FTC Red Flags Rule: 401(k) Plan Guidance Based on Participant Loans
Under the Red Flags Rule, the FTC requires financial institutions and “creditors” that have “covered accounts” to develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft. According to the FTC definitions of “creditors” and “covered accounts”, retirement plan sponsors have questioned whether they are (1) a “creditor” for allowing their participants to take loans from their own plan account and (2) a retirement account sponsor of a “covered account” requiring them to implement this written program.
The Red Flags Rule defines a “creditor” as “broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later . . . the definition also covers businesses or organizations that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions.” The FTC has concluded that an individual retirement account generally qualifies as a “covered account” because it involves “a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household, or business purposes.”
Since these definitions could potentially require a retirement plan sponsor to comply with the Red Flags Rule, the FTC recently issued additional Frequently Asked Questions to clarify the Red Flags Rule as, among other issues, it relates to retirement plans. First, based solely on the fact that participants are “generally borrowing from their own funds,” the FTC stated that employers or sponsors of 401(k) plans are not considered a “creditor” and, therefore, are not subject to the Red Flags Rule. Second, the FTC explained that individual retirement accounts generally qualify as “covered accounts;” however, 401(k) plans are not with the employer or plan sponsor. Since the participants establish an account with the plan itself (a separate legal entity), the employer does not need to include the retirement plan accounts in a written Identity Theft Prevention Program.
For further details on Red Flags Rule, please visit The Red Flags Rule: Frequently Asked Questions web site.
This advisory is one in a series regarding the “Red Flags Rule.” If you have questions or would like copies of previous advisories related to this topic, please contact David N. Anthony or Paige S. Fitzgerald. Troutman Sanders LLP offers a full array of services to help bring companies into compliance with the Red Flags Rule.