FAIR AND ACCURATE CREDIT
TRANSACTIONS ACT (FACTA)RED FLAG RULES
University of Washington
Red Flag Rules
Protecting Against Identity Fraud
Objectives








Introduction to the law and why it applies to the
University
Understand what the law requires
Understand what type of information is used in identity
theft
Understand the types of Red Flags
What do to do if a Red Flag surfaces
Security of information
Describe the role of UW central office support
Provide resources regarding Red Flag rules
FACTA - Red Flag Rules
The Financial Institution Regulators have issued a final
rule (the Red Flag Rule) under sections 114 and 315 of
the Fair and Accurate Credit Transactions Act (FACTA),
which amended the Fair Credit Reporting Act (FCRA).
The Red Flag Rule requires financial institutions (the
University of Washington is considered a financial
institution) and creditors that hold covered accounts
(e.g..; student loan) to develop and implement an
identity theft prevention program for new and existing
accounts.
Requirements of the Law




Identify risks that signify potentially fraudulent
activity
Detect risks
Respond to risks to determine if fraudulent
activity has occurred
Update the program periodically
Personally Identifiable Information
Consumer’s

First, middle, or last name

Date of birth

Address

Telephone or wireless numbers

Social Security number

Maiden name

Account numbers
Credit card information

Account number (whole or part)

Expiration date

Cardholder name

Cardholder address
Medical information for any customer

Doctor names and claims

Insurance claims

Prescriptions

Treatment or diagnoses

Any related personal medical information
Red Flag Alerts











Documents provided for identification appear to have been altered or forged
The photograph or physical description on the identification is not consistent with the
appearance of the applicant or customer presenting the identification
An application appears to have been altered or forged, or gives the appearance of
having been destroyed and reassembled.
Personal identifying information provided is inconsistent when compared against
external information.
The Social Security number provided is the same as that submitted by others.
Social Security numbers do not match on all documents.
The customer fails to provide all required personal identifying information on an
application or in response to notification that the application is incomplete
Personal identifying information provided is not consistent with personal identifying
information on file.
Excessive address changes.
Unusual number of inquires on the account.
A student asking for their student number because they lost their ID card.
What To Do When A Red Flag
Surfaces?








Most important - notify your manager immediately
Gather all related documentation
Write a description of the situation
Monitor the account involved
Contact the customer
Change passwords if needed
Notify law enforcement
Or determine no response is warranted in this case
Protection of Customer Information
The University is committed to providing
protection from identity theft.
It is the law:
 The Gramm Leach-Bliley Act (GLB)


requires protection of customers’ information

https:www.washington.edu/admin/finacct/office/glb/glbprog.html
The Family Educational Rights and Privacy
Act(FERPA) of 1974 (20 U.S.C. §1232g ; 34 CFR Part
99)


is a federal law that protects the privacy of students
www.washington.edu/students/reg/ferpa.html
Information Safeguards
Safeguards to protect the security, confidentiality, and
integrity of customer information fall into 3 basic
categories:



Administrative
Technical
Physical
A department that handles non-public personal information must
assume responsibility for safeguard procedures. Each department
must have a security policy to comply with the law requirements for
safeguarding information. Employees must adhere to those
safeguard procedures.
Information Safeguards
Administrative Safeguards focus on departmental
processes and include, but are not limited to:






Adhering to standards for handling customer information
Following basic steps to protect customer information (see next
slide)
Promoting awareness and knowledge about applicable policies
and expectations
Limiting access to customer information to employees who have
a business need to see it
Referring calls or requests for customer information to staff
trained to respond to such requests
Being alert to fraudulent attempts to obtain customer information
and reporting these to management for referral to appropriate
law enforcement agencies
Information Safeguards
Technical Safeguards:
Technical safeguards regarding hardware and
networking are generally designed and provided to
campus by Computing and Communications.
Department staff must be aware and knowledgeable
regarding how their digital customer information is
safeguarded.
Information Safeguards
Technical Safeguards – Your Workstation:





Use anti-virus software that updates automatically
Maintain up-to-date firewalls if your department
manages them internally, particularly if your department
uses broadband Internet access or allows staff to
connect to the network from home
Use a password protected screensaver or logoff the
computer each time you step away
Do not store non-public personal information on
personal workstations, use the University network only
Do not send non-public personal information via email
Information Safeguards
Technical Safeguards – Your Passwords:




Do not post your passwords on or near your terminal
Do not give your passwords out to anyone
Change your passwords periodically (see C&C
recommendations on MyUW)
Use complex passwords
 “Ule@#NEVR!!!gessmy1285pazwRRd”
Information Safeguards
Technical Safeguards – Physical Environment:




Lock and Secure rooms and file cabinets where
customer information is kept and limit access to
authorized employees
Ensure that storage areas are protected against damage
from physical hazards, like fire or floods
Do not leave credit card slips, bank documents or other
similar documents in public view
Dispose of information appropriately (see next slide)
Information Safeguards
Physical Safeguards –Appropriate disposal:






Designate a trained staff member to supervise the disposal of
records containing customer personal information
Shred or recycle customer information recorded on paper and store
it in a secure area until the shredding/recycling service picks it up
Erase all data when disposing of computers, diskettes, magnetic
tapes, hard drives or any other electronic media that contains
customer information
Promptly dispose of outdated customer information within record
retention policies
Shred printed material containing financial or personal information
once it is no longer needed
NEVER throw documents containing Credit Card, banking, or other
non-public personal information directly into the trash or recycling
UW Support
The University of Washington provides support by:






periodically assessing security risks
communicating through this training program
providing guidelines for secure computer data
providing resource and educational materials
providing security tools and software
providing support for safeguard failure response
Every Department Plays a Role
Each department:




is required to have a security policy
is responsible for training staff
needs to be aware of red flags
needs to assure that staff are familiar with the web sites for
safeguarding information of these three types:



administrative
technical
physical
The University of Washington central office staff provide support and
resources for you to help protect non-public personal information.
Resources
Available resources:
Many policies, procedures and resources are available
that support our efforts to protect non-public personal
information. A list of related resources can be found on
the University of Washington Information Security
Program web page.