banner image

FTC Red Flags Rule

Palo Alto University Red Flags Policy “Identity Theft Prevention Program”

I.  Scope and Purpose

This policy applies to Palo Alto University.  The policy establishes the University’s Identity Theft Prevention Program, which helps protect students, employees, and others who have certain financial related accounts with the university.  The program is designed to detect, prevent, and mitigate identity theft in accordance with the Federal Trade Commission’s (FTC) Red Flag Rule (16 CFR 681.2), which implements sections of the Fair and Accurate Credit Transactions Act (Pub L. 108-159).

II.  Definitions

Covered Account.  A consumer account designed to permit multiple payments or transactions, and any other account for which there is a reasonably foreseeable risk of identity theft, including:

  • student accounts established for the payment of tuition, fees, and other charges related to University activities; and
  • personal accounts through which employees receive wages or reimbursements

Customer - A person who has a covered account with the University.  A customer may be a student, employee, or other individuals.

Identify Theft - A fraud committed or attempted using the identifying information of another person without his or her authority.

Red Flag - A pattern, practice or specific activity that could indicate identity theft.


III. Policy: Identity Theft Prevention Program

The university is committed to protecting its students, faculty, staff, and others who entrust their personal information with the University.  Common Red Flags include:

  1. Receipt of Notice of Dispute from a credit agency;
  2. Identification document or card that appears to be forged, altered or inauthentic;
  3. Identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;
  4. Inconsistencies in information among different documents presented by the customer (example: inconsistent birth dates);
  5. Identifying information presented by the customer that is inconsistent with other sources of information (for instance, an address not matching an address on a Perkins loan application);
  6. Social Security number presented that is the same as one given by another student or employee; and
  7. Notice to the university from an external source, student, or employee that an account has unauthorized activity.

The Identity Theft Prevention Program consists of this policy, which identifies common Red Flags, and other policies and procedures to detect and respond to any Red Flags that occur.  

The Vice President for Business Affairs and CFO will be responsible for the Policy and will establish an Identify Theft Prevention Committee to be charged with overseeing the Program. Members of the Committee may include representatives from Admissions, Bursar’s Office, Financial Aid, Human Resources, Information Technology, Payroll, the Registrar’s Office, and Student Affairs.  Other members may be appointed by the Vice President for Business Affairs and CFO as needed.

The committee will be responsible for developing new policies and procedures as needed to ensure that the university maintains a high level of due diligence with respect to preventing, detecting, and mitigating identity theft.  The Committee will also be responsible for establishing and maintaining routine training for staff in relevant positions, including training in how to identify a Red Flag, how to report a Red Flag, and how to mitigate against identity theft in Covered Accounts.

IV.  Red Flag Detection Examples

To detect the Red Flags identified above, the following actions will be taken, when appropriate given the particular covered account at issue and under the particular circumstances, to confirm the identity of students and individuals when they open and/or access their covered accounts:

  1. Refund of a credit balance involving a PLUS loan. As directed by federal regulation (US DOE) these balances are required to be refunded in the parent’s name and mailed to their address on file within the time period specified. No request is required. Red Flag - none as this is initiated by the University
  2. Refund of credit balance, no PLUS loan. - requests from current students must be made in person by presenting a valid picture ID or in writing from the student’s University issued email account. The refund check can only be mailed to an address on file or picked up in person by showing a picture ID. Requests from students not currently enrolled or graduated from University must be made in writing. Red Flag - Picture ID not appearing to be authentic or not matching the appearance of the student presenting it. Request not originating from students account.
  3. FURST Loan - request from the student must be made in writing or by their email account. If a student shows up in person they must provide a valid picture ID otherwise the check will be mailed to the address on file. Approval must be signed by CFO through DocuSign. Red Flag - Student doesn’t provide a picture ID or email that was sent does not belong to the student. The completed Docusign form must be obtained by CFO.
  4. Tuition payment plan - Student must contact use the portal and enroll with the Cashnet Payment Plans. Red Flag - none. The student must have an authorized account to sign up.

Red Flag Responses

The program shall provide appropriate responses to detected red flags to prevent and mitigate identity theft. The appropriate responses are outlined below.

  1. Deny access to the covered account until other information is available to remove the red flag.
  2. Contact the student, notify your supervisor, and IT staff at
  3. Change any passwords or related security controls that provide access to the covered account.
  4. Determine if a response is required based upon findings of the incident. If there a security incident it must be reported to The next steps may require forensics and possible law enforcement contact.
  5. Take appropriate actions to modify the applicable process to prevent similar activities in the future.


Subject Contact Telephone Email
FTC Red Flags Rule Business Office (650) 417-2027
Contact Date
David Leavitt - Created 05/06/19
David Leavitt - Revised 6/17/19