Following years of advocacy efforts and a legal battle, CPAs received a permanent exemption from the Federal Trade Commission’s Red Flags Rule with President Barack Obama’s signing of the Red Flag Program Clarification Act of 2010 on Saturday.

The Red Flags Rule, which was released Nov. 9, 2007, under the Fair and Accurate Credit Transactions Act of 2003, requires businesses and organizations within its scope to implement a written identity theft prevention program to detect warning signs of identity theft in their day-to-day operations. Enforcement of the rule has been postponed numerous times—most recently until Dec. 31, 2010—since the original Nov. 1, 2008, effective date.

The rule applies to what it calls “financial institutions” and “creditors.” However, according to the FTC Web site, the definition of “creditor” in the rule is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. As examples, the FTC says utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies may fall within the definition.

In August 2009 the AICPA asked the Federal Trade Commission (FTC) to exempt CPAs from certain provisions of its Red Flags Rule. When the exemption was not granted, the AICPA filed a lawsuit seeking to bar the FTC from applying the rule to CPAs. The Institute said the rule would “impose onerous and unnecessary requirements on AICPA members.”

The lawsuit, filed in U.S. District Court for the District of Columbia, alleged that the FTC was exceeding its congressionally granted powers under the Fair and Accurate Credit Transactions Act of 2003 by seeking to apply the rule to accountants engaged in the practice of public accountancy.

“The AICPA is pleased Congress passed and the president has signed into law S. 3987, the Red Flag Program Clarification Act of 2010, amending the Fair Credit Reporting Act,” said AICPA President and CEO Barry Melancon in a statement. “The AICPA, with help from state CPA societies nationwide, worked tirelessly on this issue. The bill makes clear that CPAs and CPA firms are not classified as ’creditors‘ for the purposes of the [FTC’s] Red Flags Rule. CPAs and CPA firms often do not receive full payment from clients at the time services are rendered. That is not the same as a financial transaction like bank loan or a credit card where ID theft is a risk. This legislation makes clear that a CPA’s billing cycle isn’t an identity theft risk. This legislative fix to a burdensome regulation is a positive development in Washington.”

Melancon thanked Sens. John Thune (R-S.D.), Mark Begich (D-Alaska) and Chris Dodd (D-Conn.) for their work in getting the bill passed and “making clear in Senate debate that congressional intent is the FTC’s Red Flags rule will not apply to accountants and other professional service providers.” He also applauded the bill’s authors, Reps. John Adler (D-N.J.), Mike Simpson (R-Idaho) and Paul Broun (R-Ga.), and Reps. Barney Frank (D-Mass.) and Spencer Bachus (R-Ala.) for bringing the bill to House consideration.

—Matthew G. Lamoreaux