University of Illinois Red Flags Rule Best Practices for Units that Issue Cards that Can Be Used to Access Accounts
Use the guidelines below in conjunction with the main Red Flags Rule Identity-Theft Prevention Program Best Practices, which apply to all units.
What Cards Are Covered?
Any magnetic-stripe-enabled card issued through the i-card database can potentially be used to establish and access certain University accounts. The Red Flags Rule (the “Rule”) applies to i-cards, visitor cards, and other cards that are associated with an individual. Pay cards and loan cards that are issued to specific individuals are also covered.
What Accounts Can Be Accessed Using Cards?
- Meal plans
- Campus Cash at UIS
- Dragon Dollars at UIC
- Extra Credits at UIUC
- TCF Bank student checking accounts
- Bank accounts of employees who are issued pay cards in lieu of direct deposit
- Student loan accounts of students who are issued loan cards
- Any other covered accounts that units establish with card-based access
What Card-Related Activities Are Covered?
- Issuing cards that can be used to access accounts
- Mailing cards directly to cardholders
What Are My Unit’s Responsibilities?
Issue Cards in Person Whenever Possible
Issue cards in person whenever possible, and require a government-issued photo ID. For online students and other populations that cannot present in person, arrange for another University unit to distribute cards. In the arrangement, include a requirement for each cardholder to show a government-issued photo ID before receiving a card.
Verify Addresses for Mailed Cards
If there is an unavoidable business need to mail a card directly to a cardholder, have procedures in place to verify the cardholder’s address.
For replacement card requests, have procedures in place to know whether a cardholder’s address has changed within 30 days. If an address has changed, email the cardholder at his or her University email address to get confirmation of the new address before mailing a replacement card.
Be Able to Recognize Red Flags
Define which patterns, practices, or specific activities indicate the possible presence of identity theft; that is, identify red flags that alert your unit to potential cases. The Rule includes a list of 26 examples of red flags. The following table shows the examples that apply to issuing cards. Your unit should also monitor for other red flags that you have identified as relevant to your operations. Be sure to report these additional red flags to the Red Flags Steering Committee using the Red Flags Unit Registration and Update form .
FTC Red Flags Examples—Cards
- Documents provided for identification appear to have been altered or forged.
- The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
- Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
- Other information on the identification is not consistent with readily accessible information that is on file with [the University/unit], such as a signature card or a recent check.
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious personal[ly] identifying information
- Personal[ly] identifying information provided is inconsistent when compared against external information sources used by [the University/unit]. For example:
- The address does not match any address in the consumer report; or
- The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
- Personal[ly] identifying information provided by the customer is not consistent with other personal[ly] identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
- Personal[ly] identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the [University/unit]. For example:
- The address on an application is the same as the address provided on a fraudulent application; or
- The phone number on an application is the same as the number provided on a fraudulent application.
- Personal[ly] identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by [the University/unit]. For example:
- The address on an application is fictitious, a mail drop, or prison; or
- The phone number is invalid, or is associated with a pager or answering service.
- The SSN provided is the same as that submitted by other persons opening an account or other customers.
- The address or telephone number provided is the same as or similar to the account number [sic] or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
- The person opening the covered account or the customer fails to provide all required personal[ly] identifying information on an application or in response to notification that the application is incomplete.
- Personal[ly] identifying information provided is not consistent with personal[ly] identifying information that is on file with [the University/unit].
- For [units] that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Who To Ask
Direct any questions to the Red Flags Steering Committee at firstname.lastname@example.org.
Last Updated: June 3, 2011