Pursuant to regulations (the Red Flag Rules) issued by the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions (FACT) Act of 2003, “financial institutions” and “creditors” are required to develop and implement written identity theft prevention programs. Colleges and universities that accept deferred payments or extend credit will fall within the definition of “creditor” under the Red Flag Rules and must develop and implement written identity theft prevention programs to comply with these new regulations. Although the rules originally required that a written program be adopted by a Board of Trustees or other governing body by November 1, 2008, the FTC announced in October 2008 that it will delay enforcement actions for violations of the Red Flag Rules for six months, until May 1, 2009.
What is the purpose of the Red Flag Rules?
The purpose of the written identity theft prevention program is to detect, prevent, and mitigate identity theft in connection with new or existing covered accounts. The program must be appropriate to the size and complexity of the creditor and the nature and scope of its activities.
Who must comply with the Red Flag Rules?
The Red Flag Rules apply to “financial institutions” and “creditors” with “covered accounts.” Under the rules, a “creditor” is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. A “covered account” is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions, such as a loan that is billed or payable monthly.
Colleges and universities that accept deferred payments on accounts or extend credit for nonbusiness purposes fall within the definition of “creditor,” requiring compliance with these rules. Other activities that could cause colleges and universities to be considered “creditors” subject to the Red Flag Rules include:
- participating in the Federal Perkins Loan program;
- participating as a school lender in the Federal Family Education Loan Program;
- offering institutional loans to students, faculty or staff; and
- offering payment plans for tuition that extend payments throughout an academic period rather than requiring payment at the beginning of the academic period.
Complying with the Red Flag Rules
Under the Red Flag Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or “Red Flags” – of identity theft. The written program must include reasonable policies and procedures to:
- Identify relevant Red Flags for the covered accounts that the creditor offers or maintains and incorporate those Red Flags into its program;
- Detect Red Flags that have been incorporated into its program;
- Respond appropriately to any Red Flags that are detected;
- Train relevant staff, as necessary;
- Exercise sufficient oversight over service providers; and
- Update the program periodically to reflect changes in risks from identity theft to customers and to the safety and soundness of the creditor from identity theft.
Importantly, the Red Flag Rules require each creditor to develop its written identity theft prevention program based on the specific Red Flags relevant to that creditor. As such, it is important to evaluate the specific risks of identity theft that your college or university faces, evaluate what Red Flags are relevant to your college or university, and develop a policy to address each identified Red Flag.
Additional Address Discrepancy Policy Required for Users of Consumer Reports
In addition to the adoption of a written identity theft prevention program, the Red Flag Rules impose additional requirements on users of consumer reports in the event the user is notified of an address discrepancy. Specifically, any user of credit reports must develop and implement policies and procedures designed to enable the user to form a “reasonable belief” that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.