Red Flags Rule

Overview

The Red Flags Rule is associated with a federal law that requires the University to implement an identity theft prevention program in order to detect the warning signs, or "red flags," of identity theft.

Key Terms
  • Account - an account starts with a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household, or business purposes. In the University context, this includes student accounts and loans associated with federal student assistance programs.
  • Covered Account - under the regulation, covered accounts are those for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor by identity theft, including financial, operational, compliance, reputation, or litigation risks
  • Red Flag - a pattern, practice, or specific activity that indicates the possible existence of identity theft 
Regulation Requirements 

Periodic Identification of Covered Accounts

  • Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts.

Establishment of an Identity Theft Program

  • Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account 
  • The program must include reasonable policies and procedures to: 
    • Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its program
    • Detect Red Flags that have been incorporated into the program of the financial institution or creditor 
    • Respond appropriately to any Red Flags that are detected
    • Ensure the program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft

Administration of the Program

  • Each financial institution or creditor that is required to implement a program must provide for the continued administration of the program and must: 
    • Obtain approval of the initial written program from either its board of directors or an appropriate committee of the board of directors
    • Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation, and administration of the program 
    • Train staff, as necessary, to effectively implement the program 
    • Exercise appropriate and effective oversight of service provider arrangements
    • Consider the guidelines when developing the program 
Pitt Practices
  • At present, the University has identified student accounts associated with federal student assistance programs as covered accounts.
  • The University annually conducts risk assessments of those applications associated with student financial accounts to ensure their security. 
  • The CIE Office is working with the Office of Policy Development and Management to establish the University's Identity Theft Prevention Policy, procedures, and compliance program. 
  • Once policy work is complete, the CIE Office will ensure that:
    • designated employees at the level of senior management are responsible for the implementation and administration of the program
    • staff are trained, as necessary, to effectively implement the program
    • appropriate and effective oversight of service provider arrangements is exercised