University of Illinois System

General Requirements For All Units

The requirements listed here apply to each unit that performs or outsources any activity covered by the Red Flags Rule. Additional activity-specific requirements apply for account- and card-related activities. To determine whether your unit must comply with the Red Flags Rule, see Covered Activities.

Existing Policies

Because other legislation already addresses data security for personally identifying information, the Rule assumes that those mandates are being followed and that good data security and privacy measures are already in place. Other mandates include FERPA, HIPAA, and PIPA. The University of Illinois System's data security and privacy policies ensure that these other requirements are being met.

The U of I System’s Red Flags program is in addition to the information security policy and other system, university, and unit policies that address identity theft, fraud, and misuse of university ID cards. Links to many of these related policies can be found on the AIT IT Policies page.

When Establishing or Changing Information in University of Illinois Systems

Verifying that personally identifying information is accurate and that it belongs to the person presenting it is vital to preventing identity theft. Specific requirements apply for in-person, online, or phone service situations, and these are guided by three overarching requirements:

  • When you establish (add) a record in any system, verify identity in person whenever possible.
  • When you change information in any system, verify identity in person or by secure login.
  • Use photo IDs to verify only the personally identifying information that ID contains. Elements not on an ID, such as an address, require other supporting documentation that matches the name on the photo ID.

In-Person Services

For in-person services the following requirements must be met:

  • ID check
  • University of Illinois ID card or a government-issued photo ID such as a driver's license or passport. See this list of acceptable government IDs.
  • Clear, legible IDs and documents. If a photo is too worn for you to compare with the person, ask for an alternate ID.
  • ID and supporting documents are valid and legitimate, as follows:
    • The ID is not expired, or the document(s) are recent.
    • The photo matches the person in front of you.
    • Any photo, text, or other elements have not been tampered with.
    • There are no other signs of fraud or alteration.
  • If any information is not legible or a document is suspicious, ask for alternate IDs or documents.

Note: If your unit provides services to people who have an iCard, visitor card, or other university-issued magnetic-stripe card, it is best to use an electronic card swipe to verify a cardholder's eligibility for service. Card swipes rely on current U of I System records.

For Online Services

For online services, a password-protected login is required for access and transactions. Logins must comply with Section 19: Business Systems Access and Security of the Business and Financial Policies and Procedures manual. NetID logins are recommended.

Over the Phone

Avoid making changes to personally identifying information over the phone. If there is an unavoidable business need to allow phone access, require callers to verify their identity by providing nonpublic information about themselves, and check that information against office records.

Rely only on information that is truly nonpublic. (Date of birth, mother's maiden name, and other information can be found online and are often known to family, friends, and others.)

Have Appropriate Procedures, Training, and Supervision in Place

The Red Flags Rule mandates an identity theft protection program that is incorporated into daily operations. There is no "one size fits all" solution. The University of Illinois System requires that each unit's program have documented procedures for:

  • Identifying red flags.
  • Detecting and responding to red flags.
  • Keeping current to detect new threats.

Units must also:

  • Ensure that staff members are trained to carry out your unit's Red Flags procedures.
  • Provide ongoing supervisory guidance.

Identify Red Flags

In order to form procedures for detecting and responding to red flags, you must first identify and list the red flags you know and expect your unit will encounter. The Examples of Red Flags are a good starting point, but your unit may know of even more.

Be Able to Detect and Respond to Red Flags

Document how you will monitor for and detect red flags. Include procedures for how your unit will respond when any red flag is detected. Your procedures must include instructions on how to handle all of the responsibilities related to your unit's covered activities.

Keep Your Program Current

Make a detailed plan of how your unit will keep current, so it is able to identify and detect new red flags.

Ensure that Service Providers Follow the Red Flags Rule

If any non-University of Illinois third parties handle account or debt-collection functions for your unit, you must:

  • Inform providers of the U of I System's Red Flags program and policy.
  • Require and maintain a Red Flags compliance statement from each provider.
  • Require providers to immediately report to you any confirmed incidents that involve your accounts or the personally identifying information associated with them.
  • Keep a list of these providers and the services (ongoing or new) they provide, for use in annual reporting.

Establish a Red Flags Unit Contact Person

Choose an employee to serve as a unit contact for Red Flags Rule activities. Ideally, this person should be well-informed about your unit's operations relating to covered activities and personal information. Identify your contact person on the Unit Registration and Update form.

Unit Contact Responsibilities

Unit contacts must participate in Red Flags-related training and information sessions and report the following relevant information to the Red Flags Steering Committee.

What is considered relevant information? Your unit contact must report on:

  • Incidents of confirmed or attempted identity theft. Report these cases immediately using an Incident Report form.
  • Covered activities, third-party service provider arrangements, and new red flags encountered for the calendar year. Provide this information annually, when prompted by the committee.
  • Possible red flag activities. Email any questions or concerns immediately to rfsc@uillinois.edu.
  • Sale or transfer of debt to any (non-U of I System) third parties.

Who to Ask

Direct any questions to the Red Flags Steering Committee: rfsc@uillinois.edu.