Privacy Office T1

Identity Theft Prevention (Red Flags Rule)

Overview

The Red Flags Rule is associated with a federal law that requires the University to implement an identity theft prevention program in order to detect the warning signs, or "red flags" of identity theft. 

Key Terms 
  • Account - an account starts with a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household, or business purposes. In the University context, this includes student accounts and loans associated with federal student assistance programs.
  • Covered Account - under the regulation, covered accounts are those for which there is a reasonably foreseeable risk to customers or to the safety  and soundness of the financial institution or creditor by identity theft, including financial, operational, compliance, reputation, or litigation risks.
  • Red Flag - a pattern, practice, or specific activity that indicates the possible existence of identity theft.
Regulation Requirements 

Periodic Identification of Covered Accounts

  • Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts.

Establishment of an Identity Theft Program

  • Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account
  • The program must include reasonable policies and procedures to:
    • Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its program
    • Detect Red Flags that have been incorporated into the program of the financial institution or creditor
    • Respond appropriately to any Red Flags that are detected
    • Ensure the program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft

Administration of the Program

  • Each financial institution or creditor that is required to implement a program must provide for the continued administration of the program and must:
    • Obtain approval of the initial written program from either its board of directors or an appropriate committee of the board of directors
    • Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation, and administration of the program
    • Train staff, as necessary, to effectively implement the program
    • Exercise appropriate and effective oversight of service provider arrangements
    • Consider the guidelines when developing the program 
Pitt Practices

Identity theft protection program

Contact Us

For assistance of guidance regarding University-level compliance, investigations and ethics, please contact: 

compliance@pitt.edu