CPAs: Red Flag Rules Shouldn't Apply to Us

Lora Bentley

The Federal Trade Commission's Red Flag Rules are in compliance news again, if only because the American Institute of Certified Public Accountants has asked to be exempt from them. Designed to prevent identity theft, the rules require financial institutions to develop and implement processes for detecting and reporting warning signs of the fraud before it happens.


According to Compliance Week, AICPA President Barry Melancon is asking the FTC to exempt CPAs and accounting firms from the requirements because they already implement privacy practices that help prevent identity theft. Therefore, they are already at low risk for that particular crime. AICPA senior technical manager, Nancy Cohen explained, "We know our clients. CPAs know who comes to their office." Banks and insurance companies, on the other hand, often do not.


Other professional organizations whose members bill for services rather than requiring payment at the time of service have made similar arguments, writer Tammy Whitehouse says. The FTC has promised additional guidance in the future regarding how the rules should be applied..

Add Comment      Leave a comment on this blog post
Aug 19, 2009 6:43 AM Teo Leonard Teo Leonard  says:

The thought of CPAs, along with Attorneys, arguing exemption from a rule that is designed to stop the effects of ID theft is pretty ridiculous.  The reality is that the leadership of the ABA and the AICPA don't get what the Red Flags Rule is about.

Both organizations argue that Identity Theft does not happen in their industry, yet they ignore that Identity Fraud, which this rule is designed to stop, does.  Last year, over 530,000 ID Theft victims had fraudulent tax returns filed on their behalf using fraudulent documents and ids.  A CPA applying the Red Flags Rule would have avoided the majority of these returns if not all by following a process that takes than a minute per client.

The number involving attorneys is even more staggering.  Last year approximately 700,000 ID Theft victims had fraudulent acts perpetrated on them via attorneys services.  This included fraudulent wills, trusts, corporation, criminal defense and real estate.

It is frightening that two of the largest business organizations in the US, who deal with our personal and financial data, do not want to take a part in fighting ID Fraud. 

The damage on the victims is catastrophic and is nearly impossible to repair.  Perhaps when an attorney starts suing the businesses who assist in the fraud for damages, then will these groups step up to the plate.

Sep 12, 2009 8:47 AM Barry Morgan Barry Morgan  says: in response to Teo Leonard

What process only takes a minute?

Sep 25, 2009 4:01 AM Teo Leonard Teo Leonard  says: in response to Barry Morgan

Hi Barry,

The process of verifying an identity and following a Red Flags Rule policy only takes a minute when you are setting up a client file.

The time to setup a Red Flags Rule policy varies greatly. has an Identity Theft Prevention Program they generate for their customers such as CPAs and Attorneys, and their program takes on average about 10-15 minutes per firm to generate the policy.

All you have to do is follow it.


Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.