The Federal Trade Commission (FTC) is responsible for enforcing the federal Red Flags Rule, which requires “financial institutions” and “creditors” to develop written programs designed to detect warning signs or “red flags” that indicate a potential case of identity theft. Although the Rule became effective January 1, 2008, full compliance was initially not required until August 1, 2009. In recent guidance, however, the FTC delayed the compliance date until November 1, 2009.

The FTC also issued guidance that answers several open questions regarding the Rule’s application to employers that sponsor a 401(k) plan or offer a health flexible savings account (FSA). Specifically, the guidance provides:

  • Merely allowing 401(k) plan participants to borrow money form their individual accounts does not, by itself, cause an employer to become a “creditor” under the Rule.
  • An employer that otherwise meets the definition of “creditor” under the Rule, and thus is required to implement a written program to detect “red flags,” is not required to include the individual 401(k) plan accounts of participants in its 401(k) plan in the red flag program, because the retirement plan accounts are set up between the individual participants and the 401(k) plan, which is a separate legal entity apart from the employer.
  • An employer does not become a “creditor” subject to the Rule merely by offering and maintaining a health FSA.

A copy of the FTC’s press release regarding the compliance extension can be obtained here. A copy of the guidance regarding the application to employee benefit plans can be obtained here.