FTC Extends Deadline for ‘Red Flags’ ID Theft Rule

The Federal Trade Commission has once again extended the deadline for enforcing the so-called “Red Flags Rule” that requires financial institutions and creditors to develop identity theft prevention programs.

The rule, which was set to go into effect on Nov. 1, 2009, was extended to June 1, 2010, at the request of members of Congress. The rule was originally promulgated as part of the Fair and Accurate Credit Transactions Act. Under the rule, Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices or specific activities — known as “red flags” — that could indicate identity theft.

The rule was originally set to go into effect on Nov. 1, 2008, but this is the fourth time the deadline for enforcing the rule has been extended.

The American Institute of CPAs has asked the FTC to exempt CPAs from certain provisions of the Red Flags Rule. “We are concerned with the potentially broad application of the Red Flags Rule to the accounting profession, and do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” AICPA president and CEO Barry Melancon wrote to the FTC in August (see Data Breaches a Worry at CPA Firms Too). He pointed out that the burdens associated with the rule’s requirements outweigh the risks. The AICPA is asking state CPA societies to also write to the FTC and ask for the exemption.

Melancon welcomed the FTC's latest decision to delay implementation of the rule. “The FTC made an appropriate decision in delaying implementation of the Red Flags Rule and we appreciate the commission’s continuing consideration of our request for a CPA exemption,” said Melancon in a statement. “We are concerned about the potentially broad application of the Red Flags Rule to the accounting profession. As trusted advisors, CPAs are personally acquainted with their clients and adhere to strict privacy requirements over identifying information.”

On Oct. 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys.

The FTC staff has provided guidance on the rule, including materials posted on a Red Flags Rule site (www.ftc.gov/redflagsrule). The FTC has also published a compliance guide for businesses, and created a template that enables low-risk organizations to create an identity theft program via an online form.