What is the Red Flags Rule ?

The Red Flags Rule was issued by the Federal Trade Commission (FTC) in 2009 to help organizations detect, prevent, and mitigate identity theft in their daily operations.  It requires banks and other institutions that maintain covered accounts to implement a formal Identity Theft Prevention Program.

The University's Identity Theft Prevention Program (ITPP), section 4.0 of the UO Fiscal Procedures is available on the UO Fiscal Policy Manual site.  The program was originally developed by the former Oregon University System and was refined in 2020 by the UO Red Flags team.

Red Flags are suspicious patterns or practices encountered in our daily operations that indicate the possibility that identity theft may occur.

Identity Theft is the unauthorized use of another persons personal identifying information.

UO Red Flags Team

1. Registrar, Jim Bouse
2. BA Student Financial Services, Krista Borg
3. Payroll, Vacant
4. BA Financial Services, Kelly Wolf
5. University Health Center, Volga Koval
6. BA Information Systems, Mark McCulloch
7. Information Security Office and IS Accounts Team, Cleven Mmari
8. Financial Aid, Morgan Ramsey Daniel
9. UO Card Office, Tamarra White

The UO ITPP identifies several Identity Theft Prevention Units ITPUs across campus whose services and activities confer some risk of identity theft.  ITPUs are responsible for:

1. Maintaining written procedures for detecting, preventing, mitigating, and reporting instances of identity theft.
2. Ensuring staff engaged in these activities participate annually in identity theft prevention training.
3. Verify the identity of persons before providing services, and sharing personal identfying information.
4. Ensuring service providers with access to identifying information are contractually obligated to safeguard it.
5. Participate each year in a survey conducted by the program administrator, to ensure the aforementioned responsibiities are carried out.

UO Materials:

1. 2020/2021 Annual Report to be completed by Identity Theft Prevention Units (ITPUs),
2. Report a Security incident, if a Red Flag is detected.
3. UO Identity Theft Prevention Program document (contact program administrator Mark McCullloch mmccullo@uoregon.edu).
4. UO Identity Theft Prevention Red Flags Training in My Track Learning Library
5. Red Flags Team Charter

External Resources:

• Full text of the FTC's Red Flags Rule FTC 16 CFR Part 681, as amended by the Red Flag Program Clarification Act of 2010 (effective Jan. 1, 2011)
• SEC and CFTC's final Identity Theft Red Flags Rule rule (effective May 20, 2013)
• Other FTC resources:
  • Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business
  • Consumer Information on Identity Theft
  • Protecting Personal Information: A Guide for Business
  • Consumer Sentinal Network Data Book 2019
  • Identity Theft Recovery Plan
• NACUBO Red Flags Rule resources
• IRS site on Identity Protection