FTC Red Flags Rule
11/28/2011
The Federal Trade Commission, along with the banking regulatory agencies, has issued regulations intended to protect consumers from identity theft. Under the Red Flags Rule, as it is known, creditors with covered accounts are required to adopt and follow a written identity theft policy. Most colleges and universities are likely subject to the rule. After several delays, FTC began officially enforcing the identity theft rules under 16 CFR 681.2 on January 1, 2011.
NACUBO Resources
- Enforcement of Red Flags Rule Begins (January 26, 2011)
- FTC's Red Flags Rule Likely to Affect Colleges (September 23, 2008) A summary of the rule and an analysis of its applicability to institutions of higher education prepared for NACUBO by two attorneys from Hogan & Hartson, LLP.
FTC Resources
- Fighting Identity Theft with the Red Flags Rule. This "how-to guide for business" was prepared by the FTC to help you prepare and implement a program for identifying red flags and mitigating risk of identity theft. (May 2013)
- Federal Register notice--final rule (November 9, 2007)
- FTC Rules under 16 CFR Part 681. NACUBO has pulled out the relevant pages from the Federal Register notices and reformatted for easier reading.
- Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation, published as an appendix to the Red Flags Rule, provides an outline for developing a program (also reformatted).
Other Resources
- Sample Institutional Red Flags Policy #1: from "Green" University, a private research university in the south (November 24, 2008)
- Sample Institutional Policy #2--University of Puget Sound
- Sample Institutional Policy #3--University of California, Los Angeles
- Sample Institutional Policy #4--Xavier University
- Sample Institutional Policy #5--University of Connecticut