Identity Theft Prevention Policy
In response to the growing threats of identity theft in the United States, Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which amended a previous law, the Fair Credit Reporting Act (FCRA). This amendment to FCRA charged the Federal Trade Commission (FTC) and several other federal agencies with promulgating rules regarding identity theft. On November 7, 2007 the FTC, in conjunction with several other federal agencies, promulgated a set of final regulations know as the “Red Flags Rule”. The Red Flags Rule became effective November 1, 2008, however, the FTC has deferred its enforcement of the rule through May 1, 2009 in order to permit institutions additional time in which to develop and implement the written identity theft prevention policies required by the Red Flags Rule regulations.
The Red Flags Rule regulations require entities with accounts covered by the Red Flags Rule regulations, including universities, to develop and implement a written Identity Theft Prevention Policy for combating identity theft in connection with certain accounts. The policy must include reasonable procedures for detecting, preventing and mitigating identity theft and enable the entity with covered accounts to:
- Identify relevant patterns, practices, and activities, dubbed “Red Flags”, signaling possible identity theft and incorporate those Red Flags into the Policy;
- Detect Red Flags;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
- Ensure the policy is updated periodically to reflect changes in risks.
This document outlines the required Red Flags Rule Policy of the University of Saint Francis, but is extended to encompass not just financial or credit accounts, but any University account or database for which the University believes there is a reasonably foreseeable risk to the University, its students, staff, faculty, or business partners.
PURPOSE AND SCOPE
The purpose of the Policy is to ensure the compliance of the University of Saint Francis with the Red Flags Rule regulations, to identify risks associated with identity theft, and to mitigate the effects of identity theft upon the University, its students, staff, faculty, or business partners.
The requirements of this Policy apply to the University of Saint Francis and any other facilities operated by the University of Saint Francis and the employees associated with those facilities.
All definitions are derived from the Fair and Accurate Credit Transactions Act of 2003 and the Fair Credit Reporting Act. This list is not intended to be an all encompassing list of definitions; only a list of the most commonly used definitions as they pertain to the University of Saint Francis are addressed here. Please refer to the Fair and Accurate Credit Transactions Act of 2003 and the Fair Credit Reporting Act for a full list of definitions.
Account: Account means “a relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.” Account includes:
- An extension of credit, such as the purchase or property or services involving a deferred payment; and
- A deposit account.
Covered Account: The Red Flags Regulations define the term “covered account” to mean (1) “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions…” and (2) “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the financial institution, or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”
Credit: Credit means “the right granted by a creditor to a debtor to defer payment of debt or to incur debts and deter its payment or to purchase property or services and defer payment therefore.”
Creditor: Creditor means “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.
Financial Institution: Financial Institution means “a State or National bank, a State of Federal savings and loan association, a mutual saving bank, a State of Federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.”
Identity Theft: Identity theft means “fraud committed using the identifying information of another person.”
Red Flag: Red Flag means “a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.”
Service Provider: Service Provider means “a person that provides a service directly to the financial institution or creditor.”
Transaction Account: Transaction Account means “a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others. Such term includes demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.”
IDENTIFICATION & DETECTION OF RED FLAGS
A “Red Flag” is a pattern, practice, or specific activity that indicates the possible existence of identity theft. The following Red Flags are potential indicators or warning signs of potential or actual identity theft or similar fraud. Any time a Red Flag, or a situation resembling a Red Flag, is apparent, it should be investigated for verification.
As an Appendix to the Red Flags Rule, the FTC has identified twenty-six Red Flags that the University may consider incorporating into its policy. These are subdivided into five sections, see below:
Alerts, Notifications or Warnings from a Consumer Reporting Agency
- A fraud or credits alert is included with a consumer report.
- A notice of credit freeze on a consumer report is provided from a consumer reporting agency.
- A consumer reporting agency provides a notice of address discrepancy.
- A consumer report indicates a pattern of activity inconsistent with the history and usual pattern of activity of a customer.
- Documents provided for identification appear to have been altered or forged.
- The photograph or physical description on the identification is not consistent with the appearance of the customer presenting the identification.
- Other information on the identification is not consistent with information provided by the person opening an account or presenting the identification.
- Other information on the identification is not consistent with readily accessible information that is on file with the University.
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
- Personal identifying information provided is inconsistent when compared against external information sources used by the University.
- Personal identifying information provided by the customer is not consistent with the other personal identifying information provided by the customer.
- Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the University.
- Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by the internal or third-party sources used by the University.
- The social security number provided is the same as that submitted by other persons opening an account or other customers.
- The address and/or telephone number provided is the same as or similar to the address and/or telephone number submitted by an unusually large number of other persons opening account or other customers.
- The person opening the account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
- Personal identifying information provided is not consistent with personal identifying information that is on file with the University.
- If the University uses a challenge question, the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Unusual Use of, or Suspicious Activity Related to, the Covered Account
- Shortly following the notice of a change of address, the University receives a request for a new or replacement card or cell phone, or the addition of authorized users on the account.
- A new revolving credit account is used in a manner commonly associated with know patterns of fraud patterns.
- An account is used in a manner that is not consistent with established patterns of activity on the account.
- An account that has been inactive for a reasonably lengthy period of time is used.
- Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the account.
- The University is notified that the customer is not receiving paper account statements.
- The University is notified of unauthorized charges or transactions in connection with a customer’s account.
Notice from customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons regarding Possible Identity Theft in Connection with Covered Accounts
- The University is notified by a customer, a victim of identity theft, a law enforcement authority, or any person that it has opened a fraudulent account for a person engaged in identity theft.
APPROPRIATELY RESPONDING TO DETECTED RED FLAGS
Once potentially fraudulent activity is detected, an employee must act quickly as a rapid appropriate response can protect customers and the University from the effects of identity theft. The employee should inform his/her supervisor as soon as possible that he/she has detected an actual or potential Red Flag, or had identified a similar area of concern of identity theft. The supervisor should conduct any necessary inquiry to determine the validity of the Red Flag.
If it is determined that a situation of identity theft has occurred, the Director or Vice President should immediately contact the Director of Technology Security and Compliance to inform them of the matter so that the matter is properly documented as part of the monitoring portion of this policy.
If the Red Flag indicates that a fraudulent transaction has occurred, the Director or Vice President should ensure that appropriate actions to mitigate the effects of the transaction are taken immediately. Appropriate action will be dependent on the type of Red Flag identified, type of transaction, relationship with the victim of the fraud, availability of contact information for the victim of the fraud, and numerous other factors. However, by way of example, appropriate actions may include, but are not limited to:
- Canceling the transaction;
- Not opening a new account or closing the account in question;
- Notifying and cooperating with appropriate law enforcement;
- Notifying the Office of the Attorney General, the Director of Technology Security and Compliance and Senior Administration of the University; and/or
- Utilizing the University’s Security Breach Protocol procedures as defined in the University of Saint Francis’ Technology Security Policy.
- Notifying the actual customer that fraud has been attempted or that it has occurred;
- Changing any passwords or other security devices that permit access to relevant accounts and/or databases; and/or
- Continuing to monitor the account or database for evidence of identity theft.
- Alternatively, it may be determined that no response is warranted after appropriate evaluation and consideration of the particular circumstances.
In all situations where it is determined that a Red Flag has been positively identified, the office responsible for the account shall document what occurred, describe its review of the matter and any specific actions taken to mitigate the impact of the effects of the actual or potential identity theft discovered. Such documentation shall also include a description of any additional actions the office believes are systemically necessary within their office (such as updating policies and procedures) in response to identified Red Flag to handle or prevent similar situations in the future.
CONSUMER REPORT – ADDRESS VERIFICATION
Any University office that obtains and/or uses a consumer report from a Consumer Reporting Agency must ensure that the report it has obtained relates directly to the consumer about whom it requested the report when the office receives a notice of address discrepancy. A notice of address discrepancy means that the office has received notice of a substantial difference between the address(es) for the consumer that the office provided to request the consumer report and the address(es) in the office’s file on the consumer.
The office may reasonably confirm the accuracy of the consumer’s address by:
- Verifying the address with the consumer about whom it as requested the report;
- Reviewing its own records (job applications, enrollment applications, etc…)
- Verifying the address through third-party sources; or
- Using other reasonable means.
The office must provide the consumer’s address that it has reasonably confirmed to be accurate to the Consumer Reporting Agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.
Staff training is required for all employees, officials and contractors for whom it is reasonably foreseeable that they may come into contact with account or personally identifiable information that may constitute a risk to the University or its customers.
The Director or Vice President of each office that maintains a covered account under this Policy is responsible for ensuring that appropriate identity theft training for all requisite employees, officials and contractors occurs at least annually.
As part of the training, all requisite employees, officials and contractors should be informed of the contents of the University’s Identity Theft Policy, and be provided with access to a copy of this document. In addition, all requisite employees, officials, and contractors should be trained how to identity Red Flags, and what to do should he/she detect a Red Flag or have similar concerns regarding an actual or potential fraud involving personal information.
OVERSIGHT OF THIRD PARTY SERVICE PROVIDERS
It is the responsibility of the University to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Before the University may engage a service provider to perform an activity in connection with one or more of the University’s covered accounts, the University must take the following steps to ensure the service provider performs its activities in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risks of identity theft:
- The University must require by contract that the service provider has such policies and procedures in place; and
- The University must require by contract that the service provider is aware of the University’s Identity Theft Policy, and will report any Red Flags it identifies as soon as possible to the Director of Technology Security and Compliance.
Successful implementation of the Identity Theft Policy ultimately is the responsibility of each office, the employees of each office that maintains accounts or databases covered by this policy, and the University community as a whole. As permitted by the Red Flags Rule regulations, responsibility for overseeing the administration of the Policy has been delegated by the University’s President to Director of Technology Security and Compliance. On an annual basis the Director of Technology Security and Compliance will confer with the University’s offices that maintain covered accounts under the Policy to review each office’s list of covered accounts training and policies, procedures and practices as they relate to preventing, detecting and mitigating identity theft, and any positively identified Red Flags or similar incidents documented by the offices who maintain covered accounts under this Policy.
UPDATING THE POLICY
On an annual basis the Policy will be re-evaluated to determine whether all aspects of the Program are up to date and applicable. This review will include an assessment of which accounts and/or databases are covered by the program, whether additional Red Flags need to be identified as part of the Policy, whether training has been implemented, and whether training has been effective. In addition, the review will determine if any changes in the Policy need to be made.
APPROVAL BY THE BOARD OF TRUSTEES
Under the Red Flags Regulations, implementation and oversight of the Identity Theft Policy is the responsibility of the governing body or an appropriate committee of such governing body. Approval of the initial Policy must be appropriately documented and maintained. After its initial approval of the Policy the governing body may delegate its responsibility to implement and oversee the Identity Theft Policy. As the governing body of the University of Saint Francis, the University of Saint Francis’ Board of Trustees, as of the date below, herby approved the initial Identity Theft Policy. Having made such initial approval, the Board of Trustees delegates the responsibility for implementing, monitoring and overseeing the University’s Identity Theft Policy to the University of Saint Francis’ Leadership Council and the Director of Technology Security and Compliance.
Approved by Board of Directors: 25 July 2012