In 2003, Congress passed legislation intended to curb identity theft (the Fair and Accurate Credit Transactions Act, or FACT Act), and the Federal Trade Commission (FTC) subsequently issued a "Red Flags" Rule that requires creditors and financial institutions holding covered accounts to have written programs in place to identify, detect and respond to the warning signs ("red flags") of identity theft. CPAs could become subject to the FTC's Red Flags Rule, since recent FTC interpretations issued to other professional organizations (lawyers, physicians) indicate that a "creditor" includes "any entity that defers payments, even in the normal course of a traditional billing process". Thus, if a CPA bills clients monthly, this could be considered an extension of credit that would require the CPA to have an internal program, subject to inspection and review, designed to detect, prevent and mitigate client identity theft.
The AICPA and many state CPA societies continue to seek an exemption for CPAs and have written letters to the FTC (with copies to Members of Congress) requesting such an exemption, based on the fact that CPAs are already required, through state laws, professional codes of conduct and IRS regulations, to maintain client confidentiality such that identity theft is very unlikely.
At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the "Red Flags" Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC. The Rule had been due to take effect on November 1, 2009; this is the latest of several delays. In anticipation of enforcement, the AICPA developed a practice guide for members, which provides guidance on developing an Identity Theft Prevention Program (ITPP) as required by the FTC's Red Flags Rule.
Firms can use the template as a starting point to set up their ITPP, but it must be tailored to reflect the firm's business situation. In addition to internal use, CPA firms can use this template to guide their clients in setting up an ITPP. Beyond adhering to the Red Flags Rule, firms should have methods in place to protect their clients' files and data.
Introduction to the Red Flags Rule– An overview of the Red Flags Rule and the requirements of an identity theft prevention program.
Identity Theft Prevention Program Template – A template for a firm to use to create a written identity theft prevention program.
A Privacy Checklist for CPA Firms - This checklist provides CPA firms with practical illustrations of selected Generally Accepted Privacy Principles (GAPP) in order to maintain privacy best practices within organizations.
Protecting Client Data: Is My Firm At Risk? - A simple checklist intended to quickly assess whether your firm is at risk of exposing your clients’ sensitive personal data.
Protecting Confidential Client Data (PowerPoint) – A sample PowerPoint presentation that CPAs can use to educate their clients, employees, and/or firm management regarding the proper handling of sensitive digital information and the effective use of security technology to help reduce risk.
ADDITIONAL RESOURCES - A list of additional resources on the Red Flags Rule and Identity Theft.
Federal Trade Commission
Federal Register Notice
Fighting Fraud With the Red Flags Rule: A How to Guide for Business
The Red Flags Rule: Frequently Asked Questions
FTC FACT Act Red Flags Rule Template
Internal Revenue Service
Identity Theft: What CPAs Need to Know
CPA State Societies
Identity Theft – What a CPA Needs to Know
Identity Theft Toolkit — Information and Resources for Protection and Prevention
Other Organizations
Risk Alert: Red Flags Rule Raises the Stakes on Identity Theft
NetProtect® Risk Control Bulletin
Identity Theft and the Public Accounting Firm
AICPA
Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy
Protecting Personal Information: 10 Steps a Business Can Follow to Avoid Identity Theft
Preventing Identity Theft Throughout the Data Life Cycle
Help Prevent Identity Theft
AICPA/CICA Generally Accepted Privacy Principles