Covered Activities

Being "covered" means that the Red Flags Rule and University policy apply. The University's program groups covered activities into four categories: accounts, cards, goods and services, and personal information.

Accounts

The Red Flags Rule applies to units that:

• Administer financial accounts (open, maintain, bill, close, and so on)
• Use consumer credit reports, such as those issued by Experian, TransUnion, and Equifax
• Report information to credit reporting agencies
• Sell or transfer debts to a third party

Covered accounts are as follows:

• Declining balance and debit accounts, such as meal plans, Campus Cash or Dragon Dollars, or scholarships or aid
• Campus-based student loans
• Loans to students, faculty, or staff
• Other financial loans

Cards

Units must comply with the Rule if they:

• Issue cards that can be used to access accounts
• Mail cards directly to cardholders

Examples of University cards that can access financial accounts

University-issued cards include but are not limited to:

• i-cards
• Visitor identification cards
• Pay cards
• Loan cards
• Other University of Illinois photo IDs

Some of the financial accounts University cards can access are:

• Meal plans
• Campus debit plans (such as Campus Cash, Dragon Dollars, or Extra Credits)
• Checking accounts linked to student i-cards
• Bank accounts (for employees issued pay cards)
• Loan funds (for students issued loan cards)
• Photocopying services

Note: The preceding list is not exhaustive: any other covered accounts that units establish with card-based access are included.

Goods and services

The Red Flags Rule Units applies to units that:

• Provide goods or services that patrons can pay for later. This applies whether you bill and collect through Banner Accounts Receivable, payroll deduction, a third party vendor, or any other system.
  Require payment at time of sale or service but accept payment over the phone
• Pursue debt collection (directly or from another unit's services) from nonpaying patrons
• Bill for fines (which can only be paid for later)

Note: Credit card payments don't apply, because the relevant credit card company pays the unit and pursues payment from its individual customers.

Personal information

The Red Flags program covers units that:

• Enter new information into any record system
• Alter data that is already in a system
• Maintain a system that generates UINs, NetIDs, email addresses, or login names
• Grant 0% appointments for persons without I-9 forms.

Note: Units that enter or alter data only for the purpose of hiring comply with the Red Flags program because they must file an I-9 (Employee Eligibility Verification) form for every new hire.

Examples of personally identifying information

Personally identifying information for the Red Flags Rule means any data that is or may become associated with covered accounts at the University. It does not matter which system your unit uses to handle personal data; it matters whether that data could be used for covered accounts.

The following identifiers can be used alone or in combination with each other to uniquely identify an individual account holder. This list is not exhaustive; your unit may know of other identifiers.

• Name (first name, middle name, surname or last name, suffix)
• Address*
• Phone number*
• Email address*
• Birth date
• Gender
• University Identification Number (UIN)
• NetID
• Login names
• Social Security number (SSN)

*Note: Many University records include several different instances of the same type of identifier. For example, most students and employees have more than one phone number and address on file. Similarly, many systems include a preferred email address in addition to others. Due to name and/or gender changes, multiple names can be associated with one person. Remember: The Rule applies to any identifying information that is or may become associated with a covered account—not just one particular set of identifiers.

Last Updated: January 27, 2016