Are the employee benefits that your company offers subject to the new Red Flag Rules? Under new guidance issued by the FTC, the answer is probably not. But if your cafeteria plan includes a Flexible Spending Arrangement (FSA) benefit with a debit card, you may want to take some steps to ensure that the third party administrator issuing the debit card is in compliance with the Red Flag Rules by November 1, 2009. You may also want to take similar steps with the trustee of your 401(k) or other pension benefits.
In 2008, the Federal Trade Commission issued regulations that require "financial institutions" and "creditors" to adopt policies and procedures to identify and prevent instances of identity theft—generally referred to as the Red Flag Rules. The idea behind these rules is to identify certain "red flags" that might indicate that identity theft or fraud is occurring. This is essentially a consumer protection law designed to ensure that businesses are watching for identity theft and that consumers receive protection from fraudulent charges when someone has engaged in identity fraud.
Although it was unclear whether or how these rules might apply to employee benefits, the FTC has recently issued guidance that clarifies the interplay between the Red Flag Rules and employee benefits plans.
There has been speculation that a Flexible Spending Arrangement (FSA) benefit may have to comply with the Red Flag Rules, but the FTC has clarified that simply having an FSA benefit does not make an employer-sponsored cafeteria plan subject to the Red Flag Rules.
However, if the FSA benefit includes a debit card feature, the Red Flag Rules will apply to whoever sets up and administers the debit card accounts. The FTC explained that a business that sets up a debit card account is considered a "financial institution" subject to the Red Flag Rules. Thus, the organization that administers the debit card—typically, the third party administrator for the FSA benefit—must comply with the Red Flag Rules, even though the sponsoring employer does not. If your company's FSA benefit includes a debit card feature, you will want to confirm that your third party administrator will be in compliance with the Red Flag Rules by the November 1, 2009 deadline. You may even want to consider a provision in your agreement with the third party administrator requiring such compliance.
The FTC has also clarified that sponsoring a 401(k) plan will not subject the sponsoring employer to the Red Flag Rules—even if the 401(k) plan allows participants to take loans. The trustee for your 401(k) plan, however, will likely need to comply with the Red Flag Rules. Thus, you will want to confirm that your plan's trustee will be in compliance, and you may want to consider a contractual provision requiring such compliance.
Companies that are subject to the Red Flag Rules must put into place by November 1, 2009, written policies that (1) identify "red flags" of identity theft; (2) are designed to detect the red flags that have been identified; (3) spell out appropriate action to take when a red flag is detected; and (4) are re-evaluated from time to time to reflect the company's experience with red flags and new risks from identity crimes. The written policy must initially be approved by the company’s board of directors (or a committee created by the board to deal with this issue), and reports must be made to the board (or the special committee) on an annual basis regarding the program.
If you have questions about the Red Flag Rules or need help putting a Red Flag compliance program into place, please contact Norbert F. Kugele, at firstname.lastname@example.org or by phone at 616.752.2186, or any other member of the Warner Employee Benefits Practice Group.