Preventing, Detecting and Mitigating Identity Theft

Program Overview

The Red Flag regulations require all financial institutions (the University of Washington is considered a financial institution) to implement identity theft protection programs, including reasonable policies and procedures for preventing identity theft and the ability to track red flag activities and notify victims. The university has an administrative policy statement (APS 35.2) governing Red Flag Rules.

Purpose and Scope

In its capacity as a creditor to protect existing consumers, reduce risk from identity fraud, and minimize potential damage from fraudulent new accounts with the least possible impact on business operations, the University of Washington is subject to 16 CFR 68.12 “Identify Theft Rules” which requires the establishment of a written Identify Theft Prevention Program (ITPP) for covered accounts. This Program applies to business practices used by employees when conducting business activity relating to a Covered Account.

The program must include reasonable policies and procedures to:


  • Identify relevant Red Flags for the covered accounts that the UW offers or maintains and incorporate those Red Flags into its Identity Theft Prevention Program
  • Detect Red Flags that have been incorporated into the University's Identity Theft Prevention Program
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft
  • Ensure the Identity Theft Prevention Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution