On March 19, 2009, a White & Case Client Alert noted that the Federal Trade Commission (FTC) had informally confirmed to White & Case that an employer which offers a 401(k) plan loan is not, solely by offering the loan, a "creditor" for purposes of the Red Flags Rule, and therefore the 401(k) plan is not subject to the Red Flags Rule. However, ongoing discussions with staff members at the FTC indicate that where such an employer otherwise triggers "creditor" status or is considered a "financial institution" under the Red Flags Rule, that employer's 401(k) plan may be considered a "covered account" to which the Red Flags Rule would apply.
The Red Flags Rule requires any "financial institution" or "creditor" which offers or maintains one or more "covered accounts" to establish and administer an identity theft prevention program which identifies and detects the relevant warning signs ("Red Flags") of identity theft in connection with that "covered account." A "financial institution" includes any "State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that directly or indirectly holds a transaction account...belonging to a consumer." As we discussed in our February Executive Compensation, Benefits and Employment Law Focus article on the Red Flags Rule, a "creditor" includes any entity that regularly extends, renews or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. The word "regularly" is not defined by the Red Flags Rule; however, FTC staff have informally clarified to White & Case that the determination of whether an entity "regularly" extends, renews or continues credit or "regularly" arranges such credit will generally depend on the facts and circumstances particular to each entity. In addition, the definition of "regularly" used for purposes of the Red Flags Rule will not rely on the Truth in Lending Act's definition of "regularly," which generally requires an entity to extend credit at least 25 times in the preceding calendar year, but will, according to FTC staff, likely require more than an isolated or incidental occurrence of credit extension by the entity.
Entities which are considered to be either a "financial institution" or a "creditor" are required to comply with the Red Flags Rule if they offer or maintain "covered accounts." Because the Red Flags Rule's definition of "covered account" includes an account offered or maintained "primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings accounts," a 401(k) plan sponsored by a "financial institution" or a "creditor" might be considered a "covered account," thus requiring the employer plan sponsor to develop and implement an identity theft prevention program in connection with that 401(k) plan.
General information for businesses and organizations on the applicability of, and compliance with, the Red Flags Rule is available on the FTC's website.