Red Flags Rule: Application to Health Flexible Spending Accounts, Health Reimbursement Arrangements, Dependent Care Assistance Programs and Transportation Plans

Under the Red Flags Rule, certain businesses and organizations must establish and implement a written Identity Theft Prevention Program (ITPP). To comply with the Red Flags Rules, a written ITPP must have four basic elements: 

(1) The ITPP must establish reasonable policies and procedures to identify the "red flags" of identity theft that the entity may come across during the entity's day-to-day operations. Red flags are specific activities, patterns, or practices that indicate the possibility of identity theft.  For example, the entity may identify the use of a fake ID by a customer as a red flag

(2) The ITPP must be designed to detect the red flags that the entity has identified. For example, the entity may have a procedure in place to detect possible fake IDs.

(3) The ITPP must state the actions that will be taken when red flags are detected. For example, the entity may have a procedure for reporting potential fake IDs to a manager or a specialist in before proceeding with a customer.

(4) The entity must reevaluate the ITPP periodically for new risks of identity theft.