Red Flags for Identity Theft
Purpose and Scope of Red Flag Rules
-
What is the purpose and why do we need Red Flag rules?
The purpose of Red Flag rules is to establish an identity theft program to detect, prevent and mitigate identity theft pursuant to the Federal Trade Commission (FTC) Red Flag rules.
The Red Flags program is aimed at having companies set up procedures to look for and respond to "Red Flags" that indicate an identity thief is trying to use someone else's information. By doing so, Red Flag rules seek to reduce the damage identity thieves can inflict on victims of identity theft and on businesses left with accounts receivable balances that they'll never be able to collect.
-
What are the definitions of the terminology used in Red Flag Rules?
"Account" means a continuing relationship established by a person with a creditor to obtain a product or service for personal, family, household or business purposes. It includes:
- an extension of credit, such as the purchase of property or services involving a deferred payment (payment plan)
- a deposit account
"Covered Account" is:
- an account that a creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, and
- any other account that the creditor offers to maintain for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks
"Identity Theft" is a fraud committed or attempted using the identifying information of another person without authority
"Red Flag" is a pattern, practice, or specific activity that indicates the possible existence of identity theft
"Service Provider" is a person that provides a service directly to the financial institution or creditor
-
What are some examples of Red Flags?
- Notifications and Warnings from Credit Reporting Agencies
  - Report of fraud accompanying a credit report
  - Notice or report from a credit agency of a credit freeze on an applicant
  - Notice or report from a credit agency of an active duty alert for an applicant
  - Receipt of a notice of address discrepancy in response to a credit report request
  - Indication from a credit report of activity that is inconsistent with an applicant's usual pattern or activity
- Suspicious Documents
  - Identification document or card that appears to be forged, altered, or inauthentic
  - Identification document or card on which a person's photograph or physical description is inconsistent with the person presenting the document
  - Other document with information that is inconsistent with existing identifying information
  - Application for service that appears to have been altered or forged
- Suspicious Personal Identifying Information
  - Identifying information presented that is inconsistent with other information provided (e.g., inconsistent birth dates)
  - Identifying information presented that is inconsistent with other sources of information (such as an address not matching an address on a loan application)
  - Identifying information presented that is the same as information shown on other applications that were found to be fraudulent
  - Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address)
  - Social Security number presented that is the same as one given by another person
  - An address or phone number presented that is the same as that of another person
  - A person fails to provide complete personal identifying information on an application when reminded to do so
  - A person's identifying information is inconsistent with the information that is on file for that person
- Suspicious Covered Account Activity or Unusual Use of Account
  - Change of address for an account followed by a request to change the person's name
  - Payments stop on an otherwise consistently up-to-date account
  - Account used in a way that is inconsistent with prior use
  - Mail sent to the individual is repeatedly returned as undeliverable
  - Notice to the University that a person is not receiving mail sent by the University
  - Notice to the University that an account has unauthorized activity
  - Breach in the University's computer system security
  - Unauthorized access to or use of student account information
- Alerts from Others
  - Notice to the University from an individual, identity theft victim, law enforcement official, or other person that the University has opened or is maintaining a fraudulent account for a person engaged in identity theft
-
What are some examples of Covered Accounts that apply to the University?
Examples of Covered Accounts that apply to the University are:
- Student Billing and Receivables
- Accounts in collection
- Payment plans, including housing payment plans
- Repayment plans
- Student Refunds
- Student Records
- Student ID card (Osprey card)
- Payroll advances
- Credit bureau data
-
How are Red Flags typically detected?
Enrollment
- Require certain identifying information such as photo identification, name, date of birth, academic records, home address, or other identification before opening a covered account or allowing access to a covered account
Business Services
- Verify the person's identity at time of issuance of identification card (review of driver's license or other government-issued photo identification to ensure the photo, name, address, date of birth matches)
Existing Accounts
- Verify the identification of the individual if they request information (in person, via telephone, via facsimile, via email)
- Verify the validity of requests to change billing addresses by mail or email and provide a reasonable means of promptly reporting incorrect billing address changes
- When certain changes are made online, students and individuals holding covered accounts shall receive notification to confirm the change was valid and to provide instruction in the event the change is invalid
- Verify changes in banking information given for billing and payment purposes
- Any suspicious changes made to covered accounts that relate to an account holder's identity, administration of the account, and billing and payment information shall be verified
Consumer Credit Report Requests
- Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency
- In the event that notice of an address discrepancy is received, verify that the credit report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the University has reasonably confirmed to be accurate
University Staff Roles and Responsibilities
-
How do I find out if the Red Flags policy applies to my department?
Red Flags policy applies to your department if your department engages in any of the following activities:
- Enters or alters personally identifying information in a university system or database
- Maintains systems that generate personally identifying information
- Offers goods or services that individuals can pay for later on an account administered by, or on behalf of, your office
- Administers billing, declining balance, debit, or other accounts whether on behalf of your own department or another university department
- Makes loans, such as short-term loans to students, faculty, or staff
- Administers student loans
- Issues cards to individuals that can be used to access accounts
- Uses consumer credit reports such as Experian, TransUnion or Equifax
- Reports information to credit reporting agencies
- Bills for fines
- Pursues debt collection
- Offers leases to individuals for personal/non-business purposes
- Sells or transfers debts to a third party
-
What is the University's Policy regarding identifying and mitigating Identity Theft?
It is the University's Policy to:
- Identify covered accounts
- Verify identification for any student, faculty or staff member requesting services. Look to see if the identification appears to have been altered or forged
- Verify the picture and physical description match the appearance of the person presenting the identification
- Verify the information on the identification is consistent with other information on file at the University
- Verify requests for information updates have not been altered or forged, or that the paperwork does not appear to have been destroyed and reassembled
- Decline to share any information over the phone, or in person without picture ID, if the student has a "Confidential" marker on his/her account
- Investigate the correctness of unauthorized charges or transactions assessed in connection with a student's account
- University departments that are responsible for unique types of covered accounts should establish additional policies and procedures for detecting and responding to Red Flags
- Include standard contractual language requiring entities that provide services associated with covered accounts to have policies and procedures to detect, prevent, and mitigate the risk of identity theft
-
What training is required?
All personnel who play a role in the processing of transactions related to covered accounts are required to take a course on Red Flags-ID Theft Protection. This is an annual training requirement.
Department managers with covered accounts should conduct training for their staff to reinforce knowledge, discuss any changes to the program caused by internal business processes or the identification of new Red Flags, perform procedures to evaluate the effectiveness of the Red Flags program and implement changes, if needed.
-
As a staff member, is it my responsibility to notify appropriate University personnel that a Red Flag has been detected?
Yes. As a University employee, it is your duty to comply with University programs and policies. You must act if you observe a violation of the Red Flags Rule.
-
I may have detected a red flag. What do I do now?
- Make sure to follow your department's Red Flags program in determining the appropriate response and steps for risk mitigation
- Fill out the Red Flags Incident Report and email it to the Program Administrator
- Depending on the degree of risk posed by the red flag, the following may be recommended:
  - Continue to monitor the covered account for evidence of identity theft
  - Contact the individual (for which the credit report was run)
  - Change any passwords or other security devices that permit access to covered accounts
  - Do not open a new covered account
  - Provide a new identification number
  - Attempt to identify the cause and source of the Red Flag
  - Notify the program administrator for determination of the appropriate steps to take
  - Notify law enforcement
  - File or assist in filing a Suspicious Activities Report
  - Determine that no response is warranted under the particular circumstances
-
My office responded to a Red Flags incident and successfully prevented a potential case of identity theft. Am I still required to file an incident report?
Yes. One of the many benefits the University will have by your filing an incident report will be the opportunity to review the incident and offer advice to other departments who may experience similar Red Flags.
-
What steps must be taken to protect personal identifying information?
In order to further prevent the likelihood of identity theft occurring with respect to covered accounts, the University will take the following steps related to its internal operating procedures to protect identifying information:
- Ensure that its website is secure or provide clear notice that the website is not secure
- Subject to state record retention requirements, ensure complete and secure destruction of paper documents and computer files containing account information when a decision has been made to no longer maintain such information
- Ensure that office computers with access to covered account information are password protected
- Avoid use of Social Security numbers
- Ensure that computer virus protection is up-to-date
- Require and keep only the kinds of individual information that are necessary for University purposes
-
Should I worry about third-party providers?
If they process personal identifying information related to covered accounts, then we are responsible to ensure that they are Red Flag compliant. Language regarding their compliance is included in purchasing agreements.
-
What are the consequences to the University if it fails to comply with the Red Flags Rule?
An incident of identity theft can have serious consequences to the University:
- The FTC can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule
- Where the complaint seeks civil penalties, the US Department of Justice (DOJ) typically files a lawsuit in federal court on behalf of the FTC
- Each instance in which the University violated the rule is a separate violation
- Injunctive relief often requires the parties being sued to comply with the law in the future and provide reports, retain documents, and take other steps to ensure compliance with both the rule and court order. Failure to comply with the court order could subject the parties to further penalties and injunctive relief
Moreover, an incident of identity theft would be damaging to the University and your department's reputation. It would be detrimental to have fraud associated with the University in any way. A successful Red Flag program helps the University guard against damage to our reputation.
-
Where can I find more information?
Additional information can be found at the following websites: