Red Flag Rules WELCOME Iowa State University Identity Theft Prevention Program.
Red Flag Rules
WELCOME
Iowa State University Identity Theft Prevention Program
The Reason Behind the Red Flag Rules
• More than 10 million Americans are victims of identity theft each year.
• The total financial losses due to identity theft are estimated to be about $50 billion every year.
Risks to Iowa State University
• Lost productivity
• Reputation
• Fines
• Notification expenses
• Loss of ability to accept payment cards for services rendered (e.g. credit/debit cards)
Examples of Impacted Departments
• Accounts Receivable
• ID Card Office
• Treasurer’s Office
• Student Financial Aid
• Student Counseling Services
• Office of Admissions
• University Extension
• Department of Residence
• Information Technology Services
• Thielen Student Health Center
• Payroll
• Human Resources
How Information is Obtained
• By stealing purses and wallets
• By stealing checks or credit card information out of the mail
• By completing a “change of address form” to divert mail to another location
• By abusing their employer’s authorized access to customer or employee information
• By abusing their employer’s authorized access to obtain credit reports
• By dumpster diving
• By computer hacking
Iowa State University Identity Theft Prevention Program
• A Red Flag is a pattern, practice or specific activity that indicates the possible existence of identity theft or fraud.
• The Red Flag Rules, issued by the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), require creditors to develop and implement written identity theft prevention programs.
• By January 1, 2011, programs must be in place that provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.
The FTC regulations, known as the Red Flag Rules, are organized into three parts:
1. Duties of users of consumer reports regarding address discrepancies.
2. Duties of creditors regarding the detection, prevention and mitigation of identity theft.
3. Duties of card issuers regarding changes of address. (Not applicable to ISU)
Users of consumer reports must develop reasonable policies and procedures
• to verify the identity of consumers, and
• to confirm their addresses, when necessary.
• This applies to any areas of ISU that utilize consumer reporting agencies (Equifax, Experian, TransUnion) for any reason, e.g. credit or background checks for loans or collection purposes, or for new hire applicants.
It has been determined by university legal counsel that Iowa State University is a “creditor” as defined by the Red Flag Rules for the following reason:
ISU regularly extends, renews, or continues credit for student and employee accounts involving student loans, institutional loans and payment for services received over time.
Identity Theft Prevention Program
1. Identify relevant red flags for covered accounts ISU offers or maintains and incorporate those red flags into the program
2. Detect red flags that have been incorporated into the program
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft
4. Assure the program is updated periodically to reflect changes and risks involving possible identity theft and fraud
Definitions: Covered Accounts
A covered account is a consumer account used by customers of ISU primarily for personal, family, or household purposes that is designed to permit multiple payments or transactions. These are accounts where payments are deferred and made by the customer (borrower) periodically over time. At ISU, a covered account includes the following:
1. Participation in the following Federal student loan programs: Perkins Loan, Health Profession Student Loan and Loans for Disadvantaged Students;
2. Participation in institutional loans to students, faculty or staff
3. Participation in a plan for payment of tuition or fees throughout the semester, rather than requiring full payment at the beginning of the semester
4. Participation in a plan for payment for services received over time rather than requiring full payment upon receipt of services
5. Participation in other services provided by third party service providers that satisfy the definition of a covered account
Definitions:
Creditor
A creditor is a person or entity that regularly extends, renews, or continues credit and any person or entity that regularly arranges for the extension, renewal, or continuation of credit.
Customer
A customer is a person or entity that has a covered account with ISU. Customer includes students, faculty, staff and persons or entities doing business with ISU.
Service Provider
A service provider is a third party that is contracted to provide outsourced operations directly to ISU customers that are related to a covered account.
Identity Theft
Identity theft is a fraud committed or attempted using the identifying personal information of another person.
Definitions: Personal Information
Personal information means the specific items of personal information identified in Iowa Code Section 715C.1(11). This information includes an individual’s name in combination with any one or more of the following data elements:
• Social Security number,
• Driver’s license number,
• Health insurance information,
• Medical information, or
• Financial account number (such as a credit card number, debit card number or bank account number) or an ISU issued university identification number (UID) when the numbers are in combination with any required security code, access code, or password that would permit access to an individual’s financial account or the ISU AccessPlus account for an individual.
Can you Detect the Identity Thieves?
DETER
In order to identify relevant Red Flags within its covered accounts, ISU considers the types of accounts that it offers and maintains, methods it provides to open its accounts, methods it provides to access its accounts, and its previous experiences with identity theft. Any time a Red Flag, or a situation closely resembling a Red Flag, is detected, it should be evaluated by ISU personnel for verification of the person or entity involved and implementation of an appropriate response pursuant to Section 5 of the Identity Theft Prevention Program.
A. Alerts received by ISU from a Credit Reporting Agency
B. Suspicious Documents
C. Suspicious Personal Identifying Information
D. Unusual Use or Suspicious Account Activity
E. Notice from Others Indicating Possible Identity Theft
DETECT
In order to detect any of the Red Flags identified in Section 3 of the Identity Theft Prevention Program that are associated with the opening of a covered account for a customer or for monitoring transactions on an existing covered account, ISU personnel will take one or more of the following steps to obtain and verify the identity of the person opening a covered account or using an existing covered account in accordance with the written operational policies of the unit that manages the covered account:
A. Require certain identifying information such as name; date of birth; residential, business or in-session university address; or other identification in conjunction with a signature and/or other communication with the person or entity whose covered account is involved;
B. Require presentation of an ISU Card or government issued photo identification document and determine that the image matches the appearance of the customer and that the document has not been altered, forged or destroyed and reassembled;
C. Verify any changes made electronically to financial information contained in a covered account by e-mailing customers to alert them to changes made to their account.
DEFEND
In the event ISU personnel detect any identified Red Flags, such personnel shall respond depending on the degree of risk posed by the Red Flag. The appropriate responses to the relevant Red Flags can include any one or more of the following:
A. Deny access to the covered account until other information is available to eliminate the Red Flag;
B. Contact the customer to advise that a fraud has been attempted on their covered account;
C. Change any passwords, security codes or other security devices that permit access to a covered account;
D. Notify law enforcement; or
E. Determine that no response is warranted under the particular circumstances.
Responsibility for Compliance
• Under the university's Identity Theft Prevention Program, ISU employees have a responsibility to obtain and verify the identity of persons opening or using covered accounts.
• ISU employees are expected to notify the program administrator (i.e., the director of Accounts Receivable) if they become aware of an incident of identity theft or of failure to comply with the program.
• At least annually or as otherwise requested by the program administrator, ISU staff responsible for development, implementation, and administration of the program shall report to the program administrator on compliance with this program.
Program Administration
A. Oversight by an Identity Theft Prevention Committee
− Oversight lies with the Vice President for Business and Finance
− The Program Administrator shall be the Director of the Accounts Receivable Office, with the following duties: training of ISU staff on the program, reviewing related reports, determining steps for detecting and defending against identity theft, and considering periodic updates to the program
B. Staff Training and Reports
C. Identity Theft Prevention Program Updates
Service Providers
A. ISU remains responsible for compliance with the Red Flag Rules even if it outsources operations regarding covered accounts to a third party service provider. In the event ISU engages a service provider to perform an activity in connection with one or more covered accounts, ISU will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
B. A service provider that maintains its own Identity Theft Prevention Program, consistent with the guidance of the Red Flag Rules and validated by appropriate due diligence, may be considered to be meeting these requirements.
Test Your Red Flag Rules Knowledge…
1. The Red Flag Rules apply to anyone who deals with financing and credit, including car dealerships, banks, physicians' offices, retail merchants, mortgage companies, and cell phone carriers.
a. True
b. False
The Red Flag Rules apply to any person or entity which maintains covered accounts, no matter what business they are in.
2. Under the Red Flag Rules, all "covered accounts" must be marked with a small red flag symbol.
a. True
b. False
3. Personal Identification Information (PII) includes:
a. Any name or number
b. Any name or number, used alone or in conjunction with any other information
c. Any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual
d. None of the above
4. "Suspicious" refers to which of the following:
a. Inconsistent signatures on file
b. Driver’s license photo doesn’t match person
c. Inability to recall mother’s maiden name
d. Phone number given is answered by prison switchboard
e. Any and all of the above
5. Which of the following is NOT a required part of an Identity Theft Prevention Program?
a. Reasonable policies and procedures to identify potential "red flags"
b. A dedicated phone line for customers to call in identity theft reports
c. Specific procedures to detect the "red flags" identified as potential threats
d. Appropriate actions to take when "red flags" are detected
e. A plan for regularly re-evaluating the program
6. Red Flag procedures must be "fully implemented" by December 31, 2010. That means:
a. ...the procedures just have to be written and accessible to everyone
b. ...the procedures have to be written and everyone needs to be trained to use them
7. After you have identified the red flags of ID Theft that you’re likely to come across in your business, what do you do next?
a. Set up procedures to detect those red flags in your day-to-day operations
b. Train all employees who will use the procedures
c. Decide what actions to take when a red flag is detected
d. Periodically review your list of red flags to be sure they are still relevant
e. All of the above
8. Because the federal Red Flag Rules are so comprehensive, Iowa's state laws concerning identity theft prevention no longer apply.
a. True
b. False
There is no pre-emption clause included in the Red Flag Rules, so both sets of laws must be considered.
9. The one thing you will NOT do when you finish this test is:
a. Identify which of your accounts are "covered" and develop some policies and procedures for how to identify red flags associated with those accounts
b. Plan training for your employees who will need to be able to detect red flags
c. Ignore this training and go on with your work because it's the way things have always been done
d. Report any known or suspected red flags immediately
10. The purpose of the Red Flag Rules is:
a. To detect the warning signs – or “red flags” – of identity theft in day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts
b. To add one more item of busy-work to already overloaded staff, since there's no way to really prevent Identity Theft
QUESTIONS?
Contact:
− Director of Accounts Receivable: Duane Reeves
− 515-294-7388
WEBSITES
Federal Trade Commission – Fair Credit Reporting – Major Links (you can find the How-To Guide for Red Flag Rules on this website)
http://www.ftc.gov/os/statutes/fcrajump.shtm
PCI Security Standards Council website
https://www.pcisecuritystandards.org/
PCI Security Standards Council Quick Reference Guide
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
Treasury Institute for Higher Education
http://www.treasuryinstitute.org/
Listing of breaches for 2009
http://www.identitytheft.info/breaches09.aspx