We are a regional TPA who work with numerous financial institutions. Recently, one of the banks we work with interpreted the rule to mean that we must have a policy in place. Also, after reviewing the rule, it looks like the plan sponsors who have loan provisions might also be required to impliment a policy.
Have any of you dealt with this? If so, what is your interpretation?
Thanks
Dune

The so-called “red-flags” rule MIGHT require a retirement plan that has “covered accounts” for which there is a reasonably foreseeable risk of identity theft to use an identity-theft-prevention program. (So far, I haven’t yet had a retirement plan client ask for my opinion about whether the rule applies.) Among other provisions, a program must identify relevant patterns, practices, and specific forms of activity that are “red flags” that signal possible identity theft.

The “red-flags” idea presumes that one is capable of identifying some set of facts that, if it occurs, suggests a more-than-normal probability that an actor might not be the person that a business expects to deal with. But that idea assumes that the business has a compare-to source to check whether a person who presents identifying information is an impostor.

If a retirement plan’s recordkeeper receives an instruction that was delivered through a computer using a personal identification number and password that the plan had assigned to a participant, how would a recordkeeper know that the faceless user of the identifying information isn’t the participant?

If a retirement plan’s recordkeeper receives a telephone call from someone who presented the identifying information that the plan requires, how would a recordkeeper know that the caller isn’t the participant? (Let’s assume that the impostor is smart enough not to use a male voice when impersonating a female participant.)

In typical operations of an individual-account retirement plan, a recordkeeper doesn’t see the participant’s physical appearance, often doesn’t hear his or her voice, and often has no source to compare a currently presented document to other documents believed to have been made by the participant.

Some recordkeepers put a delay on paying a distribution soon after an address change (and send a confirmation of the change to the participant’s previous address and to the plan’s administrator. But they do this regarding all address changes, because there’s no way to know whether a change is real. Is the typical “hold” on a distribution after an address change good enough?

Is an identity-theft-prevention program just another written procedure? Or are there real things that recordkeepers are doing, or could be doing, to detect identity theft?

I recognize that my query veers a little from the ‘does-it-apply-or-not’ question in Dune’s originating post. But some of the answers to my query might help Dune and others evaluate whether there is a “reasonably foreseeable risk of identity theft” for the purposes of the FTC rule. If there isn’t such a risk, a plan’s administrator might decide that a separate identity-theft-prevention program isn’t an essential. Or if there is a significant risk, a plan’s administrator might decide to use a program even if the FTC rule doesn’t require it.

I’d appreciate information and suggestions from BenefitsLink’s many smart people.

Dune --

I thought I read somewhere that the FTC indicated that qualified plans are not swept up in the new red-flag rules, but I can't find the source of that information.

Here, though, are a few discussions of the issue of whether or not qualified plans fall under the rules:

http://www.sutherland.com/files/News/a1cda...andFTC31209.pdf

http://www.whitecase.com/files/Publication...uary_2009_2.pdf

And here's the FTC guidebook: http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf

has there been any further interpretation as to whether the Red Flag Rules apply to participant loans.

Recent item in Dave Baker's newsletter says FTC says qualified plan loans are not subject to the Red Flag rules.