The FTC issued the Red Flags Rule under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT Act), which amended the Fair Credit Reporting Act (FCRA). The rule requires "financial institutions" and "creditors" that hold "covered accounts" to develop and implement a written identity theft prevention program for new and existing accounts. While aimed primarily at financial institutions, parts of the rule cover many colleges and universities, and the FTC has stated that nonprofit and government entities can be subject to parts of the rule. To comply with the Red Flags Rule, Hamline University (“HU”) developed this Identity Theft Prevention Program (“Program”).
Definitions and Program
A. Red Flags Rule Definitions Used in this Program
- Identity Theft is a fraud committed or attempted using the identifying information of another person without authority.
- A Red Flag is a pattern, practice, or specific activity that indicates the possibility of identity theft.
- A Covered Account is a consumer account that involves multiple payments or transactions, such as a loan that is billed or payable monthly.
- The Program Administrator is the individual designated with primary responsibility for oversight of the program. The Information Security Officer for HU will serve as the Program Administrator.
- Identifying information is any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer’s Internet Protocol address, or routing code.
B. Fulfilling Requirements of the Red Flags Rule
Under the Red Flags Rule, HU is required to establish an Identity Theft Prevention Program tailored to the size, complexity and the nature of its operation. Due to the limited number and scope of covered accounts, the risk level at HU is low. A student’s identity is verified at the time of admission. This is essentially when any “account” is opened. This program must contain reasonable policies and procedures to:
- Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the Program;
- Detect Red Flags that have been incorporated into the Program;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
- Ensure the Program is updated periodically to reflect changes in risks to students or to the safety and soundness of the student from identity theft.
C. Covered Accounts at Hamline University
HU has identified the following accounts that are considered covered accounts per the above definition.
- Deferment of tuition payments through Special Payment Agreements
- Deferment of tuition payments through the Employer Reimbursement Program
- Perkins loans
- Emergency loans
In addition, HU has identified these service provider covered accounts:
- Tuition payment plan administered by Tuition Management Systems (TMS)
- Perkins Loan servicing by University Accounting Service (UAS)
Identification of Relevant Red Flags
The Program identifies the following red flags:
A. Documents provided for identification appear to have been altered or forged;
B. The photograph or physical description on the identification is not consistent with the appearance of the person presenting the identification;
C. A request to mail something to an address not listed on file;
D. A request to email identifying information to an unknown and unverified email address;
E. Alerts, notifications, and warnings from a Credit Reporting Company, including a fraud or active duty alert on a credit report; and
F. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
Detect Red Flags
The Program defines the following procedures to detect red flags:
A. Request picture ID. Due to the low risk, an HU ID card is sufficient unless the card shows evidence of tampering or alteration. At that point, a government issued ID card will be requested.
B. Examine ID and documents for evidence of tampering;
C. On the phone, ask identifying questions (more specific than SSN, date of birth, mother’s maiden name, or mailing address). A list of suggested questions will be developed prior to training.
D. Monitor suspicious activity on account such as change in payment pattern;
E. Monitor and record returned mail.
F. Verify addresses in the system prior to sending any personal identification information by mail.
G. Deny requests to send personal identification information via email.
Responding to Red Flags
The Program shall provide for appropriate responses to detected red flags to prevent and mitigate identity theft. The appropriate responses to the relevant red flags are as follows:
A. The staff member will report any possible instances of identity theft to his/her direct supervisor. The supervisor, in consultation with the Program Administrator if necessary, will determine if further action is required.
B. Monitor account for evidence of identity theft;
C. Deny access to the covered account until other information is available to eliminate the red flag;
D. Contact the student;
E. Change any passwords, security codes or other security devices that permit access to a covered account;
F. Notify law enforcement; or
G. Determine no response is warranted under the particular circumstances.
Oversight of the Program
Responsibility for developing, implementing and updating this Program lies with the Vice President for Finance. The Program Administrator ensures that:
A. Appropriate HU staff are trained;
B. Staff reports regarding the detection of Red Flags are reviewed;
C. Steps for preventing and mitigating Identity Theft are taken;
D. Periodic review of the Program is conducted; and
E. A report on the effectiveness of the Program and results over the previous reporting period will be provided annually.
Updating the Program
At periodic intervals or as required, this policy will be re-evaluated by the Program Administrator to determine whether all aspects of the program are up to date and applicable in the current business environment. The following factors may lead to a re-evaluation or review:
A. The experiences of HU with identity theft;
B. Changes in methods of identity theft;
C. Changes in methods to detect, prevent, and mitigate identity theft;
D. Changes in the types of accounts that HU offers or maintains; and
E. Changes in the business arrangements of HU, including service provider arrangements.
After considering these factors, the Program Administrator in consultation with the Vice President for Finance will determine whether changes to the Program, including the listing of Red Flags, are warranted.
HU staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected. Training will include Student Accounts staff members, Student Service Administrators, and staff members in the Deans’ Offices who work with the Emergency Loan Program.
Oversight of Service Provider Arrangements
It is the responsibility of the Program Administrator to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
A. A service provider that maintains its own identity theft prevention program, consistent with the guidance of the Red Flags Rule and validated by appropriate due diligence, may be considered to be meeting these requirements.
B. Any specific requirements should be specifically addressed in the appropriate contract arrangements.
C. All contracts for service providers that fall under the Red Flags Rule should expressly set forth that the service provider maintains an identity theft program of its own or that it is subject to the school’s program.
This program was developed with oversight and approval of the Finance Committee of the Board of Trustees. After consideration of the size of the University's operations and account systems, and the nature and scope of the University's activities, the Board of Trustees determined that this Program was appropriate for Hamline University, and therefore approved this Program on May 15, 2009.