Have you been seeing anything “red” lately? One piece of regulation that affects many schools that may often time be overlooked is a little thing called the “Red Flags Rule”. This piece of regulation is applicable to all schools that participate in the Federal Perkins Loan program, and may apply to many institutions that offer an extension of credit to their students, e.g., granting institutional loans or allowing students to make installment payments.
The definition that most likely is applicable to educational institutions that makes the “Red Flag Rules” pertinent is the part that refers to “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” If an account is subject to a reasonably foreseeable risk to consumers (students) or to the institution from identity theft, it may be considered a “covered account” to which the “Red Flag Rules” apply. Thus, it is possible that an educational institution may have what are called “covered accounts”. Since this regulation is risk-based by nature of the definition, each institution must determine which of its accounts, if any, meet the definition of “covered accounts” that must be included in its Identity Theft Prevention Program. The Federal Trade Commission (FTC) recommends that when determining if the rules apply to an institution, the institution should do a risk evaluation that includes a consideration of the ways in which the institution establishes accounts with its customers (i.e., students), how such accounts are able to be accessed by the customer (students) and/or others, as well as the type of experience it has had previously with identity theft.
This regulation is not one put forth by the U.S. Department of Education (ED), but rather an FTC regulation. It was published by the FTC in the Federal Register on November 9, 2007. The federal bank regulatory agencies and the National Credit Union Administration were also jointly involved in issuing the regulations. While the rule became effective on January 1, 2008, there were a number of delays in the enforcement of the regulation. The last announced effective date of enforcement was January 1, 2011. The delay in enforcement did not mean that the regulations were not still in effect, but simply that they were not being enforced until January 1, 2011.
The FTC has provided a compliance guide, as well as a template for low-risk entities to use in developing an identity theft program. The “Do-it-Yourself” template is on the FTC’s Web site at https://www.ftc.gov/bcp/edu/microsites/redflagsrule/diy-template.shtm.
ED recommends that schools that may be affected by the “Red Flags Rule” consult with their attorneys to review these regulations to ensure compliance and to learn the potential impact on the school operations. More information about the “Red Flags Rule”, as well as the regulation itself, may be found on the FTC Web site at https://www.ftc.gov/opa/2007/10/redflag.shtm.