What the Tax Practitioners Board now requires from accounting firms using AI.

Australian accountants are suddenly the happy beneficiaries of a brand-new suite of AI tax research tools. This new wave of platforms promises to drastically lessen the workload of practitioners by offering research and advice-drafting solutions plugged into verified tax databases, outperforming generic models like Copilot, ChatGPT, or Claude.

Yet beneath the excitement of this new wave of productivity, a critical question is emerging. While many firms are enjoying the heavy-lifting benefits of AI, there is a growing, uneasy realisation regarding client data security and how these tools actually process sensitive information.

Enterprise grade LLMs are not enough — still need client consent for offshore processing

For a time, the prevailing view among practitioners was that an enterprise-grade LLM subscription provided sufficient protection. Many accounting firms are now realising that is no longer the case. The United States CLOUD Act permits US law enforcement to compel data from any US-controlled provider, regardless of where that data is physically stored. This means client data processed through platforms like Microsoft Copilot, ChatGPT, or Claude may be accessible to US authorities at any time, without your knowledge or your client’s.

Since the release of TPB(I) D62/2026 in March 2026, Elfworks has engaged in correspondence with the Tax Practitioners Board to obtain clarification on the use of US-based LLMs, be they direct (Chat GPT, Claude paid subscriptions) or indirectly through Tax Research software.

Below are two questions we asked the Tax Practitioners Board (TPB):

Question 1:

If an accounting firm uses Tax Research Software that runs on a US based LLM that stores client information temporarily (or is capable of being retrieved via subpoena) under the US Cloud Act or comparable foreign law, does the tax agent need to disclose the details of this data storage  and potential access when obtaining permissions from the client in the Engagement Letter  or 'fact find' and consent?

Answer:

Where a registered tax practitioner uses tax research software powered by a US‑based large language model (LLM) and client information is transmitted to, processed by, or temporarily stored on overseas servers, this constitutes offshore handling of client information.

In accordance with the Code, particularly the obligations in relation to confidentiality and reasonable care, practitioners should take reasonable steps to ensure clients are clearly informed about:

 ·       the use of AI‑enabled software,

·       the involvement of third‑party providers, and

·       overseas data storage or access (including where this occurs under foreign laws such as the US CLOUD Act).  

Practitioners must obtain informed consent from each client before sharing any of their information with a third party, including cloud service providers. This may be done through engagement letters, privacy notices, or other consent documents.

Question 2 :

If an accounting firm uses Tax Research Software that runs on a US based LLM that stores client information temporarily under the US Cloud Act (stored for 30 days) and the tax agent does not obtain specific consent for client information to be stored this way, what are the likely implications under the Code?

Answer:  

If a practitioner uses AI software that stores client information offshore without obtaining informed client consent, this may raise concerns under the Code. Potential issues may include :

·       Breaches of client confidentiality,

·       Failure to exercise reasonable care in managing technology and data risks, and

·       honesty and integrity in dealings with clients. [emphasis added]

Whether a breach of the Code has occurred will depend on the specific facts and circumstances. Where non‑compliance is established, the TPB may consider sanctions in accordance with Subdivision 30‑D of the TASA.

So in summary – if you input client information into a US based LLM without client consent, you may be sanctioned under the TASA. Not to mention, the same act of sharing client information is likely to have repercussions under the Privacy Act 1988.

Logically there are four paths forward:

1)    Stop using AI altogether (as these are all based overseas).

2)    Bring in a policy within your firm to NOT input client information into foreign LLMs or Tax Research Software powered by foreign LLMs.

3)    Obtain the required client consent to allow the processing of client information overseas.

4)    Use AI Tax Research software that ensures client information never leaves Australia.

Elfworks is Option 4.

A local answer to a global problem

Elfworks now has over 500 accounting firms on the platform — including 15 of Australia’s Top 50 accounting firms as paying customers — and while productivity and accuracy were the initial drawcard, the key emerging point of difference for Elfworks is becoming the security of client information. Elfworks has in place a three-tiered approach to data security:

This three-tiered approach to data security is crucial as AI accounting solutions move into firm workflows through the development of Agentic AI. AI Agents in the accounting context are designed to handle client information for example the first wave of Elfworks agents, including the Client Structure Builder, Trust Resolution Drafter, and Year-End Tax Planner, perform complex, linked tasks using sensitive client information such as individual and entity names, trust deed information, details of trust financial performance for the year and distribution plans to beneficiaries.

As Elfworks uses an anonymisation process and sovereign, Australian-hosted models as part of our agentic AI processes, client data does not leave our jurisdiction. Accountants can use these tools without needing client permission for data to be stored overseas or to be subject to foreign laws that could compel disclosure.

The bottom line for Australian practitioners

As the TPB transitions from consultation to enforcement of its new AI guidelines, the stakes for Australian accounting firms have never been higher. It is only a matter of time before the Tax Practitioners Board starts to actively hold accountants to the standards in TPB(I) D62/2026.

Ultimately, it all starts with one simple question: Do you really know what happens to client information when you click submit?

Elfworks is built for Australian accounting firms that want AI they can trust with client data.

Visit elfworks.ai to start your free trial.