CPAs have won yet another reprieve on the “Red Flags Rule” front.
You remember the rule, right? In the words of the Federal Trade Commission, it requires certain creditors and financial institutions to “develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities -– known as ‘red flags’ — that could indicate identity theft.”
The rule has been a thorn in the side of CPAs and other professionals for a while now, and why? “CPAs are already required, through state laws, professional codes of conduct and IRS regulations, to maintain client confidentiality such that identity theft is very unlikely.” That’s a direct quote from the AICPA’s Information Technology Center.
In light of such arguments, the FTC has offered several extensions on the deadline to comply, with the current deadline set for June 1, 2010.
CPAs, though, will get some additional time.
The U.S. District Court for the District of Columbia has ordered the FTC to delay enforcement of the rule with respect to AICPA members in public practice. The 90-day delay will begin once an appeals court rules on a related lawsuit brought by the American Bar Association against the FTC.
The ABA sued the FTC in 2009 over enforcement of the rule for attorneys and won its case. The FTC appealed that decision in March and is awaiting the appeals court’s ruling.
Speaking of lawsuits, the AICPA filed one of its own in late 2009 seeking to bar the FTC from applying the rule to CPAs. That lawsuit is still pending.
“We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” AICPA President and CEO Barry Melancon said at the time. “As trusted advisors, CPAs are personally acquainted with their clients and already adhere to strict privacy requirements governing identifying information.”
As always, our thanks to the AICPA for keeping us abreast of developments with the “Red Flags Rule.” We’ll keep you posted on updates to the rule, but in the meantime, check out these related resources:
- FTC “Red Flag Rule” resources
- AICPA guide for creating an identity theft prevention program
- Protect your data … or pay the price (an MACPA podcast featuring Marilyn Prosch, an associate professor in the Department of Information Systems Management at Arizona State University)
- Preventing identity theft throughout the data life cycle, a JofA article written by Prosch
- Outsourcing and privacy: 10 critical questions top management should ask, a Statement article written by Prosch