October 13, 2009,
Volume 56, No. 07
Red Flag Rules
In 2007, the Federal Trade Commission (FTC) issued final rules under the Fair and Accurate Credit Transactions Act (FACTA) called the Red Flag Rules. These rules require policy and procedural changes within Penn to assist in preventing identity theft as well as detecting and responding to identity theft. The rules took effect in January 2008, with compliance originally required by November 2008. Subsequently, the FTC delayed enforcement until May 2009.
In March 2009, a draft policy to implement the new rules at Penn was published in the Almanac for review and comment. See www.upenn.edu/almanac/volumes/v55/n26/redflag.html. It calls upon operational units engaged in extending credit, or using credit reports, to follow certain steps as required by the rules and to do our part in curbing the incidence and impact of the very concerning crime of identity theft. Comments on the draft policy were requested by April 20, 2009; no comments were received.
Subsequently, the FTC again delayed enforcement of the Red Flag Rules, first to August 2009, then November 2009. These extensions were based in part on issuance of new guidance by the FTC. The Office of Audit, Compliance and Privacy has reviewed that guidance, and has concluded that it does not affect the policy as proposed. Accordingly, we are pleased to announce that the policy is adopted as final and takes effect November 1, 2009. The policy can be viewed on the Penn Privacy website, at www.upenn.edu/privacy/; click on “Policy on Red Flag Rules,” under “What’s New!!”
—Mary Lee Brown, Associate Vice President, Audit, Compliance and Privacy