The Federal Trade Commission (FTC) announced on October 22, 2008 that it would delay enforcement of its Identity Theft Red Flag Rules (the “Red Flag Rules”) until May 1, 2009, given the extent to which the Red Flag Rules apply to entities not traditionally regulated by the FTC. The Red Flag Rules were issued as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Generally, the Red Flag Rules require creditors to create and implement written identity theft prevention programs, which were to have been in place by November 1, 2008, and which must provide for the identification, detection and response to patterns, practices, or specific activities, or “Red Flags,” that could be a sign of identity theft.

The reason for the expansive reach of the Red Flag Rules is due to its broad definition of the term “creditor.” Under the Red Flag Rules, a “creditor” includes any entity that regularly extends, renews or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. The term “regularly” is not defined by the Red Flag Rules, but for purposes of the Federal Reserve Board’s regulations under the Truth in Lending Act, a person “‘regularly’ extends consumer credit only if it extended credit [other than credit transactions secured by the consumer’s principal dwelling] more than 25 times (or more than five times for transactions secured by a dwelling) in the preceding calendar year. If a person did not meet these numerical standards in the preceding calendar year, the numerical standards shall be applied to the current calendar year.” If a similar interpretation of “regularly” were applied to the Red Flag Rules, any entity that extends consumer credit more than 25 times in the preceding calendar year (or the current calendar year) would be considered a “creditor,” and hence be subject to the Red Flag Rules. (Note that, unlike the FTC, the Federal Reserve Board will expressly exempt retirement plan loans from the Truth in Lending Act, beginning on July 1, 2010. See page 8 for more information.)

401(k) plans that allow in-service loans may find themselves among the entities affected by this expansive definition of “creditor,” as a plan loan to a participant is an extension of credit to that participant. If a 401(k) plan makes loans to more than 25 participants from the 401(k) plan in a given plan year, that plan may be subject to the Red Flag Rules.

If a 401(k) plan determines that it is subject to the Red Flag Rules, it must develop a written program which identifies and detects the relevant warning signs (“Red Flags”) of identity theft. This program must include reasonable policies and procedures to:

  • Identify relevant Red Flags for the 401(k) plan accounts, and incorporate those Red Flags into the program;
  • Detect Red Flags which have been so incorporated;
  • Respond appropriately to any Red Flags which are detected to prevent and mitigate identity theft; and
  • Ensure the program (including the incorporated Red Flags) are updated periodically to reflect new issues regarding identity theft.

Examples of “Red Flags” suggested by the FTC generally fall into five categories, which include alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services; the presentation of suspicious documents; the presentation of suspicious personal identifying information (such as a suspicious address change); the unusual use of, or other suspicious activity related to, a covered account and notice from customers, victims of identity theft, law enforcement activities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

The FTC has indicated that the nature of the written program should depend on the complexity, size and nature of the creditor’s business. As a result, a 401(k)’s written program might well be relatively straightforward.

Once the Red Flag Rules become effective on May 1, 2009, creditors (including 401(k) plans) which have not developed the written program required by the Red Flag Rules may be subject to penalties of up to US$2,500 for each independent violation.