The Federal Trade Commission (FTC) recently issued guidance concerning the application of the Red Flag Rules to employee benefit plans. The Red Flag Rules are designed to help prevent consumer identity theft by requiring financial institutions and creditors to implement procedures that identify the warning signs, or “red flags,” of identity theft. However, the applicability of the Red Flag Rules extends far beyond banks and lending institutions and may apply to employers that offer debit cards in conjunction with their Flexible Spending Accounts (FSAs).

The new FTC guidance expands the definition of “financial institution” to include providers of FSA debit card accounts, since debit cards facilitate customer payments or transfers to third parties. Any organization that administers a debit card in conjunction with a FSA must comply with the Red Flag Rules, whether that be an employer plan sponsor or a third party administrator. Although not directly addressed in the guidance, it is likely that these requirements also apply to debit cards issued in conjunction with Health Savings Accounts (HSAs).

An employer or administrator that is subject to the Red Flag Rules must implement a written program that includes policies and procedures to identify, detect, and respond to possible signs of identity theft. The program must be managed by the board of directors or senior employees of the covered entity, include appropriate staff training, and provide for oversight of any service providers.

The FTC plans to begin enforcement of the Red Flag Rules effective November 1, 2009. Employers sponsoring FSA and HSA benefits should confirm whether the Red Flag Rules will require them (or their third party administrators) to implement an identity theft prevention program.