Advisory Opportunity Emerges for CFEs

By Robert Tie



A new era in federal anti-identity-theft regulation began Dec. 18, when President Barack Obama signed into law the Red Flag Program Clarification Act of 2010.

This article explains how, for Certified Fraud Examiners (CFEs), the legislation has turned a potential compliance obligation into a noteworthy practice niche — advising entities and individuals subject to the Federal Trade Commission’s Red Flags Rule.

Under the FTC regulation, certain financial institutions and creditors must implement policies and procedures for detecting and addressing foreseeable risks — “red flags” — of identity theft they may encounter in daily business operations. (The FTC resource links below provide details.)

The rule technically has been in effect since Nov. 1, 2008. But now, with passage of the Clarification Act, federal regulators have begun to enforce it. The FTC, the National Credit Union Administration and the federal bank regulatory agencies administer the rule.


CFEs, CPAs, attorneys, physicians and other professionals typically grant their clients credit for the brief period between issuance and payment of an invoice.

They, and most observers, have distinguished this practice from that of an entity whose service innately — not incidentally — consists of granting credit, such as banks, credit unions and other lenders.

Nevertheless, the FTC has disagreed by saying that such professional businesses are subject to the Red Flags Rule.

The American Bar Association, the American Institute of Certified Public Accountants and the American Medical Association, among other groups, filed class action suits and intensively lobbied against the rule’s credit clause. Congress eventually passed the new legislation, which exempts from the rule any creditor — such as a CFE — who “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”


Don’t expect guidance on exactly which risks to address; they can vary widely among types of organizations and industries. Instead, the FTC spells out the essential features of an effective compliance plan:
Every organization subject to the rule is required to develop, implement and administer an identity theft prevention program, which must:

  • Include policies and procedures to identify the types of potential indications of identity theft that may be observed during the business’s normal activities
  • Be designed to detect the kinds of red flags the organization’s compliance program identifies (for example, warnings from victims, law enforcement, insurers, or credit reporting agencies of possible identity theft; or suspicious-looking business documents, personal identification information, or activities)
  • Say exactly what the organization will do when it detects red flags
  • Specify how the organization will periodically reassess the program to ensure its ongoing ability to address new methods and indications of identity theft


According to survey results released in October 2010 by KPMG LLP’s Audit Committee Institute, only 58 percent of 1,200 responding audit committee members said they were satisfied with the quality of fraud risk-related information they receive from management. Respondents rated the usefulness of information they received on fraud risk second to lowest of 11 types of risk to which enterprises are exposed.

In the vast majority of cases, of course, management is not withholding information from the audit committee; managers themselves often have inadequate knowledge of the fraud-related risks their organizations face.

So, various stakeholders throughout the enterprise want more effective methods for identifying and mitigating fraud risks. But their enthusiasm can wane when such benefits seem dwarfed by the costs — economic and otherwise — of obtaining them.

Take, for example, identity theft — the focus of the Red Flags Rule. The FTC has reported that as many as 9 million Americans have their identity stolen each year.

“The consequences of this crime are often disastrous for individuals and businesses victimized by it,” said Hubert Klein, CFE, CPA, a partner in the Hackensack, N.J., office of EisnerAmper, a Northeast regional accounting firm. Klein specializes in forensic accounting and litigation support.

“While the FTC rule responds to this crisis, it places an additional administrative burden on an organization,” Klein added. “And the non-compliance penalties are stiff.”

The rule allows the FTC to bring an enforcement action against a business that does not enact the rule’s requirements in a timely or proper fashion.

There is a $2,500 penalty, Klein said, for each violation of the rule — every time stolen data flows undetected through a business system but would have been detected if the organization had an effective identity theft prevention program.

“Say someone stole John Smith’s credit card information and fraudulently used it to execute 10 transactions with Jones Electrical Supplies,” Klein said. “When that fraud comes to light, the FTC could fine Jones $25,000 for those 10 violations. In the case of a large online retailer, the violations — and the fines — could escalate far beyond five digits.”

But, he added, there’s no need for a business to be caught between the risk of such fines and the high cost of implementing an effective compliance program.

“With the help of a CFE who is thoroughly familiar with the rule and the act,” Klein said, “a business can minimize its compliance costs and noncompliance risk and enjoy the benefits of this much-needed regulation. A CFE-guided identity theft prevention program can produce a net gain for the organization.”


While a CFE can help a company comply with the Red Flags Rule, its external auditor is prohibited from doing so, just as it is forbidden to provide Sarbanes-Oxley consulting services to its audit clients.

So, Klein said, CFEs should explore this opportunity to expand their practices. In fact, he added, CFEs might even be able to form alliances with CPA firms who cannot provide the Red Flags Rule help their audit clients need.

Because CFEs are trained in designing and implementing internal controls, they are well-suited to help businesses set up programs to minimize and mitigate the red flags of identity theft.

Likewise, CFEs can train employees to implement such plans and return to advise further when the time to update the plans inevitably arrives.


CFEs should familiarize themselves with the rule and the act and determine those businesses subject to the rule.

Matching their knowledge, skills and abilities with those organizations’ needs will better enable CFEs to market services to them.

“Make sure you’re ready when needed by a client or employer,” Klein said. “It’s good for job security especially in this economy.”


Robert Tie is a New York business writer.

