The Federal Trade Commission (“FTC”) issued an anti-fraud regulation (“Red Flag Rule”) that requires many businesses and organizations to implement a written identity theft prevention program to detect the warning signs of identity theft in their daily operations. Generally, the Red Flag Rule (16 C.F.R. § 681.1 et seq.) applies to financial institutions and creditors. However, because the rule defines the term “creditor” very broadly, to include those businesses or organizations that regularly grant loans or extend credit, many 401(k) plan sponsors and health care flexible spending account (“FSA”) service providers have questioned its applicability to their plans. In an effort to assist businesses and organizations with compliance, the FTC recently published a series of frequently asked questions (“The Red Flags Rule: Frequently Asked Questions”) on its website (

With regard to plan loans, the FTC has clarified that a plan sponsor would not be considered a “creditor” subject to the Red Flag Rule when it grants a 401(k) plan loan because the plan participant is borrowing the money from his or her own account. Further, the FTC has indicated that because a participant establishes an individual account with the 401(k) plan, a separate legal entity, and not with their employer, the employer is not required to include the individual plan accounts in a written identity theft prevention program. With respect to flexible spending accounts, which must make the entire amount elected by participants available to them from the beginning of the plan year, the FTC has clarified that neither offering employees flexible spending accounts nor maintaining these accounts for other companies makes an employer a “creditor” because if an employee terminates employment before the end of the plan year, the employee is not required to make up any difference between the amount they contributed and the benefits that they received.