FTC Delays Red Flags Enforcement Yet Again
I missed this when it hit the newswires two weeks ago, but the FTC has delayed enforcement of the Red Flags Rule. This change was in response to the American Bar Association successfully suing the FTC and being granted an injunction to prevent the Red Flags Rule being applied to lawyers.
Similarly, the American Institute of CPAs (AICPA) is now also suing the FTC to also get injunctive relief from having to comply with the Red Flags Rule as well.
“We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” said AICPA president and CEO Barry Melancon in a statement. “As trusted advisors, CPAs are personally acquainted with their clients and already adhere to strict privacy requirements governing identifying information.”
The current AICP requirements [link to http://infotech.aicpa.org/NR/rdonlyres/3B82B216-9576-4755-8431-0E942B40513C/0/CPA_Firms_Privacy_Checklist.pdf no longer works] are pretty much inline with most of the security requirements of the Red Flags Rule already. So really what the AICP is telling us is that they really care about our privacy but they can’t be bothered to monitor their own systems for abuse or loss of our information. I guess they don’t really care after all.
Adding a federal regulation on top of practices imposes costs. Let’s require them to tell the FTC how often problems are reported to them, and the resolutions. Then if it turns out that there’s a real issue, we can think about ‘do we need red flag rules’ in place.
I can understand why lawyers want a certain exception – client attorney privilege needs to be thought out.
But why accountants? If anything, their access would make them ideally suited to pursuing the programme, in both a positive and negative sense.
So they should presumably craft an alternate. Maybe this is their opening gambit?