'Red Flags' Rule Applies to Benefit Accounts with Debit Cards

Federal Trade Commission will enforce new identity theft rule

By Stephen Miller Feb 19, 2010

Updated 6/1/2010:

On May 28, 2010, the Federal Trade Commission (FTC) announced that, at the request of several members of Congress, it was further delaying enforcement of its “red flags” rule on identity theft through Dec. 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the rule. Enforcement had been set to begin on June 1, 2010, after a series of prior delays.


The rule requires creditors and financial institutions to implement a written program to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account. (To learn more, see the SHRM Online article Red Flags Rule on Identity Theft Explained.)

As part of its guidance on the rule, the FTC has posted frequently asked questions (FAQs) on its web site, some of which explain the application of the rule to employer-provided health and welfare plans. Specifically, the FAQs clarify that the rule applies to health care flexible spending accounts (FSAs) if they feature a debit card or similar option for accessing funds (e.g., checks or wire transfers).

Group health plans that offer FSAs with a debit card or similar option should work with their third-party administrators (TPAs) to ensure that there is a written identity theft program in place to protect sensitive information.

On another issue of concern, the FTC clarified that allowing participants to borrow from their 401(k) or other retirement accounts would not, by itself, make the plan sponsor a covered creditor as defined under the rules.

Other Account-Based Plans

The FTC guidance did not specifically address employer-provided health reimbursement arrangements (HRAs), dependent care assistance programs (DCAPs) or transportation plans. But benefit consultants advise that the guidance regarding FSAs should be interpreted broadly with regard to these account-based arrangements.

Based on the FTC guidance, if these arrangements do not include a debit card and do not extend or process credit to the employee, employers and TPAs should not be subject to the red flags rule. But any time a debit card or similar option is used, employers or TPAs should establish a written identity theft protection program for these accounts.

"The FTC has said that a business that provides a debit card account is considered a “financial institution” subject to the red flags rule," comments Ben Cohen, practice leader for health and welfare benefits at Kushner & Co., a benefits consultancy. "Ordinarily, a third party administrator is responsible for adhering to the rule. If your company’s FSA and/or HRA benefit includes a debit card feature, you will want to confirm that your third-party administrator will be in compliance with the red flags rule."

Health savings accounts (HSAs) are provided through banks and other financial institutions, which are responsible for compliance with the rule.

Below are the FTC's posted FAQs that relate to health and welfare plans.

Retirement Plan Accounts

Question: If our company meets the definition of a financial institution or a creditor, are the individual retirement accounts we make available to our employees considered "covered accounts" that must be included in our written Identity Theft Prevention Program under the red flags rule?

Answer: Individual retirement accounts generally qualify as "covered accounts." However, in certain cases—for example, 401(k) plans—the account that a participant establishes isn't with the employer or plan sponsor. Instead, the participant establishes an account with the plan itself, which is a separate legal entity. Under those circumstances, the employer would not need to include the retirement plan accounts in a written Identity Theft Prevention Program.

Loans from Retirement Accounts

Question: Our company offers individual retirement plans that allow participants to get loans from their own plan account. Does that make us or the plan a creditor under the red flag rule?

Answer: When participants in an individual retirement plan—say, a 401(k) plan—get loans, they're generally borrowing from their own funds. Just allowing participants to borrow from their funds would not by itself make the plan sponsor or the plan into a creditor under the rule.

Health FSAs

Question: Am I a creditor if I offer my employees health care flexible spending accounts (FSAs) that reimburse them for elected amounts that are more than they have contributed to date? Am I a creditor if I serve as a third-party administrator that maintains those accounts for employees of other companies?

Answer: No. Health care FSAs operate like insurance plans in that employers must make the entire amount elected by participants available to them from the beginning of the plan year. If they leave your company before the end of the plan year, they are not required to make up any difference between the amount they contributed and the benefits they received. As a result, neither offering your employees health care FSAs nor maintaining those accounts for other companies makes your business a creditor under the rule.

Debit Cards, Checks and Wire Transfers

Question: Are we a financial institution under the rule if we have accounts for our clients and offer a way for them to make payments or transfers to third parties with a debit card, check, or wire transfer?

Answer: Yes. The definition of a financial institution includes businesses that have accounts a customer can use to make payments or transfers to third parties. For example, a university may hold student funds in an account and give students a card they can use to make purchases at local stores. This type of arrangement would make the university a financial institution under the rule. If you provide government benefits or administer flexible spending accounts and give your customers a debit card to access benefits, you would be considered a financial institution.

Stephen Miller is an online editor/manager for SHRM.

Related Article:

Red Flags Rule on Identity Theft Explained, SHRM Online Legal Issues, October 2009
