The Red Flags Rule (the "Rule") is a set of regulations and guidelines that require financial institutions and creditors with certain types of consumer accounts to implement steps and programs to help identify certain patterns and other activities that constitute “red flags” for possible identity theft. The Federal Trade Commission ("FTC"), the Federal Reserve System, and the Federal Deposit Insurance Corporation, among other agencies, issued the Rule under the Fair and Accurate Credit Transactions Act of 2003 (the “FACT Act”). The Rule became effective on January 1, 2008, with mandatory compliance required as of November 1, 2008, but enforcement of the Rule has since been suspended until November 1, 2009. At first glance, the Rule raised the specter that sponsors of individual account plans (e.g., 401(k) plans, and health flexible spending arrangements (“Health FSAs”)) would be subject to the Rule. The FTC recently released Frequently Asked Questions (“FAQs”) clarifying different aspects of the Rule and addressing some of the concerns regarding the possible application of the Rule to different employee benefit plans. However, concerns remain that the Rule applies to certain individual account benefit plans.


The Rule requires “financial institutions” and “creditors” that offer or maintain “covered accounts” to establish written programs to detect, prevent and mitigate identity theft in connection with the opening of an account or any existing account. These terms are defined broadly and you will need to closely review these definitions because they will apply to entities and institutions who do not normally consider themselves as financial institutions or creditors.

A “financial institution” is defined to include the following –

  • A state or national bank;
  • A state or federal savings and loan association;
  • A mutual savings bank;
  • A state or federal credit union; or
  • Any other entity that directly or indirectly holds a “transaction account” belonging to a customer.

A transaction account is a deposit or account from which an individual can make payments or transfers to third parties.

A “creditor” is defined to include the following –

  • Any business or organization that regularly provides goods or services to customers and allows the customers to pay for the goods or services later;
  • Any business or organization that regularly grants loans, arranges for loans or the extension of credit or makes credit decisions; or
  • Any person who regularly participates in the decision to extend, renew or continue credit including setting the terms of credit.

This is a broad definition of “creditor” and thus may include businesses or organizations such as finance companies, mortgage brokers, automobile dealers, utility companies, healthcare providers, third-party debt collectors who renegotiate debt terms, and retailers who offer financing or who collect or process credit applications for third party lenders.

If a business or organization determines it is a “financial institution” or “creditor,” it must maintain a “covered account” in order to be subject to the requirements of the Rule. A financial institution or creditor maintains a “covered account” if it maintains –

  • An account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; or
  • Any other account for which there is a reasonably foreseeable risk to customers of the safety and soundness of the financial institution or credit from identity theft.

401(k) Plans

The publication of the Rule led to some initial concerns that the Rule could apply to individual account balance plans such as 401(k) plans. Specifically, employers were concerned that if a 401(k) plan included a participant plan loan feature, the sponsor of such a plan could potentially be considered a “creditor” for purposes of the Rule because the plan extends credit to plan participants. The FTC addressed these concerns in its recently-released FAQs and clarified that a participant plan loan feature - by itself - was not sufficient to make a plan sponsor a creditor under the Rule. The FTC explained that when a participant in a 401(k) plan obtained a loan from the plan, that participant was merely borrowing from his/her own funds and no credit was being offered to the participant by the plan or plan sponsor. Thus, the existence of a plan loan feature under a 401(k) plan will not automatically make a plan sponsor a creditor. Further, in examining the operation of a typical 401(k) plan with a loan feature, it is unlikely that the plan will become subject to the Rule because the plan should not be a creditor and should also not be a financial institution (i.e., the plan account is not a transaction account because it usually only makes payments to the participant or to the participant’s account in another plan, rather than third parties).

In addition, there was some concern that if a business or organization determined that it was a “covered entity” and that business sponsored a 401(k) plan, the individual account balances in the 401(k) plan would automatically be considered “covered accounts” which would require the plan sponsor to develop a written identity theft program to cover the account balances in the 401(k) plan. The FTC clarified in its FAQs that while individual retirement accounts are “covered accounts,” individual account balances in a 401(k) plan, for instance, are accounts established with the plan, and not with the plan sponsor. Since the plan is a separate legal entity from the plan sponsor, if the plan sponsor determines that it is a covered entity that offers or maintains covered accounts (based on factors other than its sponsorship of a 401(k) plan), the plan sponsor’s written identity theft program does not have to include the individual account balances in the 401(k) plan.

Even though the FTC has made it clear that participant plan loan features in individual account balance plans or individual account balances in a retirement plan do not make plan sponsors “creditors” under the Rule, the Rule does raise a secondary question as to whether the fiduciaries of retirement plans should consider issues related to identity theft in their plan administration.

Individual Account Health and Welfare Plans

In addition to the concerns about 401(k) plans, there has been more of a concern regarding the applicability of the Rule to employers that maintain individual account health and welfare plans and their third-party administrators. The FTC makes it clear in its FAQs that an employer that sponsors a Health FSA or a third-party administrator that administers Health FSAs for plan sponsors will not be considered a creditor under the Rule. According to the FTC, Health FSAs operate like insurance plans in that employers must make the entire amount elected by participants available to them from the beginning of the plan year. Thus, the FTC concluded by stating that as a result, neither offering Health FSAs nor maintaining those accounts for other companies makes a business a “creditor” under the Rule. Although not specifically discussed in the FAQs, a sponsor or administrator of a health reimbursement arrangement (“HRA”), dependent care assistance program or transportation program should not be a “creditor” either because participants in those plans typically can only access what has been added to their plan balance and not any additional funds.

Individual Account Health and Welfare Plans with Debit Cards

Although a typical health and welfare plan should not give rise to “creditor” status, the application of “financial institution” status is more troubling. The FAQs also provide that the definition of “financial institution” includes businesses that have accounts a customer can use to make payments or transfers to third parties. Thus, the FAQs provide that if a business administers Health FSAs and gives its customers a debit card to access benefits, that business would be considered a “financial institution” (i.e., because it is administering a transaction account that allows payments to third parties). Despite this recent revelation in the FAQs, Health FSAs are employer plans and all funds under such plans belong to the employer, not the individual participants. Notwithstanding, it appears that the FTC has brushed aside this point or does not consider it relevant in the context of debit cards.

In addition, some have wondered whether Health FSAs could be exempt under the theory espoused above for 401(k) plans. Under this theory, because the Health FSA is a separate legal entity and the accounts are established under the plan, then the “plan” (and consequently its third-party administrators) should not be covered. The issue with extending this theory to Health FSAs is that for 401(k) plans, the 401(k) plan did not have a transaction account that made payments to third parties and thus was exempt on that basis. For Health FSAs with debit cards, those arrangements are considered transaction accounts in their own right (based on the FAQs), and thus the “plan exception” does not appear to apply.

Despite the arguments above, it appears that the FTC considers third-party administrators that administer Health FSAs that have debit cards as “financial institutions” covered by the Rule. However, with that said, it is unclear who should be responsible for compliance with the Rule. One could argue that based on the FAQs, it could be the third-party administrator for the Health FSA. However, typically third-party administrators do not issue the actual debit cards, but only administer the plan and the account balances. Thus, there is a good argument that the bank or other institution that issues the debit card should be responsible for compliance. This is supported by the fact that the FAQ states that it applies to a business that “gives” the debit card to participants – which implies the issuer. We have had informal conversations with the FTC on this issue, and we understand the FTC position is that the issuer of the debit card is responsible for compliance with the Rule. However, there may also be some liability for sponsors to make certain that someone will take the responsibility for compliance, and thus conservative sponsors may want to address this issue with their third-party administrators.

Further, while the FAQs do not directly address other benefit programs that have debit cards, such as HRAs and transportation programs, the language of the Rule and the FAQs would apply to an HRA or transportation program that includes a debit card. In that context, again the bank or other institution that issues the card should be responsible for compliance with the Rule. With respect to health savings accounts (“HSAs”), the issuer of a debit card for an HSA should also be covered by the Rule, and the bank or other trustee that holds the HSA accounts would also likely be covered by the Rule as a “financial institution” in its own right. Last, health and welfare plans that include arrangements to pay third-parties on a regular basis (outside of a debit card situation), may also be covered by the Rule as a “transaction account.”

Requirements of the Rule

The Rule became effective on January 1, 2008, and financial institutions and creditors with covered accounts were initially required to comply with the Rule as of November 1, 2008, but the FTC (through serial suspensions) has suspended enforcement of the Rule until November 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. If a financial institution or creditor determines that it offers or maintains covered accounts, it must design a written identity theft prevention program to include policies and procedures that will –

  • Identify the relevant "red flags" for covered accounts and incorporate those "red flags" into its identity theft prevention program;
  • Detect the "red flags" that have been incorporated into its identity theft prevention program;
  • Respond appropriately to any "red flags" that are detected to prevent and mitigate the identity theft; and
  • Ensure that the identity theft prevention program is updated periodically to reflect changes in the risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

The written identity theft prevention program must be approved by the entity's board of directors or a committee of the board of directors, and the board of directors (or its designee) must be involved in the administration and implementation of the program, including the training of staff as needed to implement the program. The FTC has determined that it will not provide sample written programs but instead, will only require that each business or organization develop a reasonable program, taking into account the nature of its business and the risks it typically faces.