Accounting and other professional firms are now exempt from the Red Flags rule issued by the Federal Trade Commission (FTC) in 2007. But all other businesses and nonprofits that extend credit or hold accounts that might be subject to identity theft were required to be in compliance as of December 31, 2010.
Enforcement of the rule has been delayed for years, in part, because of lawsuits brought by the American Institute of Certified Public Accountants (AICPA) and other groups. The language of Red Flag Program Clarification Act of 2010 signed by the president on December 20 narrowed the definition of creditor to exclude professional firms that often do not receive full payment at the time the service is rendered. The AICPA and the American Bar Association dropped their lawsuits, leaving the FTC free to enforce the rule.
The Red Flags rule requires creditors or financial institutions with covered accounts to implement a written identity-theft prevention program. The program should identify and detect signs of identity theft in a client's normal course of business and spell out appropriate actions they will take when they detect red flags. Creditors would include entities that loan money, such as banks, finance companies, automobile dealers, and mortgage brokers, but many other businesses and nonprofits also will be subject to the rule.
"Accountants need to raise awareness of the Red Flags rule for the possibility of identity theft among their clients. While clients do need to focus on this requirement, from what I have seen, not many are making this any kind of a priority, except entities like financial institutions that are already highly regulated", Elsie Rose, partner at Yount, Hyde & Barbour P.C. in Glen Allen, Virginia, told AccountingWEB.
"Two additional areas that need attention, for example, could be nonprofits and employee benefit plans that allow for participant loans, where there may be some exposure", Rose said. "We should be communicating with our clients on a regular basis to make them more aware of the identify theft and Red Flag rules. Clients can benefit from compliance just by being able to say to their customers, 'we are doing everything we can to protect your identity.'
"I think that when clients understand the risk reduction, they are more willing to incorporate procedures and adopt policies", Rose said. "Our firm has included comments in management letters about the need to evaluate risks and consider adopting policies and procedures to comply. We have sent brochures to clients and written articles on fraud occurrence and deterrence that incorporate best practices and risk reduction. Our firm also did a risk management seminar with a law firm for small business owners and included Red Flags compliance in our presentation."
Helping clients create their Red Flags program can be part of the audit process.
"CPAs are in the best position to assist clients to prepare their Red Flags program, to identify the areas in their business where they are vulnerable to identity theft", Rose said. "Often in the course of a transaction walk-through, you can say you already have A, B, C in place, and you can incorporate some changes and improve the process in this way to help meet the Red Flags requirements.
"While in some cases it is easy to identify an area where a policy and monitoring are incorporated with little effort – for example, confidentiality of social security numbers and access to information – other areas are more difficult to detect. For example, suspicious activity on a customer account or changes in customer charges and collection patterns", Rose said.
"With private schools that provide tuition financing and financial aid, it is easy to identify the parents and students who might be vulnerable to identity theft. It could be more difficult to identify the red flags with other clients and businesses, due to the complexity and types of services they offer", Rose said. "Clients may decide to create the Red Flags program themselves but they may come to us and ask us if we see any holes or opportunities for strengthening controls."
There is still some confusion about the meaning of creditor despite changes in the Red Flag Program Clarification Act of 2010. The act states that a creditor is:
one who regularly extends, renews, or continues credit; regularly arranges for extension, renewal, or continuation of credit; or is assignee of an original creditor that participates in the decision to extend, renew, or continue credit –
and who also
regularly and in ordinary course of business:
- obtains or uses consumer reports directly or indirectly in connection with a credit transaction;
- furnishes information to consumer reporting agencies in connection with a credit transaction; or
- advances funds to or on behalf of a person based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person (except for advancement of funds for "expenses incidental to a service provided by the creditor to that person");
 is any other type of section 702 creditor that the agency determines is appropriate by regulation because it offers or maintains accounts that are subject to a "reasonably foreseeable risk" of identity theft.
Even if a business does not use or furnish information to consumer reporting agencies, that business may be subject to the Red Flags rule because it "offers or maintains accounts that are subject to a "reasonably foreseeable risk" of identity theft." The FTC Web site has a note that it is revising its site to reflect the change in the law.
Penalties can be as high as $3,500 for each individual account that is not protected by a Red Flags program – $2,500 for noncompliance at the federal level and $1,000 at the state level.
"The AICPA was successful in getting CPAs exempt in December 2010, but I can assure you that our firm is very focused on client identity protection, and existing policies are designed to protect our clients", Rose said. "We are still employing best practices to avoid identity theft. I view the win here as not being subject to the regulation and having a federal agency with access and enforcement responsibilities able to come in at any time."
Some useful links that accountants could forward to clients include:
- The FTC: Fighting Fraud with the Red Flags Rule: A How-to Guide for Business | BCP Business Center
- The AICPA: Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy
- World Privacy Forum
- Financial Industry Regulatory Authority: FINRA - FTC Red Flags Rule