
Red Flags Rule: get ready to comply: FTC to begin enforcement Dec. 31.

The Federal Trade Commission will begin enforcement of its Red Flags Rule Dec. 31, 2010, for financial institutions and creditors subject to the FTC's jurisdiction, including CPA firms. Businesses that bill customers for sales or services after services have been performed, even in the normal course of a traditional billing process, are considered "creditors" under the current Red Flags Rule, which has yet to go into effect.

The following is a brief rundown of the new rule, how it affects CPAs and how CPAs can make sure they are in compliance.

ID Theft Protection

The Red Flags Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to detect the warning signs, or red flags, of identity theft in their day-to-day operations.

Who's Affected?

According to the AICPA, CPAs could become subject to the rule since recent interpretations from the FTC to other professional organizations, such as lawyers and physicians, indicate that a "creditor" includes "any entity that defers payments, even in the normal course of a traditional billing process." Thus, if a CPA bills clients monthly, this could be considered an extension of credit that would require the CPA to have an internal program subject to inspection and review designed to detect, prevent and mitigate client identity theft.

The rule initially became effective Jan. 1, 2008, with full compliance for all covered entities originally required by Nov. 1, 2008. The FTC has issued several Enforcement Policies delaying enforcement of the rule as Congress finalized legislation that would limit the scope of business covered.

Pending Legal Actions

The AICPA has a lawsuit (filed Nov. 10, 2009) pending in the United States District Court for the District of Columbia that seeks a bar against the application of the rule to CPAs and accounting firms. The AICPA's suit, in part, asserts that the FTC exceeded its statutory authority by extending the rule to regulate accountants and public accounting firms. The AICPA does not believe there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered.

Earlier this year, AICPA members in public accounting were granted a 90-day grace period from the date on which the U.S. Court of Appeals for the District of Columbia Circuit renders an opinion in the American Bar Association's case against the FTC. The FTC's appeal on the ABA case is pending in the Circuit Court.

What a Plan Looks Like

According to the Red Flags Rule, an identity-theft prevention program must:

* Include reasonable policies and procedures to identify the red flags of identity theft you may run across in the day-to-day operation of your business. For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a red flag for your business.

* Be designed to detect the red flags you've identified. For example, if you've identified fake IDs as a red flag, you must have procedures to detect possible fake, forged or altered identification.

* Spell out appropriate actions you'll take when you detect red flags.

* Address how you will re-evaluate the program periodically to reflect new risks.

Further, a board of directors (or a board committee) must approve the first written program. If you don't have a board, approval is up to an appropriate senior-level employee. The program also must state who's responsible for its implementation and administration.

Because employees have a role in preventing and detecting identity theft, the program must include appropriate staff training. If you outsource or subcontract parts of your operations that would be covered by the rule, your program must address how you'll monitor your contractors' compliance.

Information compiled from the FTC and AICPA.

More Resources:

Red Flags Rule Text

FTC Resources

Red Flags Rule Main Page

A How-To Guide for Business

Fighting Fraud with the Red Flags Rule: A How-To Guide for Business

AICPA Resources

CPAs Guide to Creating an Identity Theft Program

Identity Theft Prevention Program Template

A Privacy Checklist for CPA Firms

Protecting Client Data
COPYRIGHT 2010 California Society of Certified Public Accountants
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2010 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:RegulatoryIssues
Publication:California CPA
Geographic Code:1USA
Date:Oct 1, 2010