Red Flags Program: Identity Theft Prevention

Mission:  Prevent the unauthorized access, use, or release of personally identifiable information, in any form, that could lead to identity theft.

Statutory and Regulatory Basis:  The Fair and Accurate Credit Transaction Act (FACTA) of 2003 and the subsequent Federal Trade Commission (FTC) Red Flags Rule of 2007.

UVA Policy:  FIN-031, Prevention, Detection, and Mitigation of Identity Theft, articulates the University's commitment to protect stakeholder (employee, student, etc.) information, which the loss or misuse of could result in identity theft.

Scope of Covered Activities: Your University business unit or department must participate in Red Flags Program if:

  • You provide goods or services for which payment can be deferred to an account established with the University.  For example, you allow students to purchase goods or services by presenting their University I.D. and having the charges posted to their student account.
  • You have management and/or oversight responsibility for established accounts.  (Ex: student accounts).
  • You provide loans to students or other customer groups.

Program Elements:  The program is designed to detect the “Red Flags” of identity theft, prevent it, and mitigate the damage by implementing practices in your day-to-day operations. We have aligned this program with another framework used at UVA - the NIST Cybersecurity Framework (designed to promote the protection and resilience of critical infrastructure). 

For each of the following steps, expand to see more:

Questions:  If you aren't certain whether your unit's activity is subject to the Red Flag Rule or you have questions about the Red Flag Rule Program, please email the financial compliance team at redflags@virginia.eduYou may also contact an FOC team member directly, see our Contacts page for individual bios and contact information.

Additional Resources: