Red Flags Rule: get ready to comply: FTC to begin enforcement Dec. 31.
The Federal Trade Commission will begin enforcement of its Red Flags Rule Dec. 31, 2010, for financial institutions and creditors subject to the FTC's jurisdiction, including CPA firms. Businesses that bill customers for sales or services after services have been performed, even in the normal course of a traditional billing process, are considered "creditors" under the current Red Flags Rule that has yet to go into effect.
The following is a brief rundown of the new rule, how it affects CPAs and how CPAs can make sure they are in compliance.
ID Theft Protection
The Red Flags Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to detect the warning signs, or red flags, of identity theft in their day-to-day operations.
According to the AICPA, CPAs could become subject to the rule since recent interpretations from the FTC to other professional organizations, such as lawyers and physicians, indicate that a "creditor" includes "any entity that defers payments, even in the normal course of a traditional billing process." Thus, if a CPA bills clients monthly, this could be considered an extension of credit that would require the CPA to have an internal program subject to inspection and review designed to detect, prevent and mitigate client identity theft.
The rule initially became effective Jan. 1, 2008, with full compliance for all covered entities originally required by Nov. 1, 2008. The FTC has issued several Enforcement Policies delaying enforcement of the rule as Congress finalized legislation that would limit the scope of business covered.
Pending Legal Actions
The AICPA has a lawsuit (filed Nov. 10, 2009) pending in the United States District Court for the District of Columbia that seeks a bar against the application of the rule to CPAs and accounting firms. The AICPA's suit, in part, asserts that the FTC exceeded its statutory authority by extending the rule to regulate accountants and public accounting firms. The AICPA does not believe there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered.
Earlier this year, AICPA members in public accounting were granted a 90-day grace period from the date on which the U.S. Court of Appeals for the District of Columbia Circuit renders an opinion in the American Bar Association's case against the FTC. The FTC's appeal on the ABA case is pending in the Circuit Court.
What a Plan Looks Like
According to the Red Flags Rule, an identity-theft prevention program must:
* Include reasonable policies and procedures to identify the red flags of identity theft you may run across in the day-to-day operation of your business. For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a red flag for your business.
* Be designed to detect the red flags you've identified. For example, if you've identified fake IDs as a red flag, you must have procedures to detect possible fake, forged or altered identification.
* Spell out appropriate actions you'll take when you detect red flags.
* Address how you will re-evaluate the program periodically to reflect new risks.
Further, a board of directors (or a board committee) must approve the first written program. If you don't have a board, approval is up to an appropriate senior-level employee. The program also must state who's responsible for its implementation and administration.
Because employees have a role in preventing and detecting identity theft, the program must include appropriate staff training. If you outsource or subcontract parts of your operations that would be covered by the rule, your program must address how you'll monitor your contractors' compliance.
Information compiled from the FTC and AICPA.
Red Flags Rule Text
Red Flags Rule Main Page
A How-To Guide for Business
Fighting Fraud with the Red Flags Rule: A How-To Guide for Business
CPAs Guide to Creating an Identity Theft Program
Identity Theft Prevention Program Template
A Privacy Checklist for CPA Firms
Protecting Client Data
Date: Oct 1, 2010