The AICPA on Tuesday asked the Federal Trade Commission (FTC) to exempt CPAs from certain provisions of its Red Flags Rule to prevent identity theft. The current action by the AICPA follows an FTC announcement last week that it would delay enforcement of the rule until Nov. 1.
The Red Flags Rule, which was released Nov. 9, 2007, under the Fair and Accurate Credit Transactions Act of 2003, requires businesses and organizations within its scope to implement a written identity theft prevention program to detect warning signs of identity theft in their day-to-day operations. Enforcement of the rule has been postponed three times since the original Nov. 1, 2008, effective date.
The rule applies to what it calls “financial institutions” and “creditors.” However, according to the FTC Web site, the definition of “creditor” in the rule is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. As examples, the FTC says utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies may fall within the definition.
“We are concerned with the potentially broad application of the Red Flags Rule to the accounting profession, and do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” wrote AICPA CEO Barry Melancon in an Aug. 4 letter to the FTC.
Melancon pointed out that CPAs are personally acquainted with their clients and adhere to strict privacy requirements related to identifying information. “We suggest that the likelihood of misrepresentation or theft of one’s identity is so low that the burdens associated with the Rules’ requirements outweigh the benefits,” he wrote.
The AICPA has also asked state CPA societies to write to the FTC and to their representatives in Congress about this issue.
—Matthew G. Lamoreaux is a JofA senior editor. His e-mail address is firstname.lastname@example.org.