Red Flags Rule - Identity Theft Prevention Program
The purpose of this policy is to establish a Red Flags Rule Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program. The Program shall include reasonable policies and procedures to:
- Identify relevant Red Flags for covered accounts the University offers or maintains and incorporate those Red Flags into its Program;
- Detect Red Flags that have been incorporated into the Program of the University;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
- Ensure the Program is updated periodically to reflect changes in risks to students and borrowers and to the safety and soundness of the University from identity theft.
The Program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.
Existing Policies and Practices
The University has policies to ensure compliance with the Gramm-Leach-Bliley Act (GLB), the Family Educational Rights and Privacy Act (FERPA), system and application security, and internal control procedures, which provide an environment where identity theft opportunities are mitigated. Records are safeguarded to ensure the privacy and confidentiality of student and borrower records.
In addition, the University adheres to the following practices:
- All paper files are kept in locked offices and/or filing cabinets while not being used.
- Access to confidential information is limited to only those employees who need access in order to properly perform the duties for which they were hired.
- Employees with access to confidential information understand that this is confidential business information and is not to be discussed with anyone who does not “need to know.”
- Identity theft means fraud committed or attempted using the identifying information of another person without authority.
- Account means a continuing relationship established by a person with the creditor to obtain a product or service for personal purposes. Account includes an extension of credit involving a deferred payment.
- Covered account means an account that a creditor offers or maintains primarily for personal purposes that involves or is designed to permit multiple payments or transactions.
- Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
- The University participates in the Federal Perkins Loan Program
- The University offers and establishes student payment plans
Identifying Relevant Red Flags
- The photograph or physical description on the identification is not consistent with the appearance of the student or borrower presenting the identification.
- The SSN provided is the same as that submitted by other students or borrowers.
- The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other students or borrowers.
- The person opening the covered account or the student or borrower fails to provide all required personal identifying information on an application or in response to notification that the application is complete.
- A covered account is used in a manner that is not consistent with established patterns of activity on the account – nonpayment when there is no history of late or missed payments.
- The University is notified of unauthorized charges or transactions in connection with a student or borrower’s covered account.
- The University is notified by a student or borrower, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
Detecting Red Flag Activity
Covered accounts are opened as follows:
- Federal Perkins Loan Program
- Perkins borrowers sign their promissory notes using an electronic signature, which requires a PIN number that is unique to each borrower.
- Perkins borrowers can allow a third party to have access to their account information by completing the FERPA form in the electronic exit interview process. If no one is listed, a third party will not have access to any account information without the borrower’s written permission. The borrower can log on to the exit site at any time to update this information if he or she decides that it would be beneficial for another party to have access to account information.
Student Payment Plans
Students must call, e-mail, or come into the Director of Student Account’s Office to request their account be placed on a tuition payment plan.
Responding to Red Flags
The Program shall provide for appropriate responses to detected red flags to prevent and mitigate identity theft. The appropriate responses to the relevant red flags are as follows:
- Contacting the student or borrower;
- Changing any passwords, security codes, or other security devices that permit access to a covered account;
- Reopening a covered account with a new account number;
- Closing an existing covered account;
- Not attempting to collect on a covered account;
- Notifying law enforcement; and/or
- Determining that no response is warranted under the particular circumstances.
Updating the Program
The University will update the Program annually in December to reflect changes in risks to students or borrowers or to the safety and soundness of the University from identity theft, based on factors such as:
- The experiences of the University with identity theft;
- Changes in methods of identity theft;
- Changes in methods to detect, prevent, and mitigate identity theft; and
- Changes in the types of accounts that the University offers or maintains.
Oversight of Service Provider Arrangements
The University shall take steps to ensure that the activity of a service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft whenever the University engages a service provider to perform an activity in connection with one or more covered accounts.
Currently the University uses Campus Partners to administer the Perkins Loan Program. Students contact Campus Partners directly through its website or by telephone and provide personal identifying information to be matched to the records that the University has provided to Campus Partners.