This policy applies to all UW System institutions that offer accounts as a means of continuing a relationship established by a person with the institution to obtain a product or service for personal, family, household or business purposes that involves or is designed to permit multiple payments or transactions. This policy also applies to any other account UW System institutions offer or maintain for which there is reasonably foreseeable risk to account holders or to the safety and soundness of the University from identity theft.
The purpose of this policy is to implement an identity theft prevention program at UW System institutions in compliance with Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003, and its implementing regulations, commonly known as the “Red Flags Rule” (“Rule”) issued by the Federal Trade Commission, 16 Code of Federal Regulations, Part 681.
The policy of the University of Wisconsin System is to protect persons holding certain consumer accounts with a UW System institution from identity theft through an appropriate program of identity theft detection, prevention, and mitigation.
Establishment of Institutional Identity Theft Prevention Programs
Each UW System institution must develop a plan for identifying patterns, practices, and specific forms of activity that indicate possible identity theft in connection with accounts covered by FACTA and the Red Flags Rule, and for implementing an institutional program of identity theft detection, prevention, and mitigation. Each UW System institution’s plan must include procedures and/or processes to address the following four basic program elements: 1) identify relevant red flags for the covered accounts that the University offers or maintains; 2) detect red flags that have been incorporated into the University’s plan; 3) respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and 4) update the University’s plan (including the red flags determined to be relevant) periodically to reflect changes in risks to customers and to the safety and soundness of the University from identity theft.
Identification of “Covered Accounts”
There are two types of “covered accounts”:
- An account that a financial institution or creditor, which includes all universities, offers or maintains, as a means of continuing a relationship established by a person with a University to obtain a product or service primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions. Examples may include but are not limited to: accounts established under the Federal Perkins Loan Program; approved partial tuition payment plans; any loan that is billed or paid monthly; campus spending accounts; transactions that involve deferred payment for goods and services or that bill customers.
- Any other account that the University offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the University from identity theft, including financial, operational, compliance, reputation, or litigation risks.
UW System institutions shall review other billing accounts and arrangements to determine whether they are covered by FACTA and the Red Flags Rule.
Identification and Detection of Red Flags
As used in the Rule, a “red flag” is any pattern, practice, or activity that indicates the possible existence of identity theft. For all covered accounts, UW System institutions shall review the methods to open or access such accounts, and any previous instances of identity theft in connection with such accounts. Categories of red flags include: (a) notifications or warnings from customers, credit reporting agencies, and other third parties; (b) presentation of suspicious documents; (c) unusual account activity; and (d) presentation of suspicious identifying information. Each institution shall review current policies and procedures to address detection of red flags for each type of covered account, focusing on verifying identity, authenticating customers, monitoring transactions, and verifying the validity of change of address requests.
Responses to Red Flags
UW System institutions shall implement appropriate responses to detected red flags to prevent and mitigate identity theft. Appropriate responses may include: (a) denying access to the covered account until the red flag is eliminated; (b) contacting the account holder; (c) changing passwords, security codes, or other security devices that permit access to a covered account; (d) closing the account; (e) notifying law enforcement; or (f) determining that no response is warranted under the circumstances.
Each UW institution shall periodically report on compliance with the Red Flags Rule and this RPD. The report format and periodicity shall be developed by and submitted to the UW System Vice President for Finance and Administration.
Each UW institution shall identify appropriate employees to be trained on the Red Flags Rule and ensure they are properly trained in areas related to identity theft. The UW System Office of Information Security will make training available to UW System employees.
Oversight, Roles & Responsibilities
The Office of Financial Administration will exercise appropriate and effective oversight and, in collaboration with the Office of General Counsel, interpret and communicate regulatory changes from the FTC that could impact UW System’s Red Flags Rule program compliance.
Delegation to Chancellor or Designee
The chancellor of each UW System institution, or his or her designee, shall have primary responsibility for developing, implementing, and updating an institutional identity theft prevention program. Each UW System institution shall:
- Designate an institutional lead, responsible office and primary manager for their institution’s Red Flags Rule program and submit that name to the Office of Compliance and Integrity; and
- Review, update and submit the plan for its identity theft prevention program to the UW System Vice President for Finance and Administration.
The designated official at each institution shall, as appropriate, periodically review the institution’s experiences with identity theft, changes in identity theft methods, risks, detection, and prevention, and make necessary changes to the institutional plan. New accounts or activities that may constitute covered accounts shall be reviewed for inclusion in the institutional program. Any subsequent changes to an institution’s plan shall be submitted to the UW System Vice President for Finance and Administration.
Related RPDs and Applicable Policies
- 16 CFR 681 “Identity Theft Rules”
History: Res. 9598, adopted 02/06/2009, created Regent Policy Document 21-4. Res. 10835, adopted 03/09/2017, authorized technical corrections. Res. 11749, adopted 12/10/2021, amended Regent Policy Document 21-4. Technical correction made on 03/02/2023, as authorized by Res. 10835 (adopted 3/9/2017).