Presentation on theme: "The Minnesota State Colleges and Universities system is an Equal Opportunity employer and educator. The Red Flag Rule Detecting, Preventing, and Mitigating."— Presentation transcript:
The Minnesota State Colleges and Universities system is an Equal Opportunity employer and educator. The Red Flag Rule Detecting, Preventing, and Mitigating Identity Theft
Slide 2 The Goals of This Training To define commonly used terms related to Identity Theft. To explain the federal rules intended to prevent Identity Theft. To assist you in developing unit-specific procedures that will comply with the Identity Theft Prevention Program approved by the Board of Trustees. Frequency of Training This Red Flag Rule training module is recommended for all college and university workforce members who have access to consumer reports and/or financial accounts.
Slide 3 Flag Noun: A piece of cloth, usually rectangular, of distinctive color and design, used as a symbol, standard, signal, or emblem. Verb: To communicate by means of such devices as lights or signs.
Slide 4 Red Flag A warning signal. Something that demands attention or provokes an irritated reaction.
Slide 5 Identity Theft – Red Flag A pattern, practice, or specific activity that indicates the possible existence of identity theft.
Slide 6 The Red Flag Rules In November 2007, final rules were issued by the Federal Trade Commission to implement the Identity Theft Red Flags Rule (16 CFR Part 681). The Rule applies to many businesses and organizations, but specifically financial institutions and creditors that offer or maintain specific types of accounts. The Rule requires the implementation of a written Identity Theft Prevention Program designed to detect the warning signs – the "red flags" – of identity theft in daily operations.
Slide 7 How Does this Rule Apply to us? "The Red Flags Rules and Guidelines seek to ensure that financial institutions and creditors are alert for signs or indicators that an identity thief is actively misusing another individual’s sensitive data, typically to obtain products or services from the institution or creditor." (FTC - Red Flags FAQs) We come under the definition of a financial institution if we "directly or indirectly hold a transaction account belonging to a consumer." We fall within the definition of a creditor if, "within the ordinary course of business, we regularly : –"obtain or use consumer reports in connection with a credit transaction; –"furnish information to consumer reporting agencies in connection with a credit transaction; or –"advance funds to -- or on behalf of -- someone, except for funds for expenses incidental to a service provided by the creditor to that person*.“
Slide 8 Covered Accounts "The Red Flags Rules require financial institutions and creditors that offer or maintain covered accounts to have policies and procedures to identify patterns, practices, or activities that indicate the possible existence of identity theft..." (FTC - Red Flags FAQs) A ‘covered account’ is any account that creditor offers or maintains: –Primarily for personal, family, or household purposes (not business purposes), and –That involves or is designed to permit multiple payments or transactions. –A covered account is also one for which there is a reasonably foreseeable risk, to customers or to the safety and soundness of the creditor, from identify theft. These may include business accounts. Simply accepting credit cards as a form of payment does not make you a "creditor" under the Red Flags Rule. But, if you offer a debit or credit card, arrange credit for your customers, or extend credit by selling customers goods or services now and billing them later, you are a "creditor" under the law.
Slide 9 Where the Rule Applies The Red Flags Rule is actually three different but related rules- all of which apply to the following areas at your school: –(681.1) Users of Consumer Reports –(681.2) Holders of ‘Covered Accounts’ –(681.3) Issuers of Debit and Credit Cards
Slide 10 Users of Consumer Reports (681.1) Users of consumer reports must develop reasonable policies and procedure s –To verify the identity of consumers and –Confirm their addresses, when necessary. –Applies to any areas of the college or university that utilize consumer reporting agencies (Equifax, Experion, TransUnion) for any reason, i.e. credit or background checks for loans or collection purposes, or for new hire applicants.
Slide 11 Account Holders (681.2) “(Holders of)…’covered accounts’must develop and implement written procedures for both new and existing accounts.” –This provision applies to any areas of colleges and universities that issue any type of credit. For example: Perkins Loans Housing or Transportation Payment Plans Student Deferred Payment Plans Faculty Group Practices
Slide 12 Debit and Credit Card Issuers (681.3) Debit and credit card issuers must develop reasonable policies and procedures to assess the validity of a request for change of address followed closely by a request for an additional or replacement card.
Slide 13 Identifying Red Flags Now that you know about the Red Flags Rule, how does it apply to you? A Red Flag, or any situation closely resembling one, should be investigated/ The following are potential indicators of fraud: Alerts, notifications, or other warnings from credit agencies Suspicious documents or personal identifying information Unusual or suspicious account activities Notices from customers, victims of identity theft, law enforcement authorities, or others
Slide 14 Alerts, Notifications, and Warnings Watch for these notices from consumer reporting agencies, service providers, or fraud detection services: –An active duty alert or a fraud alert included with a consumer report; –A notice of credit freeze in response to a request for a consumer report; or –A notice of address discrepancy. You’ll need to add a procedure for appropriate responses to notices.
Slide 15 Suspicious Documents Identification documents that appear to have been altered or forged. The photograph or physical description on an ID that doesn’t match the customer presenting it. Information on the identification that is inconsistent with other information provided or readily accessible, such as a signature card or a recent check. An application or document that appears to have been destroyed and reassembled.
Slide 16 Suspicious Personal Information Personal Identifying Information (PII) provided is inconsistent with PII that is on file, or when compared to external sources. For example, –The address does not match any address in the consumer report; –The SSN has not been issued or is listed on the Social Security Administration’s Death Master File; –There is a lack of correlation between the SSN range and date of birth.
Slide 17 Fradulent Personal Information PII provided is associated with known fraudulent activity, or is of a type commonly associated with fraudulent activity. For example, –The address on a document is the same as the address provided on a known fraudulent document; –The address on a document is fictitious, a mail drop, or a prison; –The phone number is invalid or is associated with a pager or answering service.
Slide 18 Just how suspicious….? Would you be concerned if....a SSN provided for an account is the same as one provided by another person for a different account? –How would you know? …the person opening an account fails to provide all the required personal identifying information on an application and then doesn’t respond to notices that the application is incomplete? –What do you do next? …a person requesting access to “their” account cannot answer the security questions (mother’s maiden name, pet’s name, etc.)? –How do you handle this?
Slide 19 Looking Below the Surface Sometimes fraudulent activity is not that obvious. Do you know what to do if… -mail sent to the account-holder is returned repeatedly as undeliverable although transactions continue to be conducted in connection account? -the institution is notified that a customer is not receiving paper account statements, even though they are being mailed and not returned?
Slide 20 On the Other Hand… Sometimes the problem is obvious, but do you know the procedure when.. –The institution receives a notice regarding possible identity theft in connection with Covered Accounts held by your unit? –The institution is notified that your department has opened a fraudulent account for a person engaged in identity theft?
Slide 21 Responding to Red Flags Report known and suspected fraudulent activity immediately -to protect both customers and the school from damages and loss: Gather all related documentation. Complete a incident report. Provide a complete description of the situation. Send the report to your supervisor.
Slide 22 Taking Action If a transaction is or appears to be fraudulent, take appropriate action: –Cancel the transaction. –Notify supervisor. Additional cooperation and assistance may be required with: –Notification and cooperation with appropriate law enforcement. –Determining the extent of liability of the school. –Notifying the customer that fraud has been attempted.
Slide 23 Moving Beyond the Mandate The Red Flag Rules address external threats, but what about internal threats? All personnel working with data should understand the following: –Is your area “data-rich”? –Do you know where all your data is? –Is access to the data strictly controlled? –Do you have both orientation and termination procedures related to data? Be Aware: Identity Theft is the #1 “white collar” crime in the US!
Slide 24 It’s all about security Here’s how to avoid becoming an ID Theft statistic. –Store restricted information on secure servers, not on your workstation. –Password protect your computer and set your screensaver to come on automatically. –Avoid providing restricted data over the telephone or by email. –Place all restricted data documents in secure bins for shredding. – Review Board Policy 5.22 Acceptable Use of Computers and Information Technology ResourcesReview Board Policy 5.22 Acceptable Use of Computers and Information Technology Resources
Slide 25 RESOURCES Red Flags Website –The Federal Trade Commissions’s information page http://www.ftc.gov/redflagsrulehttp://www.ftc.gov/redflagsrule –Protect Social Security Numbers
Slide 26 Identity Theft Prevention Program The Minnesota State Colleges and Universities Board of Trustee approved the initial program on March 18, 2009. This document may be viewed at: http://finance.mnscu.edu/accounting/campustools/d ocs/redflag_idtheftprevprgrm_2009031.pdf
Slide 27 Thank you for reading the presentation. The next step will be to take a short quiz. Once you have completed the quiz, print out the last page and present it to the Red Flag Coordinator at your campus. You may find the quiz at: http://www.finance.mnscu.edu/accounting/ca mpustools/redflagtraining.html This presentation was developed with the permission of the University of Florida URL: http://privacy.health.ufl.edu/RedFlag/http://privacy.health.ufl.edu/RedFlag/