This week, the Federal Trade Commission (“FTC”) addressed a number of open questions regarding the application of its “Red Flag Rules” to employee benefit plan sponsors, and extended its enforcement deadline from August 1, 2009 to November 1, 2009. The rules require financial institutions and “creditors” to develop written programs to detect and respond to patterns, practices or specific activities that are “red flags” for possible identity theft. The extent of the rules’ application to plan sponsors has been unclear, particularly with respect to the entities that are considered “creditors,” broadly defined as those regularly extending or renewing credit.
Through FAQs published on its website, the FTC has now explained that: (1) an employer does not become a “creditor” solely by permitting participants to borrow from their own individual accounts in retirement plans, such as 401(k) plans; (2) in certain cases, an employer that is itself a financial institution or “creditor” is not required to include any individual account retirement plans it sponsors for its employees in its written identity theft prevention program, because under such arrangements participants establish accounts not with the employer but with the plan, a separate legal entity distinct from the employer; and (3) health flexible spending account (“FSA”) sponsors and third-party FSA administrators do not become “creditors” solely by offering or maintaining FSAs that reimburse participants for amounts they have not yet contributed to their accounts.
This recent guidance is good news for plan sponsors. Although the FTC did not exempt all benefit plans and sponsors from coverage, it has confirmed that sponsoring popular types of plans, such as 401(k) plans and health FSAs, will generally not by itself trigger the written prevention program requirement. Over the next few months, the agency plans to further clarify the types of entities subject to the rules through additional guidance and education efforts.
Regardless of the FTC’s determinations, it is important to remember that plan fiduciaries have a general duty under ERISA to protect participant information. The identity theft program required under the Red Flag Rules can serve as a helpful starting point for plan sponsors in developing or updating procedures for protecting participants from identity theft. The FTC has developed an online tool to help covered entities design an identity theft program to meet their specific needs (http://www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm).