Your team uses AI to draft tax advice, reconcile accounts, and summarise financials. Do you know what client data they're sharing?
Accountants paste BAS lodgements into ChatGPT for review, bookkeepers upload bank feeds into Claude for reconciliation, and managers summarise client financials with Gemini. Vireo Sentinel shows you what's happening and catches sensitive records before they reach external services.
What's actually happening
Tax return preparation
A junior accountant pastes a client's full income statement, deductions, and TFN into ChatGPT to check for missed claims. The ATO would have questions about where that ended up.
Client financial summaries
A manager copies three years of profit and loss statements into Claude to draft a loan support letter. Revenue figures, director salaries, and creditor positions now sit on Anthropic's servers.
BAS reconciliation
A bookkeeper uploads a quarter's worth of transaction records into Gemini to find discrepancies. GST figures, supplier ABNs, and bank account details all included.
Your clients trust you with everything. AI platforms don't carry the same obligations, and whether a prompt is retained or used for training depends on the tier and terms your staff signed up under, not on your engagement letter.
85% of accounting professionals are excited about AI, but only 37% of firms invest in AI training. That gap is where financial records walk out the door.
The data at risk in every engagement
Accounting firms hold more personal financial information than most industries. Here's what ends up in AI prompts unchecked.
Tax file numbers and identifiers
TFNs, ABNs, ACNs, Social Security numbers, VAT registration numbers, personal identification documents.
Financial statements
Profit and loss, balance sheets, cash flow statements, aged receivables, management accounts, budgets.
Payroll records
Employee salaries, superannuation details, leave balances, bank account numbers, tax withholding amounts.
Client personal information
Names, addresses, dates of birth, marital status, dependant details, contact records across multiple engagements.
Business commercial data
Revenue figures, profit margins, supplier terms, debtor lists, loan covenants, shareholder distributions.
Advisory correspondence
Tax advice letters, restructure recommendations, succession plans, trust distribution minutes, ATO ruling requests.
Your professional obligations already cover this
Accountants don't need AI-specific rules to be on the hook. Existing professional standards and privacy laws already apply.
Tax Practitioners Board and Privacy Act
Code of Professional Conduct (TASA 2009)
In effect now
Registered tax agents must maintain confidentiality under item 6 of the Code of Professional Conduct in Section 30-10 of the Tax Agent Services Act 2009: client information must not be disclosed to a third party without the client's permission or a legal duty to do so. Sharing tax records with a third-party AI service without authorisation is a potential breach.
Privacy Act 1988 (as amended by the Privacy and Other Legislation Amendment Act 2024)
Statutory tort from 10 June 2025
Individuals can sue for serious invasions of privacy, with damages for non-economic loss capped at $478,550. The OAIC can pursue civil penalties for serious interferences with privacy of up to the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover. Enforcement priorities for 2025-26 explicitly include AI-related privacy practices.
APES 110 Code of Ethics
In effect now
Issued by APESB, requires confidentiality of information obtained through professional relationships. Section 114 prohibits disclosure without specific authority or legal right.
ATO data security expectations
In effect now
Tax agents are expected to protect client records with the same care applied to their own. Practice management system security extends to any AI services used to process that information.
ICAEW, ACCA, and UK GDPR
Professional duty of confidentiality
In effect now
ICAEW and ACCA codes require members to maintain confidentiality. This extends to how technology, including generative AI, is used with financial records. No carve-out exists for AI platforms.
UK GDPR and Data Protection Act 2018
In effect now
A DPIA is required before processing that is likely to result in high risk to individuals, and the ICO lists use of new technologies as a trigger. Sharing financial records with a third-party AI provider needs a lawful basis under Article 6. ICO fines reach 17.5 million GBP or 4% of global annual turnover, whichever is higher.
Making Tax Digital (MTD) data obligations
In effect now
HMRC's MTD framework requires digital record keeping with appropriate security. Using unsanctioned AI to process VAT or income tax records creates compliance gaps in the digital chain.
ICO enforcement priorities
In effect now
The ICO has highlighted AI as a priority enforcement area. Accountancy firms processing large volumes of personal financial information are higher-risk targets for regulatory attention.
EU AI Act and GDPR
GDPR data minimisation
In effect now
Sending personal information to an AI service beyond what is strictly necessary for the purpose breaches the data minimisation principle in Article 5(1)(c). GDPR fines reach 20 million EUR or 4% of global annual turnover, whichever is higher.
AI Literacy requirements
February 2025
Organisations must ensure staff have sufficient AI literacy. Accounting firms need to show their people understand the risks of sharing financial records with these systems.
Professional secrecy obligations
In effect now
Accountants across EU member states are bound by professional secrecy under national law, and statutory auditors additionally under Article 23 of the Audit Directive. These obligations cover all processing of client information, including processing by an AI service.
EU AI Act penalties
August 2026 for high-risk systems
Up to 15 million EUR or 3% of global turnover for non-compliance with high-risk requirements. Annex III lists creditworthiness assessment and credit scoring of natural persons as high-risk uses, so an AI system used to make financial assessments about individuals may fall into that category.
AICPA and state regulations
AICPA Code of Professional Conduct
In effect now
Rule 1.700 requires CPAs to maintain confidentiality. The AICPA has issued guidance noting that AI tools must be evaluated for data handling practices before use with client information.
IRC Section 7216 (Tax return preparers)
In effect now
Federal law restricting disclosure of tax return information by preparers. Penalties include fines up to $1,000 and imprisonment up to one year. Pasting tax records into a generative AI service could constitute unauthorised disclosure.
State privacy laws
Varies by state
California CCPA/CPRA, Colorado AI Act (effective June 2026), and other state-level frameworks create additional obligations. Several states have specific provisions for financial information handling.
FINRA and SEC considerations
In effect now
For firms providing investment advisory alongside accounting, FINRA's 2025 oversight report highlights AI-related risks including data leakage and requires firms to supervise AI usage at enterprise and individual levels.
How Vireo Sentinel helps accounting firms
See what's happening
Which platforms your people use, how often, and what type of work goes in. Find out whether your team runs client financials through ChatGPT before you hear about it from the TPB or a client.
Catch sensitive records before they leave
Real-time detection of TFNs, ABNs, financial figures, and personal identifiers. Warns the user and gives them options: cancel, redact, edit, or override with a documented justification.
Prove governance works
Compliance reports with sections mapped to relevant frameworks. When a client asks how their records are protected, or the regulator asks about your AI governance, show them evidence rather than a policy nobody reads.
What this looks like in practice
The BAS that nearly left
A bookkeeper pastes a full quarterly BAS into ChatGPT to check GST calculations. The extension detects the ABN, GST amounts, and supplier details across the submission. The bookkeeper chooses to redact identifiers and proceeds.
Year-end financials
Three years of management accounts go into Claude so a senior accountant can draft annual report commentary. Vireo catches company names, director names, and detailed financial positions. Every interaction is logged.
When payroll gets pasted
An entire pay run summary lands in Gemini while a payroll officer troubleshoots a superannuation discrepancy. Vireo flags employee names, TFNs, salary details, and bank accounts across every category.
The partner drafting tax advice
The partner's prompt looks identical to the graduate's: a full financial position pasted in to draft a Division 7A loan agreement. Vireo intervenes the same way regardless of seniority.
Built for accounting firms
Warns, doesn't block
Staff keep working on engagements. Choices, not roadblocks.
Deploys in minutes
Browser extension. No agents, no proxies, no IT project required. Coverage is the browsers where the extension is installed; desktop apps, mobile apps, and direct API use sit outside its view.
Privacy by design
Sensitive content detected and redacted in the browser, before it reaches our servers.
Affordable
Enterprise governance without the enterprise price tag. Built for firms that bill in six-minute increments, not six-figure IT budgets.
Explainable detection
Deterministic pattern matching. When the TPB or your professional body asks how it works, you can give them a straight answer.
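The detection and redaction flow described above (catch TFNs and ABNs in a prompt, warn, then cancel, redact, or override with a justification) comes down to pattern matching plus a checksum. The block below is an added illustration of that technique, not Vireo Sentinel's code, and assumes only the publicly documented ATO check-digit algorithms: a 9-digit TFN weighted 1,4,3,7,5,8,6,9,10 with the sum divisible by 11, and an 11-digit ABN with 1 subtracted from the first digit, weighted 10,1,3,5,7,9,11,13,15,17,19, with the sum divisible by 89. The function names, the sample prompt, and the audit record shape are constructed for this example.

```javascript
// Added example: deterministic TFN/ABN detection with checksum validation and
// redaction. Illustrative only; not Vireo Sentinel's implementation.
// Assumption: only 9-digit TFNs are handled (older 8-digit TFNs are ignored).

const TFN_WEIGHTS = [1, 4, 3, 7, 5, 8, 6, 9, 10];
const ABN_WEIGHTS = [10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19];

function digitsOf(s) {
  return s.replace(/\D/g, "").split("").map(Number);
}

// ATO TFN check: weighted sum of the 9 digits must be divisible by 11.
function isValidTfn(candidate) {
  const d = digitsOf(candidate);
  if (d.length !== 9) return false;
  const sum = d.reduce((acc, digit, i) => acc + digit * TFN_WEIGHTS[i], 0);
  return sum % 11 === 0;
}

// ATO ABN check: subtract 1 from the first digit, weighted sum divisible by 89.
function isValidAbn(candidate) {
  const d = digitsOf(candidate);
  if (d.length !== 11) return false;
  d[0] -= 1;
  const sum = d.reduce((acc, digit, i) => acc + digit * ABN_WEIGHTS[i], 0);
  return sum % 89 === 0;
}

// Candidate patterns: digit groups with optional single spaces, bounded so a
// 9-digit run inside a longer number (e.g. a BSB plus account) is not matched.
const TFN_RE = /(?<!\d)\d{3} ?\d{3} ?\d{3}(?!\d)/g;
const ABN_RE = /(?<!\d)\d{2} ?\d{3} ?\d{3} ?\d{3}(?!\d)/g;

// ABN first so the 9-digit tail of an ABN is not re-reported as a TFN.
const DETECTORS = [
  { type: "ABN", re: ABN_RE, validate: isValidAbn },
  { type: "TFN", re: TFN_RE, validate: isValidTfn },
];

// Returns validated identifiers with their spans, earliest first. A match
// that fails its checksum (an invoice number, say) is dropped, which is what
// keeps a deterministic detector from flagging every 9-digit number.
function findIdentifiers(text) {
  const findings = [];
  for (const { type, re, validate } of DETECTORS) {
    for (const m of text.matchAll(re)) {
      const start = m.index, end = start + m[0].length;
      const overlaps = findings.some(f => start < f.end && end > f.start);
      if (overlaps || !validate(m[0])) continue;
      findings.push({ type, value: m[0], start, end });
    }
  }
  return findings.sort((a, b) => a.start - b.start);
}

// Replaces each finding with a typed placeholder, leaving the rest intact.
function redact(text, findings) {
  let out = "", cursor = 0;
  for (const f of findings) {
    out += text.slice(cursor, f.start) + `[${f.type} REDACTED]`;
    cursor = f.end;
  }
  return out + text.slice(cursor);
}

// Models the prompt-time choice: cancel, redact, or override with a documented
// justification. Returns the text that would be sent (null for cancel) and an
// audit record; a real extension would persist the record and call this from
// the chat page's submit handler.
function reviewPrompt(text, action, justification = "") {
  const findings = findIdentifiers(text);
  const audit = { action, findings: findings.map(f => f.type) };
  if (findings.length === 0) return { send: text, audit: { ...audit, action: "clean" } };
  switch (action) {
    case "cancel": return { send: null, audit };
    case "redact": return { send: redact(text, findings), audit };
    case "override":
      if (!justification.trim()) throw new Error("override requires a justification");
      return { send: text, audit: { ...audit, justification } };
    default: throw new Error(`unknown action: ${action}`);
  }
}

// Constructed sample prompt: one real-format ABN (the ATO's published example),
// one valid-format TFN, one 9-digit invoice number that fails the TFN checksum,
// and a BSB plus account number that the bounded patterns must not match.
const SAMPLE_PROMPT = [
  "Please check this BAS for missed GST credits.",
  "Client: Example Pty Ltd, ABN 51 824 753 556.",
  "Director TFN 123 456 782.",
  "Invoice 987 654 321 from supplier, total $12,345.",
  "Account 062-000 12345678 (BSB + account).",
].join("\n");
```

Run it with `node` and call `reviewPrompt(SAMPLE_PROMPT, "redact")`: the ABN and TFN become placeholders, the invoice number and account details pass through untouched, and the audit record lists what was found and what the user chose. Note what this style of detector does not cover: company names, director names, and narrative financial figures have no checksum to validate against, so they need word lists or keyword patterns and will carry a higher false-positive and false-negative rate than the structured identifiers shown here.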
See how your firm uses AI
Start free
Vireo Sentinel supports your compliance efforts but does not provide legal advice. You remain responsible for your organisation's compliance obligations.