Red Flags Rule

Identity Theft Prevention Program: Updated April 17, 2018

The Red Flags Rule (RFR) requires the University to implement a written identity theft prevention program designed to detect the warning signs (or "red flags") of identity theft in day-to-day operations. Each unit that handles covered accounts must develop reasonable policies and procedures to identify, detect, and respond to red flags in their area. The regulation includes additional responsibilities for users of consumer reports and units that issue credit or debit cards (including certain declining balance cards such as Gopher Gold). Read more about Fighting Fraud with the Red Flags Rule (pdf) in this information provided by the Federal Trade Commission (FTC).

The Controller’s Office provides oversight for the University’s Identity Theft Prevention Program. The following materials are provided in support of this role.


Information about Gramm-Leach-Bliley Act (GLBA)

Information about PCIDSS

  • University’s Identity Theft Prevention Program (pdf)
    This document describes how the University complies with the Red Flags Rule. All units that handle covered accounts must comply with the guidelines described in this Program.
  • RFR Certification of Compliance Form (pdf) Annual completion required
    Colleges and administrative units that must comply with one or more sections of the Red Flags Rule must annually complete and submit this form to the Controller’s Office.

The following support documents can help you determine if you handle covered accounts; and if so, what steps you must take to comply with our Program.

  • RFR Self-Identification Questionnaire (pdf)
    This four-question form helps you decide quickly if your area is in-scope.
  • RFR Compliance Guidance (pdf)
    Use this document to determine which sections of the Red Flags Rule apply to your area and how to comply.
  • RFR Department Identity Theft Prevention Plan (docx)
    This document offers a starting point for in-scope units to identify processes and procedures that assure compliance. It is a good business practice to document processes and procedures employees are expected to follow. Units are encouraged to build on or reference existing practices.
  • FTC Examples of 26 Red Flags (pdf)
    Guidance information provided by the Federal Trade Commission (FTC).
  • Incident Log (Optional) (xlsx)
    This optional template may help you track identity theft attempts or incidents in your area that could suggest a need for changes to your processes or procedures. Completion is not required.

The following training document provides a quick overview of the Red Flags Rule regulation. This document can be used as part of a unit-specific initiative to train employees who must comply with the University’s Identity Theft Prevention Program.