Red Flags Rule (Preventing Identity Theft) (2024)

Red Flags Rule (Preventing Identity Theft)

Before you start
Purpose
Scope
Red flags - Student accounts
Red flags - Employee emergency loans
Red flags - External customers
Reporting an identity theft attempt
Covered accounts administered by third parties
References
Where to get help

  • Before you start

    A “covered account” is a receivable (billing) account that a department establishes and maintains for extending credit to a person for personal, family, household, or business purposes.

    A “red flag” means a pattern, practice or specific activity that indicates the possible existence of a fraud being committed or attempted using the personal identifying information of another person without authorization.

    “Personally Identifiable Information” (PII) means a person’s first name or initial and last name, in combination with any one or more of the following:

    • Social Security number (SSN)
    • Drivers license number or State-issued Identification Card number
    • Account number, credit card number, or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s account
    • Medical information, which includes any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
    • Health insurance information, which includes a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person, or any information in a person’s application and claims history, including any appeals records

    Back to Top

  • Purpose

    See Also
    A Psychologist Explains: How Do You Recognise Red Flags in a Relationship?

    A red flag is intended to serve as an indicator of an attempt by an unauthorized party to steal the identity of an accountholder.

    Each campus unit maintaining covered account information or having responsibilities that include disclosing or sharing covered account information must:

    • Implement red flags controls and triggers in its account management processes,
    • Implement a plan and procedures for effectively reacting to the triggering of a red flag, and
    • Ensure employees involved in account management processes receive adequate training and guidance on protecting accountholder information.

    Back to Top

  • Scope

    The Red Flags Rule applies to the following types of UCSC covered accounts:

    • Deferred student tuition and fee payment plan
    • Student emergency loan
    • Employee emergency loan
    • Departmental account facilitating the sale of ancillary products and services to a person (in person or via the web)

    Back to Top

  • Red flags - Student accounts

    Applicability

    • Deferred student tuition and fee payment plan
    • Student emergency loan
    Enrollment Process Red Flags:
    ControlRed Flag
    Verify the identity of the student before registering studentStudent is unable to provide identifying information, such as name, date of birth, academic records, home address or other identification
    Verify the identity of the student before identification card is issuedGovernment-issued photo identification reviewed at the time of issuance of student identification card does not match appearance of the student
    In person, student account identity verification process red flags:
    ControlRed Flag
    Student identification documents are examined for alterations, or other signs of forgery or tampering. Request additional identification documentation. (student admission or enrollment may be held until verification occurs)Identity documents appear to be altered or forged
    Government-issued photo ID of a student is examined to verify identity (request additional identification documentation)Identification card photo does not match appearance of the student
    Compare name and/or other identifying information provided to identifying information that may be on file. (Notify college advisor, appropriate units, and student of incident, monitor for unusual activity. Campus police may be notified.) Identifying information provided matches that of another student or account holder
    Access to accountholder records is restricted to authorized individuals:
    ControlRed Flag
    The record keeping system is monitored for unauthorized access or unusual activity. (Notify UCSC Security Team and accountholder of security breach. Security team freezes account. The password and/or challenge questions enabling the account holder access to account information are reset. Monitor account for unusual activity.)An unauthorized party has accessed accountholder information.
    An accountholder is provided with instructions on how to report non-receipt of departmental communications (verify identity of accountholder and accuracy of addresses on record. Update accountholder information and provide confirmation of changes to the accountholder via email. The password and challenge questions enabling the account holder access to account information are reset. Monitor account for unusual activity.)Notification received from accountholder of not having received account-related communications
    Account maintenance and inquiry process red flags:
    Control: For phone, portal, email, or mailed account inquiry or change requestRed Flag
    Phone: For phone requests, prior to allowing access or making changes, validate identity of requester by requiring identity information likely to be known only by the accountholder and/or correct responses to challenge questions. (Notify accountholder of potential unauthorized access, deny access to account and do not process inquiry or change request. Close the account and open a new one. Monitor account for unusual activity.)Information provided does not match information on file.
    UCSC Portal: Requests for account information or an account change received through the portal. Require that the individual requesting information provide a valid password or correctly answer challenge questions(s). Notify accountholder of (potential) unauthorized access and monitor account for unusual activity. (Deny access to account. Do not process inquiry or change request.) An invalid password or response to challenge questions is provided
    Email: The identity of an individual requesting account information or an account change by email is verified to be that of the accountholder prior to allowing access or making a change. (Contact accountholder at the telephone number on file to validate request before processing. Send a confirmation to accountholder only at the email address on file and monitor account for unusual activity.)The individual requesting information asks that it be sent to someone other than the accountholder or to an email address or location other than the one on file
    Mail: The identity of an individual requesting account information or an account change by mail is verified to be that of the accountholder prior to allowing access or making a change. (Match the signature provided on the request to the accountholder signature on file, and/or validate the request through a confirming phone call or email sent to the email address or phone number on record. Monitor account for unusual activity.)Signature on file does not match signature on mailed request.
    Contact accountholder by phone, mail or email on file to validate request. Send confirmation to accountholder at the email or mailing address on file and monitor account for unusual activityThe requester asks that the information be sent to someone other than the accountholder or to an email address or location other than the one on file
    Control: For in-person account inquiry or change requestRed Flag
    Verify the identity of the requester by examining photo identification before responding to request (deny access to account and do not process inquiry or change request. Notify account holder of potential unauthorized access and monitor account for unusual activity.)The identification photo and/or signature does not match the requester’s appearance and/or signature. Identification documents appear to be altered or forged
    Request confirmation of the validity of a request by contacting the accountholder through UCSC portal (myucsc.ucsc.edu), by mail to the address on file, or by telephone at the number on file.Accountholder indicates the request was not authorized in response to emailed, mailed, or telephoned confirmation request
    Match information provided by the individual, such as address, telephone number, and/or challenge questions to information kept on file. (Deny access to account and do not process inquiry or change request. Notify accountholder of potential unauthorized access and monitor account for unusual activity.)Information provided does not match information on file
    Control: Accountholder notification:Red Flag
    Provide an accountholder with instructions for reporting suspected unauthorized account accessNotification is received that there has been unauthorized access to an account
    Inform accountholder to notify unit if he or she has been a victim of identity theftNotification is received that an accountholder has been a victim of identity theft
    Review accounts on a periodic basis for unusual transaction activity. (Confirm the validity of transaction activity with the accountholder, monitor account for unusual activity, deny access to the account.)Unusual transaction activity, such as uncharacteristic amounts, volumes, and/or timing observed
    Accountholders are provided with instructions on reporting non-receipt of account statements. (Confirm mailing address with accountholder through a phone call or email to the phone or email on file. Deny access to the account. Monitor account for unusual activity.)Accountholder notifies department of non-receipt of account statement.

    Red Flag Trigger Response Options
    The department plan for responding to the triggering of a red flag may include one or more of the following actions:

    • Request additional identification documentation
    • Notify existing accountholder of identity theft attempt
    • Monitor account of existing accountholder for suspicious inquiry requests or transactions
    • Refer incident to supervisor
    • Report an identity theft attempt or information breach through one of the options described under the "Where to get help"
    • Notify campus police

    Back to Top

  • Red flags - Employee emergency loans

    Applicability: Employee emergency loans

    Loan application review process red flags:
    ControlRed Flag
    Review loan application for alteration or other indications of fraudulent applicationLoan application has been altered, destroyed and reassembled, or there are other signs the application is fraudulent
    Review loan application for use of a social security number, address, or phone number of an accountholder already on fileLoan application contains the same social security number, address, or phone number as that of another accountholder already on file
    Review loan application for use of identifying information associated with fraudulent activityLoan application contains suspicious information, such as mail drop address, prison address, pager telephone number, or answering service telephone number
    For loan applications in which a consumer credit report is obtained, thoroughly review the credit reportConsumer credit report contains a fraud alert, credit freeze, and/or address discrepancy notice
    For in-person loan applicants, verify identity by checking photo IDPhoto and/or signature on identification does not match that of the applicant
    For applications requiring documentation of identity or other information, carefully review the documentation and information for forgery or alterationA document provided to verify identification appears forged, contains altered information, or has a signature that does not match that provided on the application
    Account maintenance and inquiry process red flags:
    Control: For phone or e-mail account inquiry or change request:Red Flag
    Validate identity of requester by requiring correct response(s) to challenge questionsAccount information requester is unable to answer challenge questions, such as providing a birth date or other information likely only to be known by the accountholder
    Request confirmation of the validity of request by contacting the accountholder by mail at the address on file, or via their campus E-mail, or by telephone at the number on fileAccountholder indicates the request was not authorized in response to a mailed, e-mailed or telephoned confirmation request
    Control: For in-person account inquiry or change requestRed Flag
    Verify the identity of the requester by examining photo identification before responding to requestThe identification photo and/or signature does not match the requester's appearance and/or signature
    Request confirmation of the validity of request by contacting the accountholder by mail at the address on file, by E-mail to their UCSC email address, or by telephone at the number on fileAccountholder indicates the request was not authorized in response to a mailed, E-mailed, or telephoned confirmation request.
    Control: Accountholder notificationRed Flag
    Provide an accountholder with instructions on reporting suspected unauthorized account accessNotification is received that there has been unauthorized access to the account
    Inform accountholder to notify unit if he or she has been a victim of identity theftNotification is received that an accountholder has been a victim of identity theft.

    Red flag trigger response options
    The department plan for responding to the triggering of a red flag may include one or more of the following actions:

    • Do not open account until identity is verified
    • Request additional identification documentation
    • Request completion of a new application
    • Notify existing accountholder of identity theft attempt
    • Monitor account of existing accountholder for suspicious inquiry requests or transactions
    • Refer incident to Human Resources
    • Notify the appropriate supervisor or manager
    • Report an identity theft attempt or information breach through one of the options described under the "Where to get help" topic

    Back to Top

  • Red flags - External customers

    Applicability

    • Departmental credit account facilitating the sale of ancillary products and services to a person
    Credit application review process red flags:
    ControlRed Flag
    Review credit application for alteration or other indications of fraudulent applicationCredit application has been altered, destroyed and reassembled, or there are other signs the application is fraudulent
    Review credit application for use of a social security number, address, or phone number of a accountholder already on fileCredit application contains the same social security number, address, or phone number as that of an accountholder already on file
    Review credit application for use of identifying information associated with fraudulent activityCredit application contains suspicious information, such as mail drop address, prison address, pager telephone number, or answering service telephone number
    For credit applications in which a consumer credit report is obtained, thoroughly review the credit reportConsumer credit report contains a fraud alert, credit freeze, and/or address discrepancy
    For in-person applicants, verify identity by checking government-issued photo IDPhoto and/or signature on identification does not match that of the applicant
    For applications requiring documentation of identity or other information, carefully review the information for forgery or alterationA document provided to verify identification appears forged, contains altered information, or has a signature that does not match that provided on the application
    Account maintenance and inquiry process red flags:
    Control: For phone or e-mail account inquiry or change requestRed Flag
    Validate identity of the requester by requiring correct response(s) to challenge questionsAccount information requester is unable to answer challenge questions, such as providing a birth date or other information likely only to be known by the accountholder.
    Request confirmation of the validity of request by contacting the accountholder by mail at the address on file or by telephone at the number on fileAccountholder indicates the request was not authorized in response to a mailed or telephoned confirmation request.
    Control: For in-person account inquiry or change requestRed Flag
    Verify the identity of the requester before responding to requestThe identification photo and/or signature does not match the requester’s appearance and/or signature
    Request confirmation of the validity of request by contacting the accountholder by mail at the address on file or by telephone at the number on fileAccountholder indicates the request was not authorized in response to a mailed or telephoned confirmation request.
    Control: Accountholder notificationRed Flag
    Provide an accountholder with instructions on reporting suspected unauthorized account accessNotification is received that there has been unauthorized access to the account
    Inform accountholder to notify unit if he or she has been a victim of identity theftNotification is received that an accountholder has been a victim of identity theft
    Transaction activity monitoring process red flags:
    ControlRed Flag
    Review account for significant changes or unusual activitySignificant changes or unusual account activity is observed, such as unusually large charges being incurred or frequent transaction activity on an account that is infrequently used
    Implement a process for responding to instances of accountholder mail being repeatedly returned as undeliverableAccountholder mail is repeatedly returned as being undeliverable
    Provide an accountholder with instructions on reporting non-receipt of account statements or other account informationAccountholder provides notification that account statements are not being received
    Provide an accountholder with instructions on reporting suspected unauthorized account accessNotification is received that there has been unauthorized access to the account
    Inform accountholder to notify unit if he or she has been a victim of identity theftNotification is received that an accountholder has been a victim of identity theft

    Red flag trigger response options:
    The department plan for responding to the triggering of a red flag may include one or more of the following actions:

    • Do not open an account until identity is verified
    • Deny access to the account
    • Close the account and open a new one
    • Do not provide information or make an account change until identity is verified
    • Request additional identification documentation
    • Request completion of a new credit application
    • Notify existing accountholder of identity theft attempt
    • Change the account access password or challenge question
    • Monitor account of existing accountholder for suspicious inquiry requests or Notify credit reporting agency
    • Monitor account of existing accountholder for suspicious inquiry requests or transactions
    • Report an identity theft attempt or information breach through one of the options described under the “Where to get help” topic
    • Notify campus police

    Back to Top

  • Reporting an identity theft attempt

    Departments must have established procedures to respond to identity theft attempts. Some examples of responses to the triggering of a red flag include the following:

    Transaction activity monitoring process red flags:
    TriggerPotential Response
    Suspicious or fraudulent information provided to confirm identity or apply for creditImplement departmental procedure for denying access to information or rejecting change requests
    Accountholder informs department of unauthorized account accessImplement departmental procedure for restricting access to account and/or closing old account and opening a new one
    Accountholder informs department of not receiving billing statements and/or other correspondenceImplement departmental procedure for researching account problems
    Suspected information system breachReport incident to ITS Help Desk
    Release of accountholder information to an unauthorized partyReport situation to controller@ucsc.edu
    Loss of paper-based customer account recordsReport situation to controller@ucsc.edu

    Back to Top

  • Covered accounts administered by third parties

    Third-party service providers administering UCSC covered accounts are responsible for complying with Red Flag Rules requirements.

    In the agreement with the provider, the responsible campus unit must ensure the provider has in place reasonable policies and procedures:

    • designed to detect, prevent, and mitigate the risk of identity theft in administering accounts, and
    • that are subject to periodic review and reporting requirements by UCSC representatives.

    Back to Top

  • References

    Federal Trade Commission: Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business

    UCSC Implementation Plan for Protection of Electronic Restricted Data


    Back to Top

  • Where to get help

    Assistance is available for the following topics:

    • Identity theft attempt related to application for credit, account inquiry, or account change request: controller@ucsc.edu
    • Information system or records breach:
      • Online: https://itrequest.ucsc.edu/security/report.html
      • Email: help@ucsc.edu
      • Phone: 831-459-4357
      • In-person: 54 Kerr Hall
    • Red Flags Rule implementation assistance: controller@ucsc.edu

    Back to Top

There are no results.

Red Flags Rule (Preventing Identity Theft) (2024)
Top Articles
Euro 2024 fixtures, schedule, teams, venues: All you need to know about summer tournament in Germany
Exit Poll 2024: Don't bow down to any unconstitutional means, says Kharge
Fearmonger Madden 23
Hdmovie2 .Com
What happens if you don't use your credit card balance?
Is it hard to get a car loan with a 570 credit score?
Fire Emblem Heroes Tier List (July 2024)
Sorcerer - Heroes of Hammerwatch wiki
Craigslist Middletown Ohio
Guide:Crafting | PoE Wiki
Cartel Funkytown Video: Unveiling the Dark Side of the Music Industry
Unveiling The Enigma: Exploring Funkytowngorevideo's Impact And Controversy
Latest Posts
Cities with the fewest community pools per capita - Swimply Blog
AP Exit Poll 2024 Result Live: Jagan Mohan Reddy vs Chandrababu Naidu. Who wins Andhra's vote?
Article information

Author: Gregorio Kreiger

Last Updated:

Views: 5469

Rating: 4.7 / 5 (57 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Gregorio Kreiger

Birthday: 1994-12-18

Address: 89212 Tracey Ramp, Sunside, MT 08453-0951

Phone: +9014805370218

Job: Customer Designer

Hobby: Mountain biking, Orienteering, Hiking, Sewing, Backpacking, Mushroom hunting, Backpacking

Introduction: My name is Gregorio Kreiger, I am a tender, brainy, enthusiastic, combative, agreeable, gentle, gentle person who loves writing and wants to share my knowledge and understanding with you.