Compliance with Red Flag Rules by Colleges and Universities
Page Content
In 2003, the U.S. Congress enacted the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”), which amended the Fair Credit Reporting Act (“FCRA”) by requiring the Federal Trade Commission (“FTC”) and other federal agencies to issue regulations requiring financial institutions and other “creditors” to adopt policies and procedures to prevent identity theft. 15 U.S.C. § 1681m(e). In 2007, the FTC and other federal agencies issued the regulations required under the FACT Act, which were named the “Red Flag Rules”. 16 C.F.R. §§ 681.1 et seq. The Red Flag Rules generally require financial institutions and “creditors” that maintain “covered accounts” to develop and implement a written Identity Theft Prevention Program and to provide for the continued administration of this Identity Theft Prevention Program.
The Red Flag Rules apply to all financial institutions and “creditors” that are subject to administrative enforcement of the FCRA by the FTC, and the Red Flag Rules impose obligations on those financial institutions and “creditors” that maintain “covered accounts”. 16 C.F.R. §§ 681.2, 681.3. The “creditors” to which the Red Flag Rules apply include any person or entity that “regularly extends, renews, or continues credit” and any person or entity that “regularly arranges for the extension, renewal, or continuation of credit”. 15 U.S.C. § 1691a(e). Colleges and universities are subject to administrative enforcement by the FTC, and any colleges and universities that regularly extend, renew, or continue credit, or regularly arrange for such extensions, renewals, or continuances of credit, are subject to the Red Flag Rules.
Even if subject to the Red Flag Rules, the obligations with respect to developing and implementing an Identity Theft Prevention Program apply only if the college or university maintains one or more “covered accounts”. 16 C.F.R. § 681.2(d), (e). A “covered account” maintained by a college or university is essentially a consumer credit account under which multiple payments are made, such as where payments are deferred and made by a borrower periodically over time. 16 C.F.R. § 681.2(b). If a college or university maintains any “covered accounts”, it will be required to develop, implement, and administer an Identity Theft Prevention Program designed to identify, detect and respond to “Red Flags”.
A “Red Flag” is a pattern, practice or specific activity that indicates the possible existence of identity theft. 16 C.F.R. § 681.2(b)(9). Examples of “Red Flags” include the following: (i) when documents provided for identification appear to have been altered or forged; (ii) when information on the identification provided by a person is not consistent with information provided by that person when making a credit application; (iii) when an application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled; and (iv) when a person opening a credit account fails to provide all required personal identifying information. 16 C.F.R. Part 681, Appendix A.
The Red Flag Rules require each college or university meeting the criteria above to develop and implement a written Identity Theft Prevention Program (“Program”) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a “covered account” or any existing “covered account”. 16 C.F.R. § 681.2(d). The Program must be appropriate to the size and complexity of the college or university and the nature and scope of its activities. 16 C.F.R. § 681.2(d). The Program must include reasonable policies and procedures to (i) identify relevant “Red Flags” for the “covered accounts” that the college or university maintains, and incorporate those “Red Flags” into its Program; (ii) detect “Red Flags” that have been incorporated into the Program of the college or university; (iii) respond appropriately to any “Red Flags” that are detected to prevent and mitigate identity theft; and (iv) ensure that the Program (including the “Red Flags” determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the college or university from identity theft. 16 C.F.R. § 681.2(d).
Each college or university that is required to implement a Program must provide for the continued administration of the Program and must: (i) obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors; (ii) involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program; (iii) train staff, as necessary, to effectively implement the Program; and (iv) exercise appropriate and effective oversight of service provider arrangements. 16 C.F.R. § 681.2(e).
Each college or university that is required to implement a Program must consider the guidelines that are set forth in 16 C.F.R. Part 681, Appendix A, and include in its Program those guidelines that are appropriate.
The Red Flag Rules became effective on January 1, 2008, with full compliance required by November 1, 2008. 72 F.R. 63718. However, on October 22, 2008, the FTC announced that it will delay enforcement of the Red Flag Rules until May 1, 2009, to give “creditors” under its jurisdiction additional time to develop their Identity Theft Prevention Programs.
Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601