AICPA Sues FTC over Identity Theft Rule

Register now

The American Institute of CPAs has filed a lawsuit against the Federal Trade Commission challenging the applicability of the so-called “Red Flags Rule” to CPAs.

The lawsuit follows on the heels of the FTC’s recent decision to delay enforcement of the rule for the fourth time (see FTC Extends Deadline for ‘Red Flags’ ID Theft Rule). The rule, promulgated by the FTC in November 2007 to comply with the Fair and Accurate Credit Transactions Act of 2003, requires financial institutions and creditors to develop and implement written identity theft programs to help identify, detect and respond to patterns, practices or specific activities — known as “red flags” — that could indicate identity theft. It was originally set to take effect on Nov. 1, 2008, but after the latest extension, it is now set to become effective June 1, 2010.

The AICPA filed suit in the U.S. District Court for the District of Columbia seeking an injunction barring the FTC from applying the Red Flags Rule to CPAs, claiming the rule would impose onerous and unnecessary requirements on AICPA members. Its application to lawyers and law firms has already been blocked after a similar lawsuit was filed by the American Bar Association.

“We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” said AICPA president and CEO Barry Melancon in a statement. “As trusted advisors, CPAs are personally acquainted with their clients and already adhere to strict privacy requirements governing identifying information.”

The Red Flags Rule was mainly intended to apply to financial institutions and credit card companies, requiring them to develop and implement programs to detect and respond to activity that may signal identity theft. Under the FTC’s interpretation, the rule would apply to public accountants only because CPA firms typically bill clients for services rendered, thus technically qualifying them as a “creditor.”  However, the AICPA contends that public accountants do not provide financial services that would typically create identity theft risks for clients.

The AICPA’s complaint, filed by the law firm Fried, Frank, Harris, Shriver & Jacobson LLP, alleges that the FTC is exceeding its congressionally granted powers under the 2003 law by interpreting its Red Flags Rule to apply to accountants. The complaint alleges that the FTC has acted arbitrarily, capriciously, and contrary to law by failing to articulate a rational connection between the profession of public accounting and identity theft. The FTC failed to explain how the manner in which public accountants bill their clients in the normal course of business constitutes an extension of credit, according to the AICPA, adding that the FTC further failed to identify any legally supportable basis for applying the rule to accountants.

The AICPA’s lawsuit follows an Oct. 30 order by U.S. District Court Judge Reggie B. Walton in response to the American Bar Association’s lawsuit seeking to enjoin the FTC from applying its Red Flags Rule to practicing attorneys. Judge Walton granted the ABA’s motion in a partial summary judgment, holding that the FTC had exceeded its authority by interpreting the term “creditor” to include attorneys engaged in the practice of law. That same day, the FTC issued a press release announcing that it was delaying enforcement of the rule until June 1, 2010, a decision welcomed by the AICPA.

“The FTC made the right move in delaying implementation of the Red Flags Rule and we certainly still appreciate the commission’s continuing consideration of our request for a CPA exemption,” Melancon said.

A copy of the complaint filed by Fried Frank is available at

For reprint and licensing requests for this article, click here.