Red Flags Rule

[Guest Dune]

We are a regional TPA who work with numerous financial institutions. Recently, one of the banks we work with interpreted the rule to mean that we must have a policy in place. Also, after reviewing the rule, it looks like the plan sponsors who have loan provisions might also be required to impliment a policy.

Have any of you dealt with this? If so, what is your interpretation?

Thanks

Dune

[Peter Gulia]

The so-called “red-flags” rule MIGHT require a retirement plan that has “covered accounts” for which there is a reasonably foreseeable risk of identity theft to use an identity-theft-prevention program. (So far, I haven’t yet had a retirement plan client ask for my opinion about whether the rule applies.) Among other provisions, a program must identify relevant patterns, practices, and specific forms of activity that are “red flags” that signal possible identity theft.

The “red-flags” idea presumes that one is capable of identifying some set of facts that, if it occurs, suggests a more-than-normal probability that an actor might not be the person that a business expects to deal with. But that idea assumes that the business has a compare-to source to check whether a person who presents identifying information is an impostor.

If a retirement plan’s recordkeeper receives an instruction that was delivered through a computer using a personal identification number and password that the plan had assigned to a participant, how would a recordkeeper know that the faceless user of the identifying information isn’t the participant?

If a retirement plan’s recordkeeper receives a telephone call from someone who presented the identifying information that the plan requires, how would a recordkeeper know that the caller isn’t the participant? (Let’s assume that the impostor is smart enough not to use a male voice when impersonating a female participant.)

In typical operations of an individual-account retirement plan, a recordkeeper doesn’t see the participant’s physical appearance, often doesn’t hear his or her voice, and often has no source to compare a currently presented document to other documents believed to have been made by the participant.

Some recordkeepers put a delay on paying a distribution soon after an address change (and send a confirmation of the change to the participant’s previous address and to the plan’s administrator. But they do this regarding all address changes, because there’s no way to know whether a change is real. Is the typical “hold” on a distribution after an address change good enough?

Is an identity-theft-prevention program just another written procedure? Or are there real things that recordkeepers are doing, or could be doing, to detect identity theft?

I recognize that my query veers a little from the ‘does-it-apply-or-not’ question in Dune’s originating post. But some of the answers to my query might help Dune and others evaluate whether there is a “reasonably foreseeable risk of identity theft” for the purposes of the FTC rule. If there isn’t such a risk, a plan’s administrator might decide that a separate identity-theft-prevention program isn’t an essential. Or if there is a significant risk, a plan’s administrator might decide to use a program even if the FTC rule doesn’t require it.

I’d appreciate information and suggestions from BenefitsLink’s many smart people.

[Guest Sieve]

Dune --

I thought I read somewhere that the FTC indicated that qualified plans are not swept up in the new red-flag rules, but I can't find the source of that information.

Here, though, are a few discussions of the issue of whether or not qualified plans fall under the rules:

http://www.sutherland.com/files/News/a1cda...andFTC31209.pdf

http://www.whitecase.com/files/Publication...uary_2009_2.pdf

And here's the FTC guidebook: http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf

[k man]

has there been any further interpretation as to whether the Red Flag Rules apply to participant loans.

[rcline46]

Recent item in Dave Baker's newsletter says FTC says qualified plan loans are not subject to the Red Flag rules.