August 7, 2009

Red Flags Rules: Delayed in Part, Explained in Part

In 2007, Congress enacted the Fair and Accurate Credit Transactions Act of 2003 (FACTA), a part of which is a component known as the Federal “Red Flags Rule”.  These Rules apply to financial institutions and creditors, and require such entities to establish a written identity theft prevention program.  This law is intended to reduce identity theft, and the damage caused thereby, by having affected institutions keep a close eye on such matters.  The identity theft program is intended to detect the warning signs of identity theft, and thereby, to prevent or reduce identity theft.

The Federal Trade Commission (FTC), along with several other federal agencies, has responsibility to administer the Red Flags Rule.  Because the definition of “financial institutions”, and particularly, “creditor”, is broad, the questions have been:

  • Does it encompass employee benefit plans, for example, a 401k plan that offers a participant loan program?
  • Does it apply to a flexible spending account, such as a flexible medical spending account, a dependent care assistance plan, or health reimbursement account (HRA), whether administered by an employer or third party administrator (TPA); and, does it make a difference whether these programs allow the use of debit or credit cards?

While many of these questions are unanswered, the FTC has recently issued a couple of Questions & Answers that are useful to affected employers.  Specifically:

  • Q&A 12 of Part B, “Who’s Covered by the Red Flags Rule?”, states that a 401(k) plan that allows a participant to take a loan against his/her account does not become a creditor, and thus would not be subject to the employer’s identity theft prevention policy.
  • Q&A 14 addresses flexible medical spending accounts.  According to this Q&A, a flexible medical spending account does not become subject to the law, whether administered by the employer or TPA.  Several questions remain outstanding, however.  These Q&As do not address issues that might arise if the flexible medical spending account allows the use of a debit or credit card.  Further, the Q&As are not specific as to the applicability to dependent care assistance plans, health reimbursement accounts (HRAs), or other similar programs. 

The FTC has indicated that it will continue to provide guidance, the goal being to ensure that the law is applied as intended, and not to capture unintended entities.  Stay tuned for further FTC developments.  These Rules notwithstanding, ERISA plan sponsors and ERISA fiduciaries are obligated to protect participant personal information, in accordance with the prudence standards imposed upon them.

Delayed Effective Date

The Red Flags Rules were to become effective August 1, 2009; however, the FTC has delayed the effective date until November 1, 2009. 

Red Flag Tools

The FTC has posted on its website many tools to assist businesses and organizations in implementing an identity theft program, including sample policies, a “How-to Guide for Business”, and a do-it-yourself program.

The information contained in this Benefit Beat is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations.

As required by U.S. Treasury rules, we inform you that, unless expressly stated otherwise, any U.S. federal tax advice contained in this Benefit Beat is not intended or written to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed by the Internal Revenue Service.
