Red Flags Rule Guidance 

    Red Flag Program Clarification Act of 2010

    Following years of advocacy efforts and a legal battle, CPAs received a permanent exemption from the Federal Trade Commission’s Red Flags Rule with President Barack Obama’s signing of the Red Flag Program Clarification Act of 2010 on Saturday, December 18, 2010.

    In 2003, Congress passed legislation (Fair and Accurate Credit Transactions Act, or “FACTA”) intended to curb identity theft. Pursuant to this legislation, the FTC issued, on November 9, 2007, a "Red Flags" rule that requires “creditors” or “financial institutions” with “covered accounts” to implement a written identity theft prevention program to detect warning signs of identity theft in their day-to-day operations. Enforcement of the rule has been postponed numerous times—most recently until Dec. 31, 2010—since the original Nov. 1, 2008, effective date.

    “The AICPA is pleased Congress passed and the president has signed into law S. 3987, the Red Flag Program Clarification Act of 2010, amending the Fair Credit Reporting Act,” said AICPA President and CEO Barry Melancon in a statement. “The AICPA, with help from state CPA societies nationwide, worked tirelessly on this issue. The bill makes clear that CPAs and CPA firms are not classified as ‘creditors’ for the purposes of the FTC’s Red Flags Rule. CPAs and CPA firms often do not receive full payment from clients at the time services are rendered. That is not the same as a financial transaction like a bank loan or a credit card where ID theft is a risk. This legislation makes clear that a CPA's billing cycle isn’t an identity theft risk. This legislative fix to a burdensome regulation is a positive development in Washington.”

    While CPAs may be exempt from the Red Flags Rule, their clients may not be. Visit the Red Flags Rule Overview page for additional information which may be helpful when assisting clients.

    A CPA's Guide to Creating an Identity Theft Prevention Program

    While CPA firms may be exempt from the Red Flags Rule, their clients may not be. The following resources on the Red Flags Rule may be helpful when assisting clients.

    A Privacy Checklist for CPA Firms - This checklist gives CPA firms a practical illustration of selected Generally Accepted Privacy Principles (GAPP) to help them maintain privacy best practices within their organizations.


    Protecting Client Data: Is My Firm At Risk? - A simple checklist intended to quickly assess whether your firm is at risk of exposing your clients’ sensitive personal data.

    Additional Resources

    A list of additional resources on the Red Flags Rule and identity theft.

    Federal Trade Commission:
    Federal Register Notice
    The Red Flags Rule: Frequently Asked Questions
    FTC FACT Act Red Flags Rule Template  
    FTC Information Security Video Tutorial

    Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy
    Protecting Personal Information: 10 Steps a Business Can Follow to Avoid Identity Theft
    Preventing Identity Theft Throughout the Data Life Cycle
    AICPA/CPA Canada Generally Accepted Privacy Principles

    Copyright © 2006-2014 American Institute of CPAs.