Financial Policies

FN23 Identity Theft Detection, Prevention and Mitigation Program

Policy Status: 


Subject Matter Expert: 

University Bursar,

Policy Steward: 

Associate Vice President for Finance



In compliance with the Red Flags Rule issued by the Federal Trade Commission (FTC), The Pennsylvania State University ("University") has established an Identity Theft Prevention Program (the "Program").  Through this policy and related practices and procedures, the Program is intended to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing account and to provide administration of the Program in compliance with FTC requirements, 16 CFR Part 681.

This policy outlines the parameters by which the program will be coordinated and administered. It applies at all University locations.


This policy is effective throughout the University.


(appear in the policy in bold & italic fonts)

Covered Accounts - For the purposes of the Program, covered accounts specifically refer to any account the University offers or maintains primarily for personal, family or household purposes, that involves multiple payments or transactions. A covered account also includes any other accounts offered or maintained for which there is a reasonable, foreseeable risk to customers or to the safety and soundness of the University from identity theft.

Creditor - Entities that defer payment for services rendered and bill customers later and/or who regularly participate in the decision to extend, renew, or continue credit. The term includes University departments, as well as third-party contractors and service providers of the University.

Customer - An individual who has a “covered account” with the University.

Identity Theft - A fraud committed or attempted using the "personally identifying information" of another individual without that individual's authority.

Personally Identifying Information (PII) - Any full name (first and last) or last name and first initial used in conjunction with other information to identify a specific person, as defined in University Policy AD53 - Privacy Policy. Other identifying information may include, but is not limited to, address, telephone number, and/or date of birth.

Program Administrator - The University Bursar has been designated as the administrator of the University's Identity Theft Prevention Program.

Red Flag - A practice, pattern of behavior, or specific activity that indicates the possible existence of identity theft.

Red Flags Steering Committee - The University's standing committee chaired by the Program Administrator and designed to assist in providing operational oversight of the Program and provide advice and counsel to the Program Administrator.


This program outlines the efforts of the University, in its capacity as a creditor, to protect existing consumers, reduce risk from identity fraud, and minimize potential damage from fraudulent accounts with the least possible impact on business operations.

Note Regarding Third-Party Contractors and Service Providers: Third-party contractors and service providers are expected to follow and be compliant with all federal, state, and local laws or regulations which are applicable to the University and this Program. Third-party contractors and service providers are required to report any "red flags" to the Program Administrator. The specific terms and issues of such compliance are addressed in contractual documents between the University and these providers.

This Program applies to business practices used by employees, third-party contractors and service providers when conducting business activity relating to a "covered account," as defined below. In order to achieve program objectives, these parties will:

  • Identify risks and potentially fraudulent activity within new or existing covered accounts.
  • Follow the steps prescribed in Program training to detect and evaluate risks if/when they occur during the handling of covered accounts.
  • Respond to risks and act appropriately, if fraudulent activity has been attempted or committed.
  • Provide information to the University Red Flags Steering Committee, so the Committee may evaluate the effectiveness of the Program, and recommend improvements to the Program, as needed, to the Program Administrator.


A list of the University's "covered accounts" can be obtained, per request, from the Program Administrator by sending an email to


This program is intended to detect, prevent, and mitigate identity theft in connection with "covered accounts," and to provide guidelines for the administration of the Program per FTC requirements, 16 CFR Part 681.

Pursuant to authorization from the University Board of Trustees, the Corporate Controller has delegated operational responsibility of the Program to the University Bursar, who serves as the Program Administrator. The Program Administrator shall exercise appropriate and effective oversight over the Program and shall report regularly to the Corporate Controller on the program.

The Program Administrator is responsible for developing, implementing, and updating the program throughout the University system. The Program Administrator has established and chairs the University Red Flags Steering Committee, which assists in providing operational oversight of the Program and provides advice and counsel to the Program Administrator as steward of this policy.

The program will be periodically reviewed and updated to assure reasonable practices and procedures are implemented and maintained to identify relevant red flags, detect red flags, and respond appropriately to red flags. The Program Administrator will consider the University’s experiences with identity theft; changes in identity theft methods; changes in types of accounts the University maintains; changes in the University’s business arrangements with other entities; and any changes in legal requirements in the area of identity theft.

The Program Administrator shall confer with the University Red Flags Steering Committee and appropriate University personnel as necessary to ensure compliance with the program. The Program Administrator shall annually report to the Corporate Controller on the effectiveness of the program. The Program Administrator shall present any recommended changes to the Corporate Controller for approval. The approval of the Corporate Controller shall be sufficient to make changes to the Program.


Training is required for all employees whose responsibilities result in their conducting business activity relating to covered accounts. The required training is designed to equip employees working with covered accounts to identify, detect, respond to, and minimize the impact of identity theft at the University. Subsequent training will be required when significant changes occur, as recommended and announced by the Program Administrator. Each covered area/account is required to track training and maintain any necessary documentation associated with its completion.


For questions, additional detail, or to request changes to this policy, please contact the Program Administrator at



Most Recent Changes:

  • September 2, 2022 - Editorial change to change the Policy Steward from the Associate Vice President for Finance and Corporate Controller to Associate Vice President for Finance.

Revision History (and effective dates):

  • April 24, 2019 - The Program Administrator changed from the Chief Privacy Officer to the University Bursar.
  • November 8, 2018 - Subject Matter Expert added.
  • September 13, 2018 - Editorial changes to remove redundant Date Approved, Date Published, and Effective Date information.
  • January 29, 2014 - Editorial changes. Updated policy steward, per request of the Chief Privacy Officer.
  • September 27, 2013 - Editorial changes. Addition of policy steward information, in the event that there are questions or requests for changes to the policy.
  • June 29, 2010 - New Policy.

Date Approved: 

May 31, 2019

Date Published: 

May 31, 2019

Effective Date: 

May 31, 2019