FTC Announces Delay in Red Flag Rules
Susan Jordan, a partner in our Pittsburgh office, provides the following:
The Federal Trade Commission (FTC) recently announced that it is delaying enforcement of its “red flag” rules until November 1, 2009. The red flag rules were previously supposed to be enforced beginning August 1, 2009 after being delayed once already. The rules are part of anti-fraud regulation designed to identify and respond to warning signs that could indicate identity theft and were developed under the Fair and Accurate Credit Transactions Act of 2003. The red flag rules require certain entities to implement written identity theft prevention programs. Additionally, the FTC issued guidance addressing concerns for many employee benefit plan administrators about application of the rule to qualified plans.
The broad scope of the red flag rules have raised questions about whether the red flag rules applies to various entities, including qualified retirement plans. The concerns include whether a plan sponsor or plan become a creditor by permitting participants to take loans for the plan. In its guidance, the FTC has eased some concerns on this issue by taking the position that allowing participants to borrow from their fund would not, by itself, make the plan sponsor or the qualified plan a covered creditor, as defined under the red flag rules. The FTC guidance also addresses several issues surrounding health FSAs offered under Section 125 cafeteria plans and health reimbursements arrangements.
The FTC guidance also states that the FTC staff is unlikely to pursue law enforcement action under the following circumstances:
(1) You know your clients individually. For example, some medical practices and law firms are familiar with everyone who walks into the office. In those circumstances, the FTC acknowledges that the risk is low that an identity thief can defraud a business by impersonating someone else.
(2) You provide services to customers in or around their home, such as by operating a lawn care or a home cleaning business. The FTC reasons that the risk of identity theft is extremely low in these situations because identity thieves generally do not want people to know where they live.
(3) You are involved in a type of business where identity theft is rare. The FTC guidance suggests that if there are no reports in the news, trade press, or among people in your line of business about identity theft and your business itself has not experienced incidents of identity theft, it is unlikely that identity thieves are targeting your business sector.
A copy of the FTC guidance can be found at: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm.
