What is the Red Flags Rule ?

The Red Flags Rule was issued by the Federal Trade Commission (FTC) in 2009 to help organizations detect, prevent, and mitigate identity theft in their daily operations.  It requires banks and other institutions that maintain covered accounts to implement a formal Identity Theft Prevention Program.

The University's Identity Theft Prevention Program (ITPP) is defined in Department Fiscal Procedure 4. Department Fiscal Procedures are published at the bottom of the the UO Fiscal Policy Manual site under the heading Related Resources  

The program was originally developed by the former Oregon University System and was refined in 2020 by the UO Red Flags team.

Red Flags are suspicious patterns or practices encountered in our daily operations that indicate the possibility that identity theft may occur.

Identity Theft is the unauthorized use of another persons personal identifying information.

ITPUs

The UO ITPP identifies the following Identity Theft Prevention Units (ITPUs) across campus whose services and activities confer some risk of identity theft or have a role in the remediation of incidents,

Registrar, Admissions, Financial Aid, Division of Graduate Studies, Information Security Office, Office of the Provost, Global Engagement, ID Card Office, Transportation Services, Purchasing and Contracting Services, Accounts Payable, Payroll, Tax Accounting, Student Financial Services, Human Resources, UOPD, Dean of Students, Health Center, Housing/Dining, EMU Ticket Office, Advancement, and Safety and Risk Services.

ITPUs are responsible for:

1. Maintaining written procedures for detecting, preventing, mitigating, and reporting instances of identity theft.
2. Ensuring staff engaged in these activities participate annually in identity theft prevention training.
3. Verify the identity of persons before providing services, and sharing personal identfying information.
4. Ensuring service providers with access to identifying information are contractually obligated to safeguard it.
5. Participate each year in a survey conducted by the program administrator, to ensure the aforementioned responsibiities are carried out.

UO Materials:

1. Report a security incident (suspected identity theft).
2. UO Identity Theft Prevention Program document.  Contact program administrator Mark McCullloch mmccullo@uoregon.edu.
3. UO Identity Theft Prevention Red Flags Training in My Track Learning Library
4. Red Flags Team Charter
5. General advice for identity theft prevention and recovery.

External Resources:

• Full text of the FTC's Red Flags Rule FTC 16 CFR Part 681, as amended by the Red Flag Program Clarification Act of 2010 (effective Jan. 1, 2011)
• SEC and CFTC's final Identity Theft Red Flags Rule rule (effective May 20, 2013)
• Other FTC resources:
  • Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business
  • Consumer Information on Identity Theft
  • Protecting Personal Information: A Guide for Business
  • Consumer Sentinel Fraud Reports
  • Identity Theft Recovery Plan
• NACUBO Red Flags Rule resources
• IRS site on Identity Protection