Red Flags Identity Theft Prevention Policy
Requirements of the Federal Trade Commission’s Red Flags
Rule must be followed when extending credit to individuals for
services provided by the university.
The University at Buffalo (UB, university) has established a
Program to detect, prevent, and mitigate activities related to
identity theft with respect to University Covered Accounts. The Red
Flags Identity Theft Prevention Program includes:
- designation of the Associate Vice President and Controller as
the University Program Administrator
- guidance for the development of departmental Red Flags Rule
Procedures
- identifying departmental Covered Accounts
- detecting potential indications of identity theft
- responding to potential or actual incidents of identity theft
- training employees on the Red Flags Rule Procedures
- mitigating risks associated with identity theft related to
Covered Accounts
- periodic evaluation and update of the Program to reflect the
current threat environment
- monitoring service providers and service provider agreements to
ensure that providers have adequate identity theft prevention
programs in place
- retaining records relevant to the Program, including:
  - the Red Flags Identity Theft Prevention Policy
  - the departmental Red Flags Rule Procedures
  - documentation on instances of significant identity theft and
attempted identity theft
  - contracts with service providers that perform activities
related to Covered Accounts.
The Federal Trade Commission (FTC) Red Flags Rule 16 C.F.R. Part
681.1, pursuant to the Fair and Accurate Credit Transactions Act
(FACTA), requires the development and implementation of a written
identity theft prevention, detection, and mitigation program. The
purpose of the program is to detect patterns, practices, and
specific forms of activity that indicate the existence of identity
theft and prevent an individual from using false identifying
information to obtain goods, services, or credit.
The FTC rule 16 C.F.R. Part 641 requires development of policies
and procedures in association with debit cards and change of
address requests to assess the validity of a request for a change
of address that is followed closely by a request for an additional
or replacement card.
The FTC rule 16 C.F.R. Part 681.2 requires development of
policies and procedures to verify when a notice of address
discrepancy is received from a consumer reporting agency in
response to a credit check.
This policy applies to all university entities and employees,
students, contractors, service providers, and volunteers who have
access to Covered Account information.
Covered Account
For purposes of the UB Red Flags Identity Theft Prevention Program,
a Covered Account includes the following:
- an account that receives multiple payments or transactions,
deferred payments, extensions of credit, loans, or which
establishes a continuing relationship with an individual who has
received services from the university (e.g., student accounts,
tuition payment plans, patient accounts, accounts associated with
student lending activity, debit cards for use at off-campus
- any other new or existing account that may pose a reasonably
foreseeable risk to consumers or the institution from identity
theft due to information retained and/or maintained by the
institution. This includes single transaction, one-time payment
accounts or records that may be vulnerable to identity theft
because of the information collected and retained, such as date of
birth, copies of checks, credit card numbers, social security
number, and other personal identifying information.
Identity Theft
Any use or attempt by an individual to use another person’s
identifying information to obtain a thing of value to which the
individual is not entitled including, but not limited to, money,
credit, goods, or services such as education or medical care.
Notice of Address Discrepancy
Notice from a consumer reporting
agency indicating a substantial difference between the address
provided by the employee or applicant and the address the consumer
reporting agency has on file.
Personal Identifying Information
Any name or number that may be used,
alone or in conjunction with any other information, to identify a
specific person, including:
- name, social security number, date of birth, official state or
government-issued driver license or identification number, alien
registration number, government passport number, employer or
taxpayer identification number
- unique biometric data, such as fingerprint, voice print, retina
or iris image, or other unique physical representation
- unique electronic identification number, address, or routing code
- debit/credit card or any other access device including any
card, plate, code, account number, electronic serial number, mobile
identification number, personal identification number; other
telecommunications service, equipment, or instrument identifier; or
other means of account access that can be used, alone or in
conjunction with another device to obtain money, goods, services,
other items of value, or to initiate a transfer of funds.
Red Flag
A pattern, practice, or specific activity that indicates the
possible existence of identity theft.
Service Provider
Contractor engaged by the university to perform an activity in
connection with a Covered Account.
University Program Administrator
- Implement the Red Flags Identity Theft Prevention Program.
- Periodically evaluate the Program considering incidents of and
attempts at identity theft, and update it to reflect the current
threat environment.
- Take necessary corrective action if it is determined that a
department is not adequately guarding against threats of identity
theft.
- Ascertain that service provider agreements are monitored so
that, where applicable, such providers have adequate identity theft
prevention programs in place.
- Retain records relevant to the Program, including:
  - Red Flags Identity Theft Prevention Policy
  - documentation on instances of identity theft and attempted
identity theft
- Allow auditors and compliance officers access to these records.
- Schedule periodic reviews of departmental Red Flags Rule
Procedures.
Departmental Red Flags Rule Contact Person
- Document the department’s Red Flags Rule Procedures.
- Report incidents of identity theft by completing the Red Flags
Incident Reporting form and submitting a copy to their supervisor
and the University Program Administrator.
- Report noncompliance with the Red Flags Rule Procedures to
their supervisor, and if unresolved, to the University Program
Administrator.
- Maintain relevant records and make them available for review,
including:
  - Red Flags Rule Procedures
  - documentation on training, including name, title, and date of
training
  - documentation on instances of and attempts at identity theft
  - contracts with service providers that perform activities
related to Covered Accounts
- Annually review the departmental Red Flags Rule Procedures to
identify new Covered Accounts, changes to existing Covered
Accounts, and changes in procedures for detecting, mitigating, and
preventing identity theft. Maintain documentation of the review.
- Develop departmental awareness of the Red Flags Identity Theft
Prevention Policy and appropriate responses to incidents of
attempted identity theft.
- Perform the day-to-day application of the Red Flags Rule
Procedures to Covered Accounts by detecting and responding to red
flags.
- Notify their Red Flags Rule Contact Person, supervisor, or the
University Program Administrator if they become aware of an
incident of identity theft or a failure to comply with the Red
Flags Rule Procedures.
The UB Red Flags Identity Theft Prevention Program requires that
each department with Covered Accounts develop Departmental Red
Flags Rule Procedures that consist of the following components:
- Identify Covered Accounts
- Identify Red Flags
- Detect Red Flags
- Respond to Detected Red Flags
- Train Responsible Staff
- Monitor Service Providers
- Update the Program and the Departmental Red Flags Rule Procedures
Departmental Red Flags Rule Procedures must be approved by a
senior manager within the unit and maintained in the
department. A template is available to assist departments in
the development of their procedures.
1. Identify Covered Accounts
University departments are responsible for determining whether
they have oversight of Covered Accounts. The Departmental Red Flags
Rule Procedures template provides helpful information for
identifying Covered Accounts. Departments having Covered Accounts
must develop their Red Flags Rule Procedures and include a list of
their Covered Accounts.
2. Identify Red Flags
Each department will identify the red flags associated with
their Covered Accounts taking into consideration the types of
accounts offered and maintained, the methods provided to open and
access accounts, and previous experiences with identity theft.
The following types of notices, documents, personal information,
and activities may be indicators or red flags that an
individual’s identity may be compromised.
- Documents provided for identification appear to have been
altered or forged.
- The photograph and/or physical description on the
identification is not consistent with the appearance of the
customer presenting the identification.
- Other information on the identification is not consistent with
information provided by the person opening an account or presenting
- Other information on the identification is not consistent with
readily accessible information that is on file with the university.
- An application appears to have been altered or forged, or gives
the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
- Personal identifying information provided is not consistent
with external information sources used by the university.
- Personal identifying information provided by the customer is
not consistent with other personal identifying information provided
by the customer.
- Personal identifying information provided is associated with
known fraudulent activity as indicated by internal or third-party
sources used by the University.
- Suspicious addresses are supplied, such as a mail drop or phone
numbers associated with pagers or an answering service.
- The social security number provided is the same as that
submitted by another individual opening an account or another
- The address or telephone number provided is the same as or
similar to the address or telephone number submitted by an
unusually large number of other persons opening accounts or to
- The person opening the account fails to provide all required
personal identifying information on an application or in response
to notification that the application is incomplete.
- Personal identifying information provided is not consistent
with personal identifying information that is on file with the
university.
- If the university uses a challenge question, the customer
cannot provide authenticating information beyond that which
generally would be available from a wallet or consumer report.
Unusual Use of, or Suspicious Activity Related to, the Covered Account
- Shortly following the notice of a change of address, the
university is made aware of a new cell phone number or the addition
of authorized users on the account.
- A new revolving credit account is used in a manner commonly
associated with known patterns of fraud.
- An account is used in a manner that is not consistent with
established patterns of activity on the account.
- An account that has been inactive for a reasonably lengthy
period of time is used.
- Mail sent to the customer is returned repeatedly as
undeliverable although transactions continue to be conducted in
connection with the account.
- Unusual credit activity such as an increased number of accounts
Notice from Customer, Victims of Identity Theft, Law
Enforcement Authorities, or Other Persons Regarding Possible
Identity Theft in Connection with Covered Accounts
- The university is notified that the customer is not receiving
paper account statements.
- The university is notified of unauthorized charges or
transactions in connection with a customer's account.
- The university is notified by a customer, victim of identity
theft, law enforcement authority, or any other person that a
fraudulent account has been opened.
Alerts, Notifications, or Warnings from a Consumer Reporting Agency
- A fraud or credit alert is included with a consumer report.
- A notice of credit freeze on a consumer report is provided from
a consumer reporting agency.
- A consumer reporting agency provides a notice of address
discrepancy.
- A consumer report indicates a pattern of activity inconsistent
with the history and usual pattern of activity of a customer.
- Detection of compromised or breached systems that store Covered
Accounts or personally identifiable information.
Additional Red Flags
- Additional red flags may be identified by UB entities, units,
and/or departments for specific types of Covered Accounts.
3. Detect Red Flags
Departments should develop and implement procedures to detect
red flags associated with opening new or accessing existing Covered
Accounts.
- Monitor account transactions for possible red flags. Require
certain identity information such as name, date of birth,
residential or business address, driver license, or other photo
identification.
- Require multi-factor identification before conducting any
transaction over the phone that relates to a Covered Account.
- Require that online transactions come through a secure,
password protected portal in accordance with the Standards for
Securing Regulated Private Data policy.
- Thoroughly follow up on each billing inquiry, especially
inquiries regarding services not received and/or billing
- Verify the validity of a change of address request on an
existing account and provide the customer with a means to promptly
report an incorrect address.
4. Respond to Detected Red Flags
Departments should respond appropriately to detected red flags
in order to prevent and mitigate identity theft. The response
should be commensurate with the degree of risk posed.
Once potentially fraudulent activity is detected, an employee
must act quickly as a rapid response can protect customers and the
university from damages and loss.
If red flags are detected, one or more of the following steps
may be taken:
- monitor the Covered Accounts for evidence of identity theft
- request additional documentation to validate identity
- contact the consumer and verify if the activity is legitimate
- where appropriate, disable access or change passwords, security
codes, or other security devices
- close the Covered Account, and if needed reopen with a new
account number
- refuse to open a new Covered Account for the customer
- notify the department’s Red Flags Contact Person and the
university’s Program Administrator
- determine if law enforcement should be notified and if a
Suspicious Activity Report (SAR) should be filed
- not pursue collection of an account
- other responses as determined by the department
- determine that no response is warranted under the particular
circumstances
When a Notice of Address Discrepancy is received from a consumer
reporting agency indicating the address given by the employee or
applicant differs from the address the consumer reporting agency
has on file, the following steps are recommended to reasonably
confirm that the address is accurate:
- determine that the consumer report individual is a match to the
employee or applicant for which it was requested
- verify the address with the employee or applicant
- verify the address of the employee or applicant through a
review of the individual’s records, a third party source, or
other reasonable method
- if an accurate address is confirmed, the department will
provide the employee or applicant’s address to the consumer
reporting agency from which it received the Notice of Address
Discrepancy when:
  - a continuing relationship is established with the employee or
applicant
  - in the ordinary course of business, information is regularly
provided to the consumer reporting agency.
When a change of address request is followed within 30 days by a
request for an additional or replacement card, an additional or
replacement card will not be issued until validity of the address
change has been determined. Validity of requests for duplicate or
replacement cards may be established by:
- providing written or electronic notification to the cardholder
of the request for an additional or replacement card
- providing the cardholder with reasonable means of promptly
reporting address changes.
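As an added illustration (not part of the university's policy or any UB tooling), the following Python script applies the 30-day card-replacement hold described above, together with the red flag for a new phone number or added authorized user shortly after an address change, to a constructed set of account events; the event kinds, account IDs and the `validated` marker are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Window taken from the policy: a card request within 30 days of an address
# change is held until the address change has been validated.
CARD_HOLD_WINDOW = timedelta(days=30)

# Other changes that the policy lists as red flags when they follow shortly
# after a change of address (new cell phone number, added authorized users).
FOLLOW_ON_FLAGS = {"phone_change", "add_authorized_user"}


@dataclass(frozen=True)
class Event:
    account: str
    when: date
    kind: str                # "address_change", "card_request", "phone_change", ...
    validated: bool = False  # address_change only: has the change been confirmed?


def review_events(events):
    """Return (holds, flags): card requests to hold and other red flags raised.

    Events are scanned per account in date order; each event is compared
    against the most recent address change recorded on the same account.
    """
    holds, flags = [], []
    last_change = {}  # account -> most recent address_change Event
    for ev in sorted(events, key=lambda e: (e.account, e.when)):
        if ev.kind == "address_change":
            last_change[ev.account] = ev
            continue
        chg = last_change.get(ev.account)
        if chg is None or ev.when - chg.when > CARD_HOLD_WINDOW:
            continue  # no recent address change on this account
        if ev.kind == "card_request" and not chg.validated:
            holds.append(ev)
        elif ev.kind in FOLLOW_ON_FLAGS:
            flags.append(ev)
    return holds, flags


# Constructed sample events (hypothetical accounts, not real data).
SAMPLE = [
    Event("A100", date(2024, 3, 1), "address_change"),
    Event("A100", date(2024, 3, 10), "card_request"),        # 9 days, unvalidated -> hold
    Event("A200", date(2024, 3, 1), "address_change", validated=True),
    Event("A200", date(2024, 3, 20), "card_request"),        # change validated -> issue
    Event("A300", date(2024, 1, 1), "address_change"),
    Event("A300", date(2024, 2, 15), "card_request"),        # 45 days -> outside window
    Event("A400", date(2024, 5, 5), "address_change"),
    Event("A400", date(2024, 5, 6), "add_authorized_user"),  # follow-on red flag
]

if __name__ == "__main__":
    holds, flags = review_events(SAMPLE)
    for ev in holds:
        print(f"HOLD card request on {ev.account} ({ev.when}): address change not validated")
    for ev in flags:
        print(f"RED FLAG on {ev.account} ({ev.when}): {ev.kind} shortly after address change")
```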
5. Train Responsible Staff
Each department having Covered Accounts will compile a list of
their staff that are responsible for performing the day-to-day
application of the Red Flags Rule Procedures to a specific Covered
Account. Responsible staff should receive training on the UB Red
Flags Identity Theft Prevention Program and their department’s Red
Flags Rule Procedures. The departmental Red Flags Rule Contact
Person is responsible for maintaining documentation on training,
including the employee’s name, title, and date of training.
6. Monitor Service Providers
The university will exercise appropriate and effective oversight
of arrangements with service providers having access to Covered
Accounts. Third party contractors and service providers are
expected to be compliant with federal, state, and local laws and
regulations as well as UB policies and procedures pertaining to
identity theft prevention. Specific terms and issues of compliance
must be addressed in the individual contractual agreements, and
will include requiring service providers to:
- have identity theft prevention policies and procedures in place
- review the UB Identity Theft Prevention and Red Flags Policy
and the departmental Red Flags Rule Procedures
- report relevant red flags.
Departments will identify service providers with access to
Covered Accounts. The department’s Red Flags Contact Person
will submit the service providers’ names and contact
information in writing to the University Program Administrator on
an annual basis.
7. Update the Program and the Departmental Red Flags Rule Procedures
The UB Identity Theft Prevention Program and associated
departmental Red Flags Rule Procedures will be periodically
evaluated. The University Program Administrator will monitor
changes in legal requirements in the area of identity theft to
determine if changes in the University’s Program are
warranted. Departments will review their Red Flags Rule
Procedures annually and revise considering:
- incidents of and attempts at identity theft
- changes in identity theft methods
- new procedures for detecting, mitigating, and preventing identity
theft
- changes in the types of Covered Accounts maintained by the
department
- changes in business and service provider arrangements.
Documentation of the review must be maintained in the department.
148 Parker Hall
Buffalo, NY 14214