AICPA Suit Seeks to Shield CPAs From 'Red Flags Rule'

The AICPA filed a has filed a lawsuit seeking an injunction barring the Federal Trade Commission (FTC) from applying its so-called "Red Flags Rule" to CPAs.

“We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” AICPA President and CEO Barry Melancon said in a statement. “As trusted advisors, CPAs are personally acquainted with their clients and already adhere to strict privacy requirements governing identifying information.”

The rule was designed to help prevent identity theft and was promulgated under the Fair and Accurate Credit Transactions Act of 2003, but has been repeatedly delayed and most recently was blocked by court order on Oct. 30 insofar as it would apply to lawyers and law firms. It requires financial institutions and credit card companies to develop and implement programs to detect and respond to activity that may signal identity theft. In the FTC’s interpretation, the rule would apply to public accountants only because CPA firms typically bill clients for services rendered, thus technically qualifying as a “creditor.” Public accountants do not provide financial services that would typically create identity theft risks for clients.

The AICPA’s complaint alleges that the FTC is exceeding its congressionally granted powers and alleges that the FTC "has acted arbitrarily, capriciously, and contrary to law by failing to articulate a rational connection between the profession of public accounting and identity theft ....  The FTC further failed to identify any legally supportable basis for applying the rule to accountants."