FACTA Red Flags Rule Compliance Program

Issue/Question

How does USD stay compliant with the FACTA Red Flags Rule?

Environment

  • FACTA Red Flags
  • Finance
  • Registrar
  • Identity

Cause

The FACTA Red Flags Rule is a compliance item at USD.

Resolution

USD STAFF ONLY

FACTA Red Flags Rule Compliance Program – University of South Dakota (USD)

Overview

The Fair and Accurate Credit Transactions Act (FACTA) includes the Red Flags Rule, which requires organizations to develop and implement programs to detect, prevent, and mitigate identity theft.

The University of South Dakota (USD) is subject to the Red Flags Rule due to the collection and processing of personally identifiable information (PII) by:

  • Financial Aid
  • Registrar
  • Admissions

This includes sensitive data such as:

  • Social Security Numbers (SSNs)
  • Dates of birth
  • Financial and identity-related information

USD maintains a formal Identity Theft Prevention Program aligned with regulatory expectations and institutional security practices.


FACTA Governance and Oversight

  • Red Flags Compliance Officer: Shelley Brunick
  • Program Support: IT Security, Registrar, Financial Aid, Admissions
  • Regulatory Oversight: Federal Trade Commission and federal banking agencies

USD’s Red Flags Rule compliance is implemented through a written Identity Theft Prevention Program integrated with its broader cybersecurity and data governance framework.


FACTA Red Flags Rule Compliance Status by Requirement

The Red Flags Rule requires institutions to identify patterns, practices, or specific activities (“red flags”) that indicate possible identity theft and respond appropriately.

  1. Identification of Red Flags
    • Requirement: Identify relevant identity theft warning signs
    • USD Status: ✅ Compliant
      • USD has identified applicable red flags, including:
        • Suspicious or inconsistent personal information
        • Alerts or notifications from fraud detection systems
        • Unusual account activity or access patterns
        • Attempts to use stolen or synthetic identities
      • Red flags are documented and incorporated into operational procedures
  2. Detection of Red Flags
    • Requirement: Detect red flags in day-to-day operations
    • USD Status: ✅ Compliant
      • Identity verification procedures are in place for student records and financial transactions
      • System monitoring and alerting performed through Microsoft Sentinel and MDR services
      • Authentication controls (MFA, Conditional Access) help detect anomalous access attempts
      • Staff are trained to recognize suspicious behavior during interactions
  3. Prevention and Mitigation of Identity Theft
    • Requirement: Respond appropriately to detected red flags
    • USD Status: ✅ Compliant
      • Procedures exist to:
        • Escalate suspicious activity
        • Restrict or suspend access when needed
        • Validate identity prior to processing sensitive requests
      • Incident response processes are aligned with USD’s Major Incident Response Plan
      • Coordination between departments ensures timely response and containment
  4. Program Administration and Oversight
    • Requirement: Maintain and oversee an Identity Theft Prevention Program
    • USD Status: ✅ Compliant
      • A formal Red Flags Rule compliance program is in place
      • Oversight provided by designated compliance officer and institutional leadership
      • Program is reviewed and updated periodically
  5. Staff Training and Awareness
    • Requirement: Train relevant personnel to detect and respond to red flags
    • USD Status: ✅ Compliant
      • Employees in Financial Aid, Registrar, and Admissions receive training on:
        • Identifying identity theft indicators
        • Proper handling of sensitive data
        • Escalation procedures
      • Training is reinforced through institutional security awareness programs
  6. Service Provider Oversight
    • Requirement: Ensure service providers address identity theft risks
    • USD Status: ✅ Compliant
      • Vendor risk management processes are in place
      • Contracts require appropriate safeguards for PII
      • Third-party services handling student or financial data are monitored
  7. Data Protection and Access Controls
    • Requirement: Protect PII used in covered accounts
    • USD Status: ✅ Compliant
      • Role-based access controls enforced via Microsoft Entra ID
      • Multi-factor authentication (MFA) required for sensitive systems
      • Data classification and DLP policies enforced through Microsoft Purview
      • Secure sharing restricted to approved platforms (Teams, SharePoint)
  8. Monitoring and Detection Capabilities
    • Requirement: Monitor systems for indicators of identity theft
    • USD Status: ✅ Compliant
      • Centralized logging and monitoring via Microsoft Sentinel
      • Threat detection and response supported by Red Canary MDR
      • Alerts generated for anomalous access and suspicious activity
  9. Incident Response and Reporting
    • Requirement: Respond to identity theft incidents
    • USD Status: ✅ Compliant
      • Incident response procedures align with institutional security program
      • Includes:
        • Investigation and containment
        • Notification where applicable
        • Post-incident review and improvement
      • Coordination across departments ensures effective response
  10. Program Review and Continuous Improvement
    • Requirement: Update program to reflect evolving risks
    • USD Status: ✅ Compliant
      • Program reviewed periodically and updated based on:
        • Emerging threats
        • Regulatory changes
        • Lessons learned from incidents
      • Integrated with USD’s broader risk management program

Integration with Data Governance and Security Programs

FACTA compliance at USD is integrated with enterprise programs:

  • Data Governance Program
    • Data classification (Public, Internal, Restricted)
    • Data steward accountability
  • Cybersecurity Program
    • CIS Critical Security Controls (v8.1)
    • NIST Cybersecurity Framework
  • Technology Stack
    • Microsoft Defender Suite
    • Microsoft Sentinel
    • Microsoft Purview
    • Red Canary MDR

This ensures identity theft prevention is embedded across people, process, and technology layers.


Summary

The University of South Dakota:

  • ✅ Meets FACTA Red Flags Rule requirements
  • ✅ Maintains a formal Identity Theft Prevention Program
  • ✅ Detects and responds to identity theft risks across key departments
  • ✅ Protects sensitive PII through strong access, monitoring, and data controls
  • ✅ Trains staff to recognize and respond to red flags
  • ✅ Continuously improves its program based on evolving threats