Red Flags


Administration & Finance


Financial Services

Contact Information: 

John Gates / Executive Director of Financial Services / (415) 405-7320 /

Effective Date: 

Thursday, November 3, 2022

Revised Date: 

Tuesday, October 4, 2022


This policy describes SF State’s alignment with the Federal Trade Commission’s Red Flags Rule. The Red Flags Rule requires certain organizations to implement a written identity theft prevention program designed to detect the “Red Flags” of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate its damage.



In 2007, the Federal Trade Commission (FTC) issued a regulation known as the Red Flags Rule. The rule requires “financial institutions” and “creditors” holding “covered accounts” to develop and implement a written Identify Theft Prevention Program (referred to as the “Program”) designed to identify, detect, and respond to identity theft “Red Flags.”

Definition - Creditor

The Red Flags Rule defines “creditor” based on conduct. Specifically a creditor satisfies one or more of the following criteria:

  • Defers payment for goods and services
  • Grants or arranges credit
  • Participates in the decision to extend, renew, or set the terms of credit

As well as satisfying one or more of the additional criteria below:

  • Acquires or uses consumer reports in connection with a credit transaction
  • Provides data to credit reporting companies in connection with a credit transaction
  • Advances funds to — or for — someone who must repay

Definition - Covered Account

A covered account under the Red Flags Rule regulation is a consumer account designed to permit multiple payments or transactions. These are accounts where payments are deferred and made by a borrower periodically over time such as a tuition or fee installment payment plan.

A covered account may also be any other account that a creditor offers or maintains for which there is a reasonably foreseeable risk to customers from identity theft.

Red Flags Programs

Each campus functional unit that qualifies as a creditor and holds covered accounts is hereby required to develop and implement a documented Program aimed at preventing and mitigating identity theft. The documented Program must include reasonable policies and procedures to:

  • Identify relevant patterns, practices, and specific forms of activity that are “Red Flags” signaling possible identity theft
  • Detect Red Flags that have been incorporated into the Program;
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft
  • Ensure the Program is updated periodically to reflect changes in risks from identity theft.

The FTC offers detailed guidance on how to develop and compose a Program.


Red Flags Programs on campus are established and centrally administrated by the President or an individual designated by the President. The larger administration of annual review and legal determination of applicability is established by the CSU Board of Trustees.

Incidents involving Red flags that entail suspected cases of identity theft must following the reporting process described by the Reporting Fraud and Financial Crimes at SF State knowledge base article.

Individual Responsibility

Identity theft continues to be an ongoing threat in online communities. Although SF State's Red Flags Policy aims to prevent and mitigate identity theft the individual mechanisms and system cannot detect all forms of identity theft and still requires vigilance by individuals to protect their own sensitive information.