According to the red flag rules, institutions need to create a method for dealing with address discrepancies for a consumer reported by the credit bureaus. Because colleges sometimes use credit reports when reviewing job applicants or when determining a student's eligibility for education loans, this part of the FCRA rule may apply to them.
Under the FCRA, institutions that act as creditors must create a written plan to prevent identity theft from occurring to its new and existing covered account holders. While the rule primarily addresses financial institutions, the definitions of creditors and covered accounts used by the government in the law would include some colleges and universities. Under those definitions, schools that offer payment plans for tuition participate in the Federal Perkins or Federal Family Education programs. Offering loans from within to students or staff would be required to comply with this aspect of the red flag rules.
The third of the red flag rules would not apply to most colleges. Under this rule, institutions must determine a method for assessing whether or not a request for a replacement debt or credit card followed by a change of address request is valid. The connection of these two requests is a red flag of identity theft. While this rule applies primarily to banks or other financial institutions, it could be extended to student identification cards if they also operate as debit cards.
Colleges that must adhere to the red flag rules need to take several steps to obtain compliance. First, they must identify the so-called red flags suggestive of identity theft or fraud. Many of these red flags are already available in an appendix to the red flag rules guide. The institution must put in place a program that allows them to detect these red flags and to respond to them. Additionally, the program must be reviewed periodically to ensure that it is serving its purpose. Staff training is also required as part of the rules.
Any institution required to comply with the red flag rules must do so or face penalties. The Federal Trade Commission can fine them up to $2,500 for each offense. If the FTC believes the offenses were a result of deceptive or unfair practices by the institution then they can take further steps, including issuing cease and desist orders to the college. Identity theft victims who are financially damaged due to the failure of the university to comply with the red flag rules may also be able to sue them.