The Red Flags Rule (Rule) was issued in 2007 by the Federal Trade Commission (FTC) after the Fair and Accurate Credit Transactions Act (FACTA) added provisions to the Fair Credit Reporting Act (FCRA) designed to improve the accuracy of consumers' credit-related records and directed the FTC to issue guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. The Rule is actually three different but related rules, two of which apply to the University.
The Rule requires financial institutions and creditors that offer or maintain one or more covered accounts to implement a written Identity Theft Prevention Program (ITPP) designed to detect, prevent, and mitigate identity theft. Red Flags are suspicious patterns or practices or specific activities that indicate the possibility that identity theft may occur. The University's ITPP was approved by the University's Board of Trustees in 2009. All departments, colleges, and units who are involved with handling Personally Identifiable Information (PII) in connection with the opening of covered accounts and with respect to existing covered accounts must comply with the University's ITPP and develop reasonable processes and procedures to verify the identity of persons for whom services are being provided and to detect, prevent, and mitigate any instances of identity theft.
The Rule also requires a user of a consumer report to employ reasonable policies and procedures when the user receives a notice of address discrepancy. Therefore, to prevent identity theft regarding an employment or volunteer position for which a credit or background report is sought, University personnel shall take the following steps to assist in identifying address discrepancies:
- Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
If notice of an address discrepancy is received, verify that the credit report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the University has reasonably confirmed is accurate.
Other links of interest
- Full text of the FTC’s Fair Credit Reporting Act FCRA 15 U.S.C. §§ 1681-1681x, as amended by the Fair and Accurate Transaction Act of 2003 (effective Sep. 1, 2011)
- Full text of the FTC's Red Flags Rule FTC 16 CFR Part 681, as amended by the Red Flag Program Clarification Act of 2010 (effective Jan. 1, 2011)
- SEC and CFTC's final Identity Theft Red Flags Rule rule (effective May 20, 2013)
- Other FTC resources:
- NACUBO Red Flags Rule resources
- IRS site on Identity Protection
- NC Identity Theft Protection Act of 2005, via S1048
- UNC System Guidance (Feb. 2009)
UNC Charlotte Procedures and Forms
Red Flags Rule Annual Survey, to be completed by Key Areas (as defined in Procedures).
Red Flag Detection Form, to be completed if Red Flags are detected in the course of University operations.
Note that, while Key Areas must comply with the University’s ITPP, from a Red Flags Rule risk management perspective, all employees who are involved with handling PII must comply with the following procedures related to information security and fraud prevention.
Protection of Personally Identifiable Information
To further prevent the likelihood of identity theft occurring during the conduct of University business, the University will take the following steps with respect to its internal operating procedures to protect PII:
- Ensure that its website is secure or provide clear notice that the website is not secure;
- Ensure complete and secure destruction of paper documents and computer files containing individual account information when a decision has been made to no longer maintain such information;
- Ensure that office computers with access to PII are password protected;
- Ensure that laptops are password protected and encrypted;
- Avoid use of social security numbers when possible;
- Ensure the security of physical facilities that contain PII;
- Ensure that transmission of PII is limited and encrypted when necessary;
- Ensure computer virus protection is up to date; and
- Require and keep only the kinds of individual information that are necessary for University purposes.
Hard Copy Distribution
Each employee and contractor performing work for the University will comply with the following security measures related to hard copy files with PII:
- File cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with PII will be locked when not in use, when unsupervised, and at the end of each workday.
- Clear desks, workstations, work areas, printers and fax machines, and common shared work areas of all documents containing PII when not in use.
- Whiteboards, dry-erase boards, writing tablets, and other writing surfaces in common shared work areas with PII will be erased, removed, or shredded when not in use.
- When documents containing PII are discarded, they will be placed inside a locked shred bin or immediately shredded using a mechanical crosscut or Department of Defense-approved shredding device. Label locked shred bins as “Confidential paper shredding and recycling.”
The following can be used to educate your staff regarding the Red Flags Rule and University’s ITPP:
- UNC Charlotte’s Red Flags Rule - ITPP Procedures include definitions and specific actionable items on how to prevent and mitigate identity theft, including a “Red Flag Identification and Detection Grid.”
- A 3 ½-minute video overview of the Red Flags Rule can be viewed at any time by all faculty and staff via the University’s Security Awareness Training Course located in Canvas (in the Assignments area). Access guidance is also available via the security awareness FAQ.
- For information about data classification and handling, visit the University FAQ site.