CPAs Gain Statutory Exemption From Red Flags Rule


Following years of advocacy efforts and a legal battle, CPAs received a permanent exemption from the Federal Trade Commission’s Red Flags Rule with President Barack Obama’s signing of the Red Flag Program Clarification Act of 2010 on Saturday.


The Red Flags Rule, which was released Nov. 9, 2007, under the Fair and Accurate Credit Transactions Act of 2003, requires businesses and organizations within its scope to implement a written identity theft prevention program to detect warning signs of identity theft in their day-to-day operations. Enforcement of the rule has been postponed numerous times—most recently until Dec. 31, 2010—since the original Nov. 1, 2008, effective date.


The rule applies to what it calls “financial institutions” and “creditors.” However, according to the FTC Web site, the definition of “creditor” in the rule is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. As examples, the FTC says utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies may fall within the definition.


In August 2009 the AICPA asked the Federal Trade Commission (FTC) to exempt CPAs from certain provisions of its Red Flags Rule. When the exemption was not granted, the AICPA filed a lawsuit seeking to bar the FTC from applying the rule to CPAs. The Institute said the rule would “impose onerous and unnecessary requirements on AICPA members.”      


The lawsuit, filed in U.S. District Court for the District of Columbia, alleged that the FTC was exceeding its congressionally granted powers under the Fair and Accurate Credit Transactions Act of 2003 by seeking to apply the rule to accountants engaged in the practice of public accountancy.


“The AICPA is pleased Congress passed and the president has signed into law S. 3987, the Red Flag Program Clarification Act of 2010, amending the Fair Credit Reporting Act,” said AICPA President and CEO Barry Melancon in a statement. “The AICPA, with help from state CPA societies nationwide, worked tirelessly on this issue. The bill makes clear that CPAs and CPA firms are not classified as ’creditors‘ for the purposes of the [FTC’s] Red Flags Rule. CPAs and CPA firms often do not receive full payment from clients at the time services are rendered. That is not the same as a financial transaction like bank loan or a credit card where ID theft is a risk. This legislation makes clear that a CPA's billing cycle isn’t an identity theft risk. This legislative fix to a burdensome regulation is a positive development in Washington.”


Melancon thanked Sens. John Thune (R-S.D.), Mark Begich (D-Alaska) and Chris Dodd (D-Conn.) for their work in getting the bill passed and “making clear in Senate debate that congressional intent is the FTC’s Red Flags rule will not apply to accountants and other professional service providers.” He also applauded the bill’s authors, Reps. John Adler (D-N.J.), Mike Simpson (R-Idaho) and Paul Broun (R-Ga.), and Reps. Barney Frank (D-Mass.) and Spencer Bachus (R-Ala.) for bringing the bill to House consideration.


—Matthew G. Lamoreaux ( ) is a JofA senior editor.


More from the JofA:


 Find us on Facebook      Follow us on Twitter



Developing finance leaders

A good leader recognizes that part of the job is developing the next generation of leaders. Veronica McCann, CGMA, a former division CFO at Commerzbank in Singapore, shares tips on developing future finance leaders.


Belicia Cespedes: A CPA at 17

Through hard work and determination, Belicia Cespedes earned the credential before she was even eligible to vote.


How to audit high risk areas

Revenue recognition, internal control over financial reporting, accounting estimates and going concern are areas of audit that have emerged as particularly challenging and complex.