Identity Theft Prevention Program

“Red Flags Rule”

Click here to download Red Flags Incident Report Form (Word File) 



Purpose and Scope

To establish an Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide continued administration of the Program in compliance with Federal Trade Commission (FTC) 16 C.F.R. Part 681.

http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf

Elements of the Program include:

  1. Identifying Covered Account Transactions / Requests.
  2. Identifying relevant Red Flags for the covered accounts.
  3. Detecting Red Flags.
  4. Responding appropriately to any Red Flags that are detected to prevent and mitigate identity theft.
  5. Ensuring the Program is updated periodically to reflect changes in risks.

ADMINISTRATION OF THE PROGRAM

The VP for Administration & Legislative Affairs shall be responsible for the development, implementation, oversight, and continued administration of the Program. Under the direction of the VP, the Red Flags Committee shall be responsible for performing and conducting the annual risk assessment, providing training, and reviewing and responding to identity theft incidences. The annual report is provided to the Board of Trustees for review.

Definitions

Account. -- A continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household, or business purposes. Account includes an extension of credit, such as the purchase of property or services involving a deferred payment, and a deposit account.

Card Issuer. -- Financial institution or creditor that issues a debit or credit card.

Consumer Reporting Agency. -- Entities that collect and disseminate information about consumers to be used for credit evaluation and certain other purposes.

Consumer Reports. -- Any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

Covered Accounts. -- (1) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and, (2) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Creditor. -- Any person, corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative, or association who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

Customer. -- A person that has a covered account with a financial institution or creditor.

Debit Card. -- Any card issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account of the consumer at such financial institution for the purpose of transferring money between accounts or obtaining money.

Identity Theft. -- A fraud committed or attempted using the identifying information of another person without authority.

Red Flag. -- A pattern, practice, or specific activity that indicates the possible existence of identity theft.              

PROCEDURES

University Agents

Each University department which offers or maintains Covered Accounts will be responsible for managing and protecting information related to covered accounts. Each department will be responsible for taking the proper action to detect, prevent, and mitigate Identity Theft in connection with opening of a Covered Account, which is appropriate to the department’s size, complexity, and the scope of its activities. Specifically, each department should:  

  1. Identify transactions and/or requests related to Covered Accounts.
  2. Identify related potential Red Flags associated with these transactions and requests.
  3. Detect Red Flags that have been incorporated into the Program of the department.
  4. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.

Identifying Covered Account Transactions and Requests

The following situations must be monitored closely for Red Flags:

  1. Opening or closing Covered Accounts.
  2. Inquiries regarding Covered Accounts.
  3. Requests for changes to Covered Accounts.

Identifying Red Flags

The following list represents the general potential Red Flags:

  1. Documents provided for identification appear to have been altered or forged.
  2. The photograph or physical description on the identification is not consistent with the appearance of the student (person) presenting the identification.
  3. A request made from a non-University issued E-mail account.
  4. A request to mail something to an address not listed on file.
  5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.

Detection of Red Flags

The department shall address the detection of red flags in connection with the opening of covered accounts and existing covered accounts, such as:

  1. Obtaining identifying information about, and verifying the identity of, a person opening/closing/changing a covered account; and
  2. Authenticating customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts.

Responding to Red Flags

The Program shall provide for appropriate responses to detected red flags to prevent and mitigate identity theft. The response shall be commensurate with the degree of risk posed.

Once potentially fraudulent activity is detected, an employee must act quickly, as a rapid appropriate response can protect customers and the University from damages and loss. The employee must gather all related documentation and write a description of the situation. This information must be presented to a department supervisor for determination. The supervisor will complete additional authentication to determine whether the attempted transaction was fraudulent or authentic. All incidences will be reported to the Red Flags Committee using the University’s Incidence Report Form.

Appropriate responses to the detection of red flags include:

  1. Monitor a covered account for evidence of identity theft.
  2. Contact the customer.
  3. Change any passwords, security codes or other security devices that permit access to a covered account.
  4. Reopen a covered account with a new account number.
  5. Not open a new covered account.
  6. Close an existing covered account.
  7. Notify law enforcement.
  8. Determine no response is warranted under the particular circumstances.

Red Flags Committee

The Red Flags Committee will be responsible for the following:

  1. Reviewing all incidences and responding if necessary.
  2. Providing training and support to all university agents as necessary.
  3. Performing and conducting risk assessment. Preparation of the Program’s risk assessment includes:
    1. Reviewing FTC Guidelines to ensure proper compliance with the law.
    2. Maintaining and providing incidence report forms and collecting and reviewing past incidences.
    3. Performing internal audits to identify gaps based on incidence reports.
    4. Updating the Red Flags Program, and distributing changes across campus.
    5. Preparing an annual report for the Board of Trustees.

ANNUAL REVIEW OF THE PROGRAM

The program will be re-evaluated annually to determine whether all aspects of the Program are up to date and applicable in the current business environment. This re-evaluation will include:

  1. Annual risk assessment by the Red Flags Committee.
  2. Annual reporting to the Board of Trustees.
  3. Annual distribution and training of the Red Flags Program to relevant employees.
  4. Annual distribution of Code of Conduct to relevant employees.

 

Red Flag Rules Risk Assessment Training

An Overview

1) What is a “Red Flag”?

A “Red Flag” is defined as a pattern, practice, or specific activity that indicates the possible existence of identity theft. Examples of “Red Flag” incidents include presentation of suspicious identity documents or frequent address changes.

The law requires that a Red Flag policy (from which a Red Flag program will be developed) be approved by the organization’s governing board. Oversight of the program is to be assigned to a senior management level staff member, with program reviews conducted annually.

2) What is the rule regarding Red Flags?

The Red Flag rule requires any organization that maintains a “covered account” to establish, document, and maintain an identity theft prevention program that identifies potential Red Flags, detects the occurrence of Red Flags, and appropriately responds to Red Flags.

3) What is a “Covered Account”?

“Covered accounts” are defined as accounts a creditor holds which are designed to allow multiple payments or transactions after services have been delivered.

Specifically, covered accounts are:

  • Accounts offered or maintained, primarily for personal, family, household or commercial (e.g., occupational health, employee screening) purposes, that involve or are designed to permit multiple payments or transactions.
  • Any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the issuing organization from identity theft.

4) What is a “creditor”?

Under the Rules, a creditor is defined as:

  • Any entity that regularly extends, renews, or continues credit.
  • Any entity that regularly arranges for the extension, renewal, or continuation of credit.
  • Any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.

5) UVU and Red Flags:

UVU is subject to Red Flag rules because we participate in or offer:

  • Student tuition and fee payment plans.
  • Human Resources – applies only when credit checks are utilized.
  • Health Insurance and Health Care Providers (Health Sciences and Student Health Services).

Procedures for Each Department

1) University Agents

Each University department which offers or maintains covered accounts will be responsible for managing and protecting information related to covered accounts as well as for taking the proper action to detect, prevent, and mitigate identity theft in connection with opening a covered account, which is appropriate to the department’s size, complexity, and the scope of its activities.

2) Policies, Procedures, and Documentation

Each department should document and include policies and procedures to:

  • Identify transactions and/or requests related to covered accounts.
  • Identify related potential Red Flags associated with these transactions and requests.
  • Detect Red Flags that have been incorporated into the Program of the department.
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.

3) Identifying Covered Accounts Transactions and Requests

The following situations must be monitored closely for Red Flags:

  • Opening or closing covered accounts.
  • Inquiries regarding covered accounts.
  • Requests for changes to covered accounts.

4) Identifying Red Flags

The following list represents the general potential Red Flags:

  • Documents provided for identification appear to have been altered or forged.
  • The photograph or physical description on the identification is not consistent with the appearance of the student (person) presenting the identification.
  • A request made from a non-University issued E-mail account.
  • A request to mail something to an address not listed on file.
  • Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.

5) Detection of Red Flags

The department shall address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as:

  • Obtaining identifying information about, and verifying the identity of, a person opening/closing/changing a covered account; and
  • Authenticating customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts.

6) Responding to Red Flags

Once potentially fraudulent activity is detected, an employee must act quickly, as a rapid appropriate response can protect customers and the University from damage and loss. The employee must gather all related documentation and write a description of the situation. This information must be presented to a department supervisor for determination. The supervisor will complete additional authentication to determine whether the attempted transaction was fraudulent or authentic. All incidences will be reported to the Red Flags Committee using the University’s Red Flags Incidence Report Form.

Appropriate responses to the detection of Red Flags include:

  • Monitor a covered account for evidence of identity theft.
  • Contact the customer.
  • Change any passwords, security codes, or other security devices that permit access to a covered account.
  • Reopen a covered account with a new account number.
  • Not open a new covered account.
  • Close an existing covered account.
  • Notify Law Enforcement.
  • Determine no response is warranted under the particular circumstances.
  • File a “Red Flags Incidence Report Form.”