As many as nine million Americans have their identities stolen each year. To help prevent identity theft, the Federal Trade Commission (the FTC or commission) developed regulations requiring financial institutions and creditors to address their risk by scrutinizing everyday credit and debit card transactions.
The commission developed an Identity Theft Red Flags Rule that requires certain entities to develop and implement written identity theft prevention programs. To facilitate this process, the FTC has issued helpful information about who needs to comply and how to develop and manage a program.
Who Is a Financial Institution or a Creditor?
The rule defines a financial institution as: (1) a state or national bank, (2) a state or federal savings and loan association, (3) a mutual savings bank, (4) a state or federal credit union, or (5) any other entity that directly or indirectly holds a transaction account belonging to a consumer. Transaction accounts are deposits or accounts from which a consumer can make payments or transfers to third parties.
The definition of creditor is broad and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. Health care providers, utilities, lawyers or accountants may fall into this definition. Finance companies, mortgage brokers and automobile dealers or retailers that offer financing would also be included.
What Does This Have to Do with Flexible Spending Accounts?
As far as FSAs are concerned, a list of questions and answers issued by the FTC confirms that plan sponsors or plan service providers (PSPs) are generally not considered financial institutions. According to the FTC, “…neither offering employees health care flexible spending accounts nor maintaining those accounts for other companies automatically makes a business a creditor under the rule.”
However, offering a debit card to access benefits tips the scale so that the financial institution definition applies, and thus, so does the requirement to comply with the Red Flags Rule. The FTC further states that if an entity provides government benefits or administers flexible spending accounts and gives customers a debit card to access benefits, it would be considered a financial institution.
Bottom Line?
If a PSP supplies debit cards to participants for flexible spending accounts, its business needs to comply with the Identity Theft Red Flags Rule. Also, employers should verify that their service providers have a Red Flags Rule program in place.
What Are the Requirements of the Red Flags Rule?
Financial institutions and creditors must develop, implement and administer an Identity Theft Prevention program. The Red Flags Rule picks up where data security leaves off.
PSPs need to develop a list of situations that signal possible fraud. For example, a caller who cannot provide his correct date of birth or the name of the company where he works may raise a “red flag” that the customer’s identity has been compromised.
A Red Flags Rule program seeks to prevent identity theft by ensuring that businesses and their employees are on the lookout for the signs that a person is using someone else’s information. They do this by first implementing data security practices that make it harder for anyone to get access to the personal information they use to open or access accounts, and second, by paying attention to the red flags that suggest that fraud may be occurring.
Establishing a program involves four simple steps.
1. Identify relevant patterns, practices and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the program.
2. Detect red flags that have been incorporated into the program.
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft.
4. Ensure the program is updated periodically to reflect changes in risks from identity theft.
Know someone who needs a written theft prevention program? A 32-page booklet located at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf steps through the process of creating and maintaining a valid program. A comprehensive list of questions and answers about the program can be found at www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm.
Still have questions? Visit www.ftc.gov/redflagsrule or email RedFlags@ftc.gov.
Ensure that your clients know about the Red Flags Rule and obtain a statement of compliance from their plan service provider. Be aware, however, that although the rule was initiated in 2007, the requirement for financial institutions and creditors to institute a program has been delayed a number of times. The latest delay extends enforcement to January 1, 2011. After this date, unless enforcement is again delayed, all financial institutions and creditors must have their programs in place.
The information contained in this article is not intended to be legal, accounting, or other professional advice. We assume no liability whatsoever in connection with its use, nor are these comments directed to specific situations.