Red Flags compliance: How accountants can help their clients

Accounting and other professional firms are now exempt from the Red Flags rule issued by the Federal Trade Commission (FTC) in 2007. But all other businesses and nonprofits that extend credit or hold accounts that might be subject to identity theft were required to be in compliance as of December 31, 2010.

Enforcement of the rule has been delayed for years, in part, because of lawsuits brought by the American Institute of Certified Public Accountants (AICPA) and other groups. The language of Red Flag Program Clarification Act of 2010 signed by the president on December 20 narrowed the definition of creditor to exclude professional firms that often do not receive full payment at the time the service is rendered. The AICPA and the American Bar Association dropped their lawsuits, leaving the FTC free to enforce the rule.
 
The Red Flags rule requires creditors or financial institutions with covered accounts to implement a written identity-theft prevention program. The program should identify and detect signs of identity theft in a client's normal course of business and spell out appropriate actions they will take when they detect red flags. Creditors would include entities that loan money, such as banks, finance companies, automobile dealers, and mortgage brokers, but many other businesses and nonprofits also will be subject to the rule.
 
"Accountants need to raise awareness of the Red Flags rule for the possibility of identity theft among their clients. While clients do need to focus on this requirement, from what I have seen, not many are making this any kind of a priority, except entities like financial institutions that are already highly regulated," Elsie Rose, partner at Yount, Hyde & Barbour P.C. in Glen Allen, Virginia, told AccountingWEB.
 
"Two additional areas that need attention, for example, could be nonprofits and employee benefit plans that allow for participant loans, where there may be some exposure," Rose said. "We should be communicating with our clients on a regular basis to make them more aware of the identify theft and Red Flag rules. Clients can benefit from compliance just by being able to say to their customers, 'we are doing everything we can to protect your identity.'
 
"I think that when clients understand the risk reduction, they are more willing to incorporate procedures and adopt policies," Rose said. "Our firm has included comments in management letters about the need to evaluate risks and consider adopting policies and procedures to comply. We have sent brochures to clients and written articles on fraud occurrence and deterrence that incorporate best practices and risk reduction. Our firm also did a risk management seminar with a law firm for small business owners and included Red Flags compliance in our presentation."
 
Helping clients create their Red Flags program can be part of the audit process.
 
"CPAs are in the best position to assist clients to prepare their Red Flags program, to identify the areas in their business where they are vulnerable to identity theft," Rose said. "Often in the course of a transaction walk-through, you can say you already have A, B, C in place, and you can incorporate some changes and improve the process in this way to help meet the Red Flags requirements.
 
"While in some cases it is easy to identify an area where a policy and monitoring are incorporated with little effort – for example, confidentiality of social security numbers and access to information – other areas are more difficult to detect. For example, suspicious activity on a customer account or changes in customer charges and collection patterns," Rose said.
 
"With private schools that provide tuition financing and financial aid, it is easy to identify the parents and students who might be vulnerable to identity theft. It could be more difficult to identify the red flags with other clients and businesses, due to the complexity and types of services they offer," Rose said. "Clients may decide to create the Red Flags program themselves but they may come to us and ask us if we see any holes or opportunities for strengthening controls."
 
There is still some confusion about the meaning of creditor despite changes in the Red Flag Program Clarification Act of 2010. The act states that a creditor is:
 
one who regularly extends, renews, or continues credit; regularly arranges for extension, renewal, or continuation of credit; or is assignee of an original creditor that participates in the decision to extend, renew, or continue credit –
 
and who also
 
regularly and in ordinary course of business:
  • obtains or uses consumer reports directly or indirectly in connection with a credit transaction;
  • furnishes information to consumer reporting agencies in connection with a credit transaction; or
  • advances funds to or on behalf of a person based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person (except for advancement of funds for "expenses incidental to a service provided by the creditor to that person");
or
 
[2] is any other type of section 702 creditor that the agency determines is appropriate by regulation because it offers or maintains accounts that are subject to a "reasonably foreseeable risk" of identity theft.
 
Even if a business does not use or furnish information to consumer reporting agencies, that business may be subject to the Red Flags rule because it "offers or maintains accounts that are subject to a "reasonably foreseeable risk" of identity theft." The FTC Web site has a note that it is revising its site to reflect the change in the law.
 
Penalties can be as high as $3,500 for each individual account that is not protected by a Red Flags program – $2,500 for noncompliance at the federal level and $1,000 at the state level.
 
"The AICPA was successful in getting CPAs exempt in December 2010, but I can assure you that our firm is very focused on client identity protection, and existing policies are designed to protect our clients," Rose said. "We are still employing best practices to avoid identity theft. I view the win here as not being subject to the regulation and having a federal agency with access and enforcement responsibilities able to come in at any time."
 
Some useful links that accountants could forward to clients include:

You may like these other stories...

It's not a reality—yet—but accounting software is poised to eliminate accountants. We are at a tipping point for many similar professions: online education replacing professors, legal software replacing...
Inversions: Loophole Is the ProblemJacob J. Lew, the U.S. Treasury Secretary, published an opinion piece in the Wall Street Journal that "the system has become full of inefficiencies and special-interest loopholes. That...
School tax breaks get House support as Democrats objectRichard Rubin of Bloomberg reported that the House of Representatives on Thursday voted to expand and simplify tax breaks for education as Republicans continue to pass...

Upcoming CPE Webinars

Jul 31
In this session Excel expert David Ringstrom helps beginners get up to speed in Microsoft Excel. However, even experienced Excel users will learn some new tricks, particularly when David discusses under-utilized aspects of Excel.
Aug 5
This webcast will focus on accounting and disclosure policies for various types of consolidations and business combinations.
Aug 20
In this session we'll review best practices for how to generate interest in your firm’s services.
Aug 21
Meet budgets and client expectations using project management skills geared toward the unique challenges faced by CPAs. Kristen Rampe will share how knowing the keys to structuring and executing a successful project can make the difference between success and repeated failures.