Federal Trade Commission (FTC) Red Flags Rule
The Federal Trade Commission (FTC) regulations entitled Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 (“Red Flags Rule” or “the Rule”), with the intention of reducing the risk of consumer identity theft by requiring “creditors” to implement an Identity Theft Prevention Program (“Program”). Under the Rule, the University is considered to be a creditor when it establishes a “continuing relationship” with consumers by conducting business such as:
- Engaging in loan and lending programs to students, faculty or staff (including federal programs);
- Offering a plan for payment of tuition throughout the semester rather than requiring full payment at the beginning of the semester;
- Offering future payment plans for supplies and services already rendered;
- Using consumer reports to conduct credit or background checks on prospective employees or applicants for credit;
- Maintaining financial accounts for individuals that permit multiple payments or transactions; or
- Overseeing accounts that may be vulnerable to identity theft.
The University’s Program design enables the University to comply with the Rule’s four components: (1) identify, (2) detect, (3) appropriately respond to any “red flags” in connection with new and existing “covered accounts;” and (4) ensure the Program is updated periodically, to reflect changes in risks to consumers or to the safety and soundness of the University from identity theft. For example, detection actions will include verifying and authenticating personally identifying information, monitoring transactions, and verifying the validity of change of address requests. Responsive actions taken when “red flags” occur may include contacting an account holder, changing account passwords or security codes, reopening a covered account with a new account number, not opening a new account, closing an existing account, not selling a covered account to a debt collector, notifying law enforcement, or determining that no response is warranted under the particular circumstances.
The first Program component involves identifying which departmental accounts may be considered “covered accounts.” For purposes of the Rule, covered accounts are those that involve paying for University-provided goods or services with multiple payments or transactions, such as a billing at the end of the month for services rendered the previous month, a loan that is billed or payable monthly, or other types of deferred payment arrangements. Potentially covered accounts include arrangements for:
- Billing students for purchases at the campus book store or for services received through Campus Health Services;
- Allowing students to directly receive loan checks for living expenses;
- Billing patients for clinical services; and
- Allowing employees to authorize future payroll deductions for goods or services received on campus.