Presentation on theme: "Red Flag Rules WELCOME Iowa State University Identity Theft Prevention Program."— Presentation transcript:
Red Flag Rules WELCOME Iowa State University Identity Theft Prevention Program

The Reason Behind the Red Flag Rules
More than 10 million Americans are victims of identity theft each year. The total financial losses due to identity theft are estimated to be about $50 billion every year.

Risks to Iowa State University
− Lost productivity
− Reputation
− Fines
− Notification expenses
− Loss of ability to accept payment cards for services rendered (i.e. credit/debit cards, etc.)

Examples of Impacted Departments
− Accounts Receivable
− ID Card Office
− Treasurer’s Office
− Student Financial Aid
− Student Counseling Services
− Office of Admissions
− University Extension
− Department of Residence
− Information Technology Services
− Thielen Student Health Center
− Payroll
− Human Resources

How Information is Obtained
− By stealing purses and wallets
− By stealing checks or credit card information out of the mail
− By completing a “change of address form” to divert mail to another location
− By abusing their employer’s authorized access to customer or employee information
− By getting credit reports through abuse of their employer’s authorized access to them
− By dumpster diving
− By computer hacking

Iowa State University Identity Theft Prevention Program
− A Red Flag is a pattern, practice or specific activity that indicates the possible existence of identity theft or fraud
− The Red Flag Rules were issued by the Federal Trade Commission (FTC) for creditors to develop and implement written identity theft prevention programs as part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)
− Programs must be in place by January 1, 2011 to provide for the identification, detection, and response to patterns, practices, or specific activities, known as “red flags”, that could indicate identity theft

The FTC regulations, known as the Red Flag Rules, are organized into three parts:
1. Duties of users of consumer reports regarding address discrepancies.
2. Duties of creditors regarding the detection, prevention and mitigation of identity theft.
3. Duties of card issuers regarding changes of address. (Not applicable to ISU)
− Users of consumer reports must develop reasonable policies and procedures to verify the identity of consumers and confirm their addresses, when necessary
− Applies to any areas of ISU that utilize consumer reporting agencies (Equifax, Experian, TransUnion) for any reason, i.e. credit or background checks for loans or collection purposes, or for new hire applicants

It has been determined by university legal counsel that Iowa State University is a “creditor” as defined by the Red Flag Rules for the following reasons:
− Regularly extend, renew, or continue credit for student and employee accounts involving student loans, institutional loans and payment for services received over time.

Identity Theft Prevention Program
1. Identify relevant red flags for covered accounts ISU offers or maintains and incorporate those red flags into the program
2. Detect red flags that have been incorporated into the program
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft
4. Assure the program is updated periodically to reflect changes and risks involving possible identity theft and fraud

Definitions: Covered Accounts
A covered account is a consumer account used by customers of ISU primarily for personal, family, or household purposes that is designed to permit multiple payments or transactions. These are accounts where payments are deferred and made by the customer (borrower) periodically over time. At ISU, a covered account includes the following:
1. Participation in the following Federal student loan programs: Perkins Loan, Health Profession Student Loan and Loans for Disadvantaged Students;
2. Participation in institutional loans to students, faculty or staff
3. Participation in a plan for payment of tuition or fees throughout the semester, rather than requiring full payment at the beginning of the semester
4. Participation in a plan for payment for services received over time rather than requiring full payment upon receipt of services
5. Participation in other services provided by third party service providers that satisfy the definition of a covered account

Definitions:
Creditor: A creditor is a person or entity that regularly extends, renews, or continues credit and any person or entity that regularly arranges for the extension, renewal, or continuation of credit.
Customer: A customer is a person or entity that has a covered account with ISU. Customer includes students, faculty, staff and persons or entities doing business with ISU.
Service Provider: A service provider is a third party that is contracted to provide outsourced operations directly to ISU customers that are related to a covered account.
Identity Theft: Identity theft is a fraud committed or attempted using the identifying personal information of another person.

Definitions: Personal Information
Specific items of personal information identified in Iowa Code Section 715C.1(11). This information includes an individual’s name in combination with any one or more of the following data elements: Social Security number, Driver’s license number, Health insurance information, Medical information, or Financial account number (such as a credit card number, debit card number or bank account number) or an ISU issued university identification number (UID) when the numbers are in combination with any required security code, access code, or password that would permit access to an individual’s financial account or the ISU AccessPlus account for an individual.

Can You Detect the Identity Thieves?

DETER
In order to identify relevant Red Flags within its covered accounts, ISU considers the types of accounts that it offers and maintains, methods it provides to open its accounts, methods it provides to access its accounts, and its previous experiences with identity theft.
Any time a Red Flag, or a situation closely resembling a Red Flag, is detected, it should be evaluated by ISU personnel for verification of the person or entity involved and implementation of an appropriate response pursuant to Section 5 of the Identity Theft Prevention Program.
A. Alerts received by ISU from a Credit Reporting Agency
B. Suspicious Documents
C. Suspicious Personal Identifying Information
D. Unusual Use or Suspicious Account Activity
E. Notice from Others Indicating Possible Identity Theft

DETECT
In order to detect any of the Red Flags identified in Section 3 of the Identity Theft Prevention Program that are associated with the opening of a covered account for a customer or for monitoring transactions on an existing covered account, ISU personnel will take one or more of the following steps to obtain and verify the identity of the person opening a covered account or using an existing covered account in accordance with the written operational policies of the unit that manages the covered account:
A. Require certain identifying information such as name; date of birth; residential, business or in-session university address; or other identification in conjunction with a signature and/or other communication with the person or entity whose covered account is involved;
B. Presentation of an ISU Card or government issued photo identification document and determining that the image matches appearance of the customer and the document has not been altered, forged or destroyed and reassembled.
C. Verify any changes made electronically to financial information contained in a covered account by e-mailing customers to alert them to changes made to their account.

DEFEND
In the event ISU personnel detect any identified Red Flags, such personnel shall respond depending on the degree of risk posed by the Red Flag. The appropriate responses to the relevant Red Flags can include any one or more of the following:
A. Deny access to the covered account until other information is available to eliminate the Red Flag;
B. Contact the customer to advise that a fraud has been attempted on their covered account;
C. Change any passwords, security codes or other security devices that permit access to a covered account;
D. Notify law enforcement; or
E. Determine that no response is warranted under the particular circumstances.

Responsibility for Compliance
Under the university's Identity Theft Prevention Program, ISU employees have a responsibility to obtain and verify the identity of persons opening or using covered accounts. ISU employees are expected to notify the program administrator (i.e., the director of Accounts Receivable) if they become aware of an incident of identity theft or of failure to comply with the program. At least annually or as otherwise requested by the program administrator, ISU staff responsible for development, implementation, and administration of the program shall report to the program administrator on compliance with this program.

Program Administration
A. Oversight by an Identity Theft Prevention Committee
− lies with the Vice President for Business and Finance
− Program Administrator shall be the Director of Accounts Receivable Office with the following duties:
− Training of ISU staff on the program, reviewing related reports, determining steps for detecting and defending against identity theft, and considering periodic updates to the program
B. Staff Training and Reports
C. Identity Theft Prevention Program Updates

Service Providers
A. ISU remains responsible for compliance with the Red Flag Rules even if it outsources operations regarding covered accounts to a third party service provider. In the event ISU engages a service provider to perform an activity in connection with one or more covered accounts, ISU will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
B. A service provider that maintains its own Identity Theft Prevention Program, consistent with the guidance of the Red Flag Rules and validated by appropriate due diligence, may be considered to be meeting these requirements.

Test Your Red Flag Rules Knowledge…
1. The Red Flag Rules apply to anyone who deals with financing and credit, including car dealerships, banks, physicians' offices, retail merchants, mortgage companies, and cell phone carriers.
o a. True
o b. False
The Red Flag Rules apply to any person or entity which maintains covered accounts, no matter what business they are in.

Test Your Red Flag Rules Knowledge…
2. Under the Red Flag Rules, all "covered accounts" must be marked with a small red flag symbol.
o a. True
o b. False

Test Your Red Flag Rules Knowledge…
3. Personal Identification Information (PII) includes:
o a. Any name or number
o b. Any name or number, used alone or in conjunction with any other information
o c. Any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual
o d. None of the above

Test Your Red Flag Rules Knowledge…
4. "Suspicious" refers to which of the following:
o a. Inconsistent signatures on file
o b. Driver’s license photo doesn’t match person
o c. Inability to recall mother’s maiden name
o d. Phone number given is answered by prison switchboard
o e. Any and all of the above

Test Your Red Flag Rules Knowledge…
5. Which of the following is NOT a required part of an Identity Theft Prevention Program?
o a. Reasonable policies and procedures to identify potential "red flags"
o b. Dedicated phone line for customers to call in identity theft reports
o c. Specific procedures to detect the "red flags" identified as potential threats
o d. Appropriate actions to take when "red flags" are detected
o e. A plan for regularly re-evaluating the program

Test Your Red Flag Rules Knowledge…
6. Red Flag procedures must be "fully implemented" by December 31, That means:
o a. ...the procedures just have to be written and accessible to everyone
o b. ...the procedures have to be written and everyone needs to be trained to use them

Test Your Red Flag Rules Knowledge…
7. After you have identified the red flags of ID Theft that you’re likely to come across in your business, what do you do next?
o a. Set up procedures to detect those red flags in your day-to-day operations
o b. Train all employees who will use the procedures.
o c. Decide what actions to take when a red flag is detected
o d. Periodically review your list of red flags to be sure they are still relevant
o e. All of the above

Test Your Red Flag Rules Knowledge…
8. Because the federal Red Flag Rules are so comprehensive, Iowa's state laws concerning identity theft prevention no longer apply.
o a. True
o b. False
There is no pre-emption clause included in the Red Flag Rules, so both sets of laws must be considered.

Test Your Red Flag Rules Knowledge…
9. The one thing you will NOT do when you finish this test is:
o a. Identify which of your accounts are "covered" and develop some policies and procedures for how to identify red flags associated with those accounts
o b. Plan training for your employees who will need to be able to detect red flags
o c. Ignore this training and go on with your work because it's the way things have always been done
o d. Report any known or suspected red flags immediately

Test Your Red Flag Rules Knowledge…
10. The purpose of the Red Flag Rules is:
o a. To detect the warning signs – or “red flags” – of identity theft in day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts
o b. To add one more item of busy-work to already overloaded staff, since there's no way to really prevent Identity Theft

QUESTIONS?
Contact:
− Director of Accounts Receivable - Duane Reeves

WEBSITES
− Federal Trade Commission – Fair Credit Reporting – Major Links - you can find the How-To Guide for Red Flag Rules on this website
− PCI Security Standards Council website https://www.pcisecuritystandards.org/
− PCI Security Standards Council Quick Reference Guide https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
− Treasury Institute for Higher Education Listing of breaches for 2009