CPAs Win Exemption From Identity Theft Rules

CPAs are now exempt from new federal requirements for written identity theft protection programs. The Federal Trade Commission’s so-called “red flags rule” requires creditors to develop programs to detect and respond to potential identity theft. The FTC had defined creditors as those who accept payment after services are provided, on a delayed basis. That interpretation covered not only CPAs, but also attorneys, health care providers and other professionals.

The AICPA, American Medical Association and American Bar Association lobbied heavily to change the legislation, which has a Dec. 31 enforcement date. Congress changed the definition of creditor in legislation that President Obama signed Dec. 18. Called the Red Flag Program Clarification Act of 2010, it exempts businesses that “advance funds on behalf of a person for expenses incidental to a service provided.”

Under the new exemption law, the rule only applies to organizations that use consumer reports in connection with credit transactions, provide information to consumer reporting agencies or loan money.

“The AICPA, with help from CPA state societies nationwide, worked tirelessly on this issue,” said AICPA president and CEO Barry Melancon in a statement. “The bill makes clear that CPAs and CPA firms are not classified as ‘creditors’ for the purposes of the Federal Trade Commission’s Red Flags Rule. CPAs and CPA firms often do not receive full payment from clients at the time services are rendered. That is not the same as a financial transaction like a bank loan or a credit card where ID theft is a risk.”