Red Flags Rule FAQs

What is the Red Flags Rule?

The Federal Trade Commission (FTC) has issued a set of rules and guidelines whose purpose is to detect and prevent identity theft by defining red flags or alerts that refer to a pattern, practice, or specific activity that indicates possible identity theft. The Red Flags Rule mandates that all financial institutions and creditors with covered accounts develop and implement an identity theft prevention program. The rule applies to an extremely broad range of businesses, not just banks, and most higher education institutions, including UB, have been identified as creditors under the FTC definition.

Why does the university need to comply with the Red Flags Rule?

The FTC requires that any entity that lends money for non-business use, issues financial transaction cards, or is a user of credit reports, have an identity theft program in place. The university is required to comply with the Red Flags Rule because it:

·   handles many aspects of transactions related to loans

·   issues debit cards that can be used at external entities (UBCard)

·   uses credit reports on occasion.


What are my department's responsibilities with respect to complying with the Red Flags Rule?

All departments having covered accounts are responsible for developing departmental Red Flags Rule Procedures in support of the University’s Identity Theft Prevention and Red Flags Policy. The policy includes a framework for what each department needs to do. While certain units, such as Financial Aid, need more elaborate, comprehensive procedures, other low-risk units may be able to follow a less complex, more streamlined approach. A template is available to assist departments in developing their procedures. In addition, any activity identified as a covered account must be re-examined on a regular basis as part of the University’s Red Flags Program. You will need to re-evaluate your procedures annually and modify them if your unit experiences identity theft, you change your operations relative to your covered accounts, or your organization’s structure changes.

What is a covered account and what isn't a covered account?

Covered accounts, as the Red Flags Rule defines that term, will include:

a. Any new or existing consumer account that permits multiple or deferred payments or transactions. In other words, this includes any record made or account established when a service is provided if payment is NOT fully collected at the time of service. This would include loans, deferred billings, and payment plans. It would also include collecting payment for an event, such as a registration fee, if the payment is split into a deposit followed by the payment in full at a later date.

It is less likely that the rules would apply if you collect all payments up front. If you are selling tickets to a special event and full payment is required when the ticket is purchased, and you retain no information as detailed in item b. below, then it would not be a covered account and the rule would not apply.

The rule also does not apply if you accept credit cards, as long as the credit card is used to make payment in full at the time of the service, because that is not considered a deferred payment.

The rule does not apply if you are the buyer or receiver of the service. For example, payments you make for office supplies, to rent an outside facility, or for travel expenses are not covered accounts.

b. Any other new or existing account that may pose a reasonably foreseeable risk to consumers or the institution from identity theft due to information retained and/or maintained by the institution. This would include single transaction, one-time payment accounts or records that may be vulnerable to identity theft because of the information collected and retained such as date of birth, copies of checks, credit card numbers, social security number, and other personal identifying information.

The best practice is to collect and retain as little information as necessary to complete any transaction in order to avoid the risk of exposure and the need to comply with the requirements. For example, when collecting registration fees for a special event do not retain a copy of the check if all you need is a record indicating the amount of the payment collected.

Does the rule require departments to have specific procedures, like checking photo IDs or using Social Security numbers to verify someone's identity?

The rule does not require any specific practice to verify identity. It gives you the flexibility to tailor your procedures to the nature of your business and the risks you face. The FTC will assess compliance based on the reasonableness of your procedures. Departments with a high risk for identity theft may need more complex procedures, like using other information sources to confirm identity or incorporating fraud detection software. Departments with a low risk for identity theft may have less complex procedures: for example, simply having a plan for how they'll respond if they find out there has been an incident of identity theft involving their area. The university has developed a template to assist departments in developing their procedures.

What about covered accounts handled through a third party service?

Covered accounts that have been outsourced or contracted to an outside third party continue to be subject to the Red Flags Rule. The business unit overseeing the relationship with the third party is responsible for verifying compliance. This includes ensuring that:

a. Applicable contracts or agreements include a covenant by the vendor or third party that they will comply with all applicable laws and regulations;

b. The vendor or third party has developed and will implement an Identity Theft Prevention Program with respect to the university covered accounts serviced under the relationship;

c. The Program, in section b. above, will be monitored and updated on a periodic basis;

d. The vendor or third party has or will establish appropriate data collection and reporting processes so that information concerning identity theft incidents is forwarded to the responsible business unit as necessary to facilitate the university’s obligations for monitoring and reporting under the Red Flags Rule.

Contracts or agreements in existence need to be amended if they do not contain section a. above.


Departments with covered accounts should identify any service providers with access to those covered accounts. The department’s Red Flags Contact Person must submit the service providers’ names and contact information in writing to the University Program Administrator. The Associate Vice President and Controller has been designated as the University’s Program Administrator.


What about student cards, like the UBCard?

It depends on what the cards can do. If the cards are used for identification purposes to provide access to services such as athletic facilities and ticket discounts, and are not used as a debit/credit account, they are generally not subject to the Red Flags Rule. However, if the cards have a link to a credit account or, like the UBCard, can be used as a debit card for purchases at off-campus retailers, they are subject to the Red Flags Rule.

Moreover, if the cards meet the criteria for a covered account, they need to be considered for inclusion in the university’s identity theft program.

Are all student loans subject to the Red Flags Rule?

How a student loan is managed may make a difference in whether it is subject to the Red Flags Rule. Loan accounts where UB is considered the creditor, such as Federal Perkins Student Loans and Health Professions Student Loans, are considered covered accounts and are subject to the rule. For these accounts, the loans are originated, managed and serviced by UB. Loans where UB functions as the middle man, such as Stafford and PLUS loans, are different. With these loan types UB is not the creditor. UB’s role in the loan process is to initiate the paperwork and pass it on to the guarantee agency or the lender and then accept the loan proceeds from the guarantee agency or lender and pass the funds on to the student. For these types of loans you need to consider if the information retained and/or maintained by UB may pose a reasonably foreseeable risk to consumers or the institution from identity theft.

Are short-term loans made to students, faculty, and staff considered covered accounts and subject to the Red Flags Rule?

Yes, short-term loans are personal transactions in which the university is acting as a creditor and they would be subject to the Red Flags Rule.

How about the transactions that fall within the employer/employee relationship?

Activities involving employee disbursements, such as payroll or expense report reimbursement, are not subject to the Red Flags Rule. Transactions that fall within the employee/employer relationship are not covered accounts. Examples include payroll, benefit pension plans, and reimbursement of employee expenditures.

Are physicians, medical centers, clinics, and health centers subject to the rule?

In most cases physicians and healthcare professionals are required to comply. The Red Flags Rule will NOT apply if services are only provided on a cash basis, meaning only cash or credit cards are accepted for payment and no one is on a payment plan. If patients make payments toward their bills, or the patient has a co-pay or deductible and insurance is billed, then they are subject to the Red Flags Rule. This includes physicians and all specialties and sub-specialties; chiropractors, dentists, physical therapists, even veterinarians who allow multiple payments on account must comply. Even though identity theft is most often associated with financial transactions, there are increasing concerns about identity fraud in the context of medical care. Medical identity theft can surface when a patient seeks care using the name or insurance information of another person, which can result in both false billing and the potentially life-threatening corruption of patient medical records.

How do I report a suspected identity theft situation?

If the suspected activity is covered within your departmental Red Flags Procedures, you should follow the procedure. If the suspected activity is either not covered by your Red Flags Procedures or is observed outside your normal operations, it is your responsibility as a university employee to comply with policy. First consult a supervisor who may take steps, such as contacting University Police, to investigate and respond. If a supervisor is not available, and someone seeking services related to a covered account has just presented you with identity documents that you strongly feel are forged, call University Police immediately at 716-645-2228 and request a patrol to respond to a possible false ID.

In addition to the actions taken above, any identity theft incidents need to be reported to the designated University Program Administrator, the Associate Vice President and Controller.

When does the Red Flags Rule take effect?

The rule became effective on January 1, 2008, with full compliance originally scheduled for November 1, 2008. The FTC has delayed the enforcement date of the Red Flags Rule until after December 31, 2010. This latest delay in enforcement was at the request of Congress, but the FTC has stated that if Congress passes legislation with an effective date earlier than December 31, 2010, the FTC will begin enforcement as of that effective date.  

However, the university Identity Theft Prevention and Red Flags Policy has been approved and requires compliance of all constituencies.

Who can I contact if I need more information?

Contact Carolann G. Lazarus by email or by phone at (716) 829-6947. Ms. Lazarus is the current Red Flags Rule contact person for the Office of the Associate Vice President and Controller (the designated Program Administrator for the University Identity Theft Prevention and Red Flags Rule).
