defending against modern cyber threats requires a layered approach. Here’s where to start:

  1. Audit your reconciliation process. Are you running three-way reconciliations every month, without exception? If not, fix that first.
  2. Review your vendor agreements. Every third party with access to trust data, from your cloud provider to your IT company, needs a signed Business Associate Agreement or equivalent.
  3. Encrypt everything. Client data at rest and in transit. Emails containing trust information. File shares and cloud storage. No exceptions.
  4. Train your team on phishing. AI-generated phishing emails are now nearly indistinguishable from legitimate correspondence. Your staff needs ongoing, current training. Not a once-a-year video.
  5. Document everything. If it isn’t documented, it didn’t happen. That applies to transactions, policies, training, and incident response plans.

Protect Your Trust Accounts With CyberShieldIT

Trust accounting compliance doesn’t stop at reconciliation and record-keeping. The data you manage is a high-value target, and the firms that protect it best are the ones that treat cybersecurity as part of their compliance program, not an afterthought.

CyberShieldIT works with accounting firms and CPAs to build security programs that protect client trust accounts from both regulatory risk and cyber threats. Our shield-based approach covers:

  • ITShield: Managed IT with access controls, audit logging, and endpoint security built for compliance
  • CyberShield: 24/7 threat monitoring and layered defenses against ransomware and phishing
  • Comm Shield: Encrypted email and communication channels for client data
  • Cloud Shield: Secure cloud storage that meets regulatory encryption standards

Your clients trust you with their most sensitive financial data. Make sure that trust is protected.

Frequently Asked Questions

Trust accounting is the practice of managing and reporting on assets held in a fiduciary capacity, whether for trusts, estates, or client retainer accounts. It matters because the money belongs to beneficiaries, not the firm. Every dollar must be tracked and documented, and regulators are actively enforcing compliance with audits, fines, and license suspensions.

Penalties start at $5,000 for first offenses and escalate to license suspension for repeated failures. Regulators don't require that funds actually went missing. Mismanagement alone, even if unintentional, is enough to trigger enforcement action. Commingling funds, skipping reconciliations, or failing to maintain records can all result in fines or loss of licensure.

Monthly, without exception. A three-way reconciliation matches the bank statement balance against the trust liability account balance and each individual client or beneficiary balance. All three numbers must agree. Letting reconciliations slip, even during busy months, builds the kind of exposure that leads to enforcement action.

Yes. Trust accounts contain social security numbers, bank account details, investment records, and enough personally identifiable information to commit identity theft and authorize fraudulent transactions. Reported attacks on accounting practices have jumped 300% since 2020, and the average data breach in financial services costs $5.56 million.

Business email compromise (BEC) is when attackers impersonate clients requesting wire transfers or compromise an accountant's email to send fraudulent payment instructions. In trust accounting, where large fund movements are routine, a single compromised email can redirect hundreds of thousands of dollars.

They do. Most states have adopted versions of the 1997 Uniform Principal and Income Act, but the specific rules differ by jurisdiction. California, for example, authorizes its State Bar to audit trust accounting records without warning or probable cause. If your practice operates across state lines, you're navigating multiple sets of rules at once.

Most jurisdictions require trust account records to be preserved for at least five years after the matter closes. Incomplete records during an audit can be just as damaging as a financial discrepancy.