Click to show/hide contact information.

Red Flags Rule (Preventing Identity Theft)

The information provided in this guide is intended to assist a campus department in developing a plan for protecting customer account information from identity theft in compliance with the Federal Trade Commission (FTC) “Red Flags” Rule.

Various campus departments establish and maintain “covered” accounts used to bill students, employees, and individual members of the public for the sale of ancillary products and services on credit. The FTC Red Flags Rule requires organizations, like UCSC, to have in place control procedures aimed at detecting attempts by identity thieves to access an accountholder’s personal identifying information or fraudulent use of an account. The information provided in this guide is intended to assist campus departments in protecting accountholder information, and identifying and responding appropriately to identity theft attempts.

Expand or contract all step headings
printer
printer
increase font size Decrease Font Size
 
 
 
 magnifying glassDelete Circle
  • Before you start

    A “covered account” is a receivable (billing) account that a department establishes and maintains for extending credit to a person for personal, family, household, or business purposes.

    A “red flag” means a pattern, practice or specific activity that indicates the possible existence of a fraud being committed or attempted using the personal identifying information of another person without authorization.

    “Personally Identifiable Information” (PII) means a person’s first name or initial and last name, in combination with any one or more of the following:

    • Social Security number (SSN)
    • Drivers license number or State-issued Identification Card number
    • Account number, credit card number, or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s account
    • Medical information, which includes any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
    • Health insurance information, which includes a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person, or any information in a person’s application and claims history, including any appeals records

    Back to Top
  • Purpose

    A red flag is intended to serve as an indicator of an attempt by an unauthorized party to steal the identity of an accountholder.

    Each campus unit maintaining covered account information or having responsibilities that include disclosing or sharing covered account information must:

    • Implement red flags controls and triggers in its account management processes,
    • Implement a plan and procedures for effectively reacting to the triggering of a red flag, and
    • Ensure employees involved in account management processes receive adequate training and guidance on protecting accountholder information.

    Back to Top
  • Scope

    The Red Flags Rule applies to the following types of UCSC covered accounts:

    • Deferred student tuition and fee payment plan
    • Student emergency loan
    • Employee emergency loan
    • Departmental account facilitating the sale of ancillary products and services to a person (in person or via the web)

    Back to Top
  • Red flags - Student accounts

    Applicability

    • Deferred student tuition and fee payment plan
    • Student emergency loan
    Enrollment Process Red Flags:
    Control Red Flag
    Verify the identity of the student before registering student Student is unable to provide identifying information, such as name, date of birth, academic records, home address or other identification
    Verify the identity of the student before identification card is issued Government-issued photo identification reviewed at the time of issuance of student identification card does not match appearance of the student
    In person, student account identity verification process red flags:
    Control Red Flag
    Student identification documents are examined for alterations, or other signs of forgery or tampering. Request additional identification documentation. (student admission or enrollment may be held until verification occurs) Identity documents appear to be altered or forged
    Government-issued photo ID of a student is examined to verify identity (request additional identification documentation) Identification card photo does not match appearance of the student
    Compare name and/or other identifying information provided to identifying information that may be on file. (Notify college advisor, appropriate units, and student of incident, monitor for unusual activity. Campus police may be notified.) Identifying information provided matches that of another student or account holder
    Access to accountholder records is restricted to authorized individuals:
    Control Red Flag
    The record keeping system is monitored for unauthorized access or unusual activity. (Notify UCSC Security Team and accountholder of security breach. Security team freezes account. The password and/or challenge questions enabling the account holder access to account information are reset. Monitor account for unusual activity.) An unauthorized party has accessed accountholder information.
    An accountholder is provided with instructions on how to report non-receipt of departmental communications (verify identity of accountholder and accuracy of addresses on record. Update accountholder information and provide confirmation of changes to the accountholder via email. The password and challenge questions enabling the account holder access to account information are reset. Monitor account for unusual activity.) Notification received from accountholder of not having received account-related communications
    Account maintenance and inquiry process red flags:
    Control: For phone, portal, email, or mailed account inquiry or change request Red Flag
    Phone: For phone requests, prior to allowing access or making changes, validate identity of requester by requiring identity information likely to be known only by the accountholder and/or correct responses to challenge questions. (Notify accountholder of potential unauthorized access, deny access to account and do not process inquiry or change request. Close the account and open a new one. Monitor account for unusual activity.) Information provided does not match information on file.
    UCSC Portal: Requests for account information or an account change received through the portal. Require that the individual requesting information provide a valid password or correctly answer challenge questions(s). Notify accountholder of (potential) unauthorized access and monitor account for unusual activity. (Deny access to account. Do not process inquiry or change request.) An invalid password or response to challenge questions is provided
    Email: The identity of an individual requesting account information or an account change by email is verified to be that of the accountholder prior to allowing access or making a change. (Contact accountholder at the telephone number on file to validate request before processing. Send a confirmation to accountholder only at the email address on file and monitor account for unusual activity.) The individual requesting information asks that it be sent to someone other than the accountholder or to an email address or location other than the one on file
    Mail: The identity of an individual requesting account information or an account change by mail is verified to be that of the accountholder prior to allowing access or making a change. (Match the signature provided on the request to the accountholder signature on file, and/or validate the request through a confirming phone call or email sent to the email address or phone number on record. Monitor account for unusual activity.) Signature on file does not match signature on mailed request.
    Contact accountholder by phone, mail or email on file to validate request. Send confirmation to accountholder at the email or mailing address on file and monitor account for unusual activity The requester asks that the information be sent to someone other than the accountholder or to an email address or location other than the one on file
    Control: For in-person account inquiry or change request Red Flag
    Verify the identity of the requester by examining photo identification before responding to request (deny access to account and do not process inquiry or change request. Notify account holder of potential unauthorized access and monitor account for unusual activity.) The identification photo and/or signature does not match the requester’s appearance and/or signature. Identification documents appear to be altered or forged
    Request confirmation of the validity of a request by contacting the accountholder through UCSC portal (myucsc.ucsc.edu), by mail to the address on file, or by telephone at the number on file. Accountholder indicates the request was not authorized in response to emailed, mailed, or telephoned confirmation request
    Match information provided by the individual, such as address, telephone number, and/or challenge questions to information kept on file. (Deny access to account and do not process inquiry or change request. Notify accountholder of potential unauthorized access and monitor account for unusual activity.) Information provided does not match information on file
    Control: Accountholder notification: Red Flag
    Provide an accountholder with instructions for reporting suspected unauthorized account access Notification is received that there has been unauthorized access to an account
    Inform accountholder to notify unit if he or she has been a victim of identity theft Notification is received that an accountholder has been a victim of identity theft
    Review accounts on a periodic basis for unusual transaction activity. (Confirm the validity of transaction activity with the accountholder, monitor account for unusual activity, deny access to the account.) Unusual transaction activity, such as uncharacteristic amounts, volumes, and/or timing observed
    Accountholders are provided with instructions on reporting non-receipt of account statements. (Confirm mailing address with accountholder through a phone call or email to the phone or email on file. Deny access to the account. Monitor account for unusual activity.) Accountholder notifies department of non-receipt of account statement.

    Red Flag Trigger Response Options
    The department plan for responding to the triggering of a red flag may include one or more of the following actions:

    • Request additional identification documentation
    • Notify existing accountholder of identity theft attempt
    • Monitor account of existing accountholder for suspicious inquiry requests or transactions
    • Refer incident to supervisor
    • Report an identity theft attempt or information breach through one of the options described under the "Where to get help"
    • Notify campus police

    Back to Top
  • Red flags - Employee emergency loans

    Applicability: Employee emergency loans

    Loan application review process red flags:
    Control Red Flag
    Review loan application for alteration or other indications of fraudulent application Loan application has been altered, destroyed and reassembled, or there are other signs the application is fraudulent
    Review loan application for use of a social security number, address, or phone number of an accountholder already on file Loan application contains the same social security number, address, or phone number as that of another accountholder already on file
    Review loan application for use of identifying information associated with fraudulent activity Loan application contains suspicious information, such as mail drop address, prison address, pager telephone number, or answering service telephone number
    For loan applications in which a consumer credit report is obtained, thoroughly review the credit report Consumer credit report contains a fraud alert, credit freeze, and/or address discrepancy notice
    For in-person loan applicants, verify identity by checking photo ID Photo and/or signature on identification does not match that of the applicant
    For applications requiring documentation of identity or other information, carefully review the documentation and information for forgery or alteration A document provided to verify identification appears forged, contains altered information, or has a signature that does not match that provided on the application
    Account maintenance and inquiry process red flags:
    Control: For phone or e-mail account inquiry or change request: Red Flag
    Validate identity of requester by requiring correct response(s) to challenge questions Account information requester is unable to answer challenge questions, such as providing a birth date or other information likely only to be known by the accountholder
    Request confirmation of the validity of request by contacting the accountholder by mail at the address on file, or via their campus E-mail, or by telephone at the number on file Accountholder indicates the request was not authorized in response to a mailed, e-mailed or telephoned confirmation request
    Control: For in-person account inquiry or change request Red Flag
    Verify the identity of the requester by examining photo identification before responding to request The identification photo and/or signature does not match the requester's appearance and/or signature
    Request confirmation of the validity of request by contacting the accountholder by mail at the address on file, by E-mail to their UCSC email address, or by telephone at the number on file Accountholder indicates the request was not authorized in response to a mailed, E-mailed, or telephoned confirmation request.
    Control: Accountholder notification Red Flag
    Provide an accountholder with instructions on reporting suspected unauthorized account access Notification is received that there has been unauthorized access to the account
    Inform accountholder to notify unit if he or she has been a victim of identity theft Notification is received that an accountholder has been a victim of identity theft.

    Red flag trigger response options
    The department plan for responding to the triggering of a red flag may include one or more of the following actions:

    • Do not open account until identity is verified
    • Request additional identification documentation
    • Request completion of a new application
    • Notify existing accountholder of identity theft attempt
    • Monitor account of existing accountholder for suspicious inquiry requests or transactions
    • Refer incident to Human Resources
    • Notify the appropriate supervisor or manager
    • Report an identity theft attempt or information breach through one of the options described under the "Where to get help" topic

    Back to Top
  • Red flags - External customers

    Applicability

    • Departmental credit account facilitating the sale of ancillary products and services to a person
    Credit application review process red flags:
    Control Red Flag
    Review credit application for alteration or other indications of fraudulent application Credit application has been altered, destroyed and reassembled, or there are other signs the application is fraudulent
    Review credit application for use of a social security number, address, or phone number of a accountholder already on file Credit application contains the same social security number, address, or phone number as that of an accountholder already on file
    Review credit application for use of identifying information associated with fraudulent activity Credit application contains suspicious information, such as mail drop address, prison address, pager telephone number, or answering service telephone number
    For credit applications in which a consumer credit report is obtained, thoroughly review the credit report Consumer credit report contains a fraud alert, credit freeze, and/or address discrepancy
    For in-person applicants, verify identity by checking government-issued photo ID Photo and/or signature on identification does not match that of the applicant
    For applications requiring documentation of identity or other information, carefully review the information for forgery or alteration A document provided to verify identification appears forged, contains altered information, or has a signature that does not match that provided on the application
    Account maintenance and inquiry process red flags:
    Control: For phone or e-mail account inquiry or change request Red Flag
    Validate identity of the requester by requiring correct response(s) to challenge questions Account information requester is unable to answer challenge questions, such as providing a birth date or other information likely only to be known by the accountholder.
    Request confirmation of the validity of request by contacting the accountholder by mail at the address on file or by telephone at the number on file Accountholder indicates the request was not authorized in response to a mailed or telephoned confirmation request.
    Control: For in-person account inquiry or change request Red Flag
    Verify the identity of the requester before responding to request The identification photo and/or signature does not match the requester’s appearance and/or signature
    Request confirmation of the validity of request by contacting the accountholder by mail at the address on file or by telephone at the number on file Accountholder indicates the request was not authorized in response to a mailed or telephoned confirmation request.
    Control: Accountholder notification Red Flag
    Provide an accountholder with instructions on reporting suspected unauthorized account access Notification is received that there has been unauthorized access to the account
    Inform accountholder to notify unit if he or she has been a victim of identity theft Notification is received that an accountholder has been a victim of identity theft
    Transaction activity monitoring process red flags:
    Control Red Flag
    Review account for significant changes or unusual activity Significant changes or unusual account activity is observed, such as unusually large charges being incurred or frequent transaction activity on an account that is infrequently used
    Implement a process for responding to instances of accountholder mail being repeatedly returned as undeliverable Accountholder mail is repeatedly returned as being undeliverable
    Provide an accountholder with instructions on reporting non-receipt of account statements or other account information Accountholder provides notification that account statements are not being received
    Provide an accountholder with instructions on reporting suspected unauthorized account access Notification is received that there has been unauthorized access to the account
    Inform accountholder to notify unit if he or she has been a victim of identity theft Notification is received that an accountholder has been a victim of identity theft

    Red flag trigger response options:
    The department plan for responding to the triggering of a red flag may include one or more of the following actions:

    • Do not open an account until identity is verified
    • Deny access to the account
    • Close the account and open a new one
    • Do not provide information or make an account change until identity is verified
    • Request additional identification documentation
    • Request completion of a new credit application
    • Notify existing accountholder of identity theft attempt
    • Change the account access password or challenge question
    • Monitor account of existing accountholder for suspicious inquiry requests or Notify credit reporting agency
    • Monitor account of existing accountholder for suspicious inquiry requests or transactions
    • Report an identity theft attempt or information breach through one of the options described under the “Where to get help” topic
    • Notify campus police

    Back to Top
  • Reporting an identity theft attempt

    Departments must have established procedures to respond to identity theft attempts. Some examples of responses to the triggering of a red flag include the following:

    Transaction activity monitoring process red flags:
    Trigger Potential Response
    Suspicious or fraudulent information provided to confirm identity or apply for credit Implement departmental procedure for denying access to information or rejecting change requests
    Accountholder informs department of unauthorized account access Implement departmental procedure for restricting access to account and/or closing old account and opening a new one
    Accountholder informs department of not receiving billing statements and/or other correspondence Implement departmental procedure for researching account problems
    Suspected information system breach Report incident to ITS Help Desk
    Release of accountholder information to an unauthorized party Report situation to controller@ucsc.edu
    Loss of paper-based customer account records Report situation to controller@ucsc.edu

    Back to Top
  • Covered accounts administered by third parties

    Third-party service providers administering UCSC covered accounts are responsible for complying with Red Flag Rules requirements.

    In the agreement with the provider, the responsible campus unit must ensure the provider has in place reasonable policies and procedures:

    • designed to detect, prevent, and mitigate the risk of identity theft in administering accounts, and
    • that are subject to periodic review and reporting requirements by UCSC representatives.

    Back to Top
  • References

    Federal Trade Commission: Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business

    UCSC Implementation Plan for Protection of Electronic Restricted Data


    Back to Top
  • Where to get help

    Assistance is available for the following topics:


    Back to Top
There are no results.