The University of Alabama in Huntsville Identity Theft Prevention (Red Flags Rule) Policy


Office of Risk Management and Compliance

THE UNIVERSITY OF ALABAMA IN HUNTSVILLE
IDENTITY THEFT PREVENTION (RED FLAGS RULE) POLICY
INTERIM

Number: 06.09.03
Division: Finance and Administration – Office of Risk Management and Compliance
Date: May 2022

PURPOSE

The University of Alabama in Huntsville (UAH), also referred to herein as "University" or "UAH," recognizes some of its activities are subject to the Federal Trade Commission's ("FTC") Red Flags Rule regulation (16 CFR § 681.1), which implements Section 114 of the Fair and Accurate Credit Transactions (FACT) Act of 2003 and final rules implementing section 315 of the FACT Act.

Under these regulations, the University is considered a Creditor and must periodically determine whether it offers or maintains "covered accounts." Upon identifying any covered account(s), the University is required to develop and implement a written Identity Theft Prevention Program ("Program") to detect, prevent, and mitigate identity theft in connection with the opening of certain new accounts and the maintenance of certain existing accounts that is appropriate to the size and complexity of the University and the nature and scope of its activities. Changes in federal regulations may require immediate changes to this policy.

This Policy and accompanying procedures:
- define commonly used terms related to Identity Theft;
- explain federal rules intended to detect, prevent, and mitigate Identity Theft;
- help identify units that must comply with sections of the Red Flags Rule;
- assist in the creation of unit-specific procedures that will comply with the Program; and
- provide guidance for reporting a known or suspected security incident.

The University's Program must contain reasonable, written policies and procedures to:
1. Identify relevant red flags for new and existing covered accounts;
2. Detect red flags in connection with opening or managing a covered account and incorporate internal controls that reduce the risk of Identity Theft;
3. Prevent and mitigate identity theft by responding appropriately to any red flags that are detected;
4. Monitor and update the Program by performing periodic risk analysis to reflect changes in risks to the customer and the University from identity theft.

SCOPE

Managing and protecting data are responsibilities shared by all members of the University community. This policy complements existing University policies related to data security, data protection, and information disclosure.

Each University department with covered accounts that maintains, disseminates, or disposes of Personally Identifiable Information (PII) is subject to this policy. All account-holder PII is covered under this policy including, but not limited to:
a. data contained in centralized institutional systems;
b. data contained in department/unit systems;
c. systems created or operated by third-party vendors under the direction of UAH;
d. data stored or maintained in any other capacity or medium where there is a reasonably foreseeable risk of identity theft.

For further guidance regarding applicability, see page nine (9) of this document.

DEFINITIONS

Account: A continuing relationship established by a person with a financial institution or Creditor to obtain a product or service for personal, family, household or business purposes. Account includes: (i) an extension of credit, such as the purchase of property or services involving a deferred payment; and (ii) a deposit account.

Covered Account: (i) Any account the University offers or maintains primarily for personal, family or household purposes, that allows multiple payments or transactions, including one or more deferred payments; and (ii) any other account the University identifies as having a reasonably foreseeable risk to customers or the safety and soundness of the University from identity theft. Covered accounts and financial activities would include:
- Student loans (any type, including all federal student loan types, private student loans, etc.)
- Student payment plans (any payment plan where tuition/room/board/etc. is not collected in full prior to the start of the semester)
- Background checks where credit history is a component
- Reporting to credit monitoring agencies (e.g., reporting delinquent student accounts to credit bureaus)
- Declining balance debit / credit cards (if such cards are used in any capacity)
- Accounts tied to Charger Cards (declining balance accounts - flex, dining dollars, etc.)
- Loans to employees
- Payroll deductions
- Accounts in collection (any)
- Student records
- Employment records

- Patient accounts (clinics)
- Any other unit that administers financial accounts (opens new accounts, closes accounts, posts account transactions, performs billing or invoicing, maintains accounts, etc.)

Creditor: Organizations that regularly and in the course of business advance funds to or on behalf of a person, based on an obligation of the person to repay the funds (e.g. offering a plan for payment of tuition throughout the semester rather than requiring full payment at the beginning of the semester).

Identity Theft: A fraud committed or attempted using the identifying information of another person without authority.

Identity Theft Prevention Officer: Someone designated by a department with covered accounts to serve as a liaison to the Program Administrator, who is responsible for ensuring that the requirements of the Identity Theft Prevention Policy are incorporated in departmental procedures. This person also may be responsible for ensuring the implementation of other University policies that safeguard and protect data from unauthorized access, use, and disclosure.

Personal Identifying Information (PII): Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person. Below are examples of data fields that are considered PII:
- Taxpayer Identification Number (SSN, ITIN, or EIN)
- System Generated Identification Number (Campus IDs)
- Name
- Date of Birth
- Address
- Telephone Number(s)
- Personal Identification Number (PIN)
- E-mail Address
- Password
- Government Passport Number
- Government Issued Driver's License or other Identification Number
- Alien Registration Number
- Computer Internet Protocol (IP) Address
- Bank or other Financial Account Routing Code

Program Administrator (PA): The individual designated with primary oversight of the Program. The PA is responsible for Program-related training and for monitoring and reporting on the Program compliance of covered units / departments.

Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.

PROGRAM ADMINISTRATION

Oversight

The University shall designate a Program Administrator (PA) with primary responsibility for oversight of the Program. The PA shall work with units to develop, implement, and monitor the effectiveness of this Program, and to communicate Program updates to units that maintain, disseminate, or dispose of PII data.

The PA shall periodically review this policy and the Program for consistency with changes in relevant statutes and regulations, and with emergent and ongoing risks to account-holders from identity theft. In doing so, the PA will consider the University's experiences with identity theft incidents, changes in identity theft methods related to the prevention, detection and mitigation of identity theft, and changes in the University's business arrangements with other entities. After considering these factors and others as deemed necessary, the PA will be responsible for recommending policy changes to the appropriate University administrators.

Staff Training

The Rule requires training of relevant staff on an as-needed basis. The PA or designee will provide basic training on this policy and on the requirements of the Red Flags Rule. Unit supervisors are responsible for contacting the PA to schedule the staff training necessary to detect, prevent, and mitigate identity theft in their areas.

Compliance Reports

The PA shall submit an annual report to University administration on compliance with this Program. The report should include:
- the overall effectiveness of the University's Program;
- service provider arrangements and/or contracts;
- significant known incidents involving identity theft and UAH's response; and
- recommendations for material program and policy changes.

IDENTIFICATION OF RED FLAGS

To enable the identification of relevant red flags, University units should consider the business practices associated with all the types of accounts their department offers or maintains. Each unit should review current policies and procedures to address the detection of red flags for each type of covered account, focusing on authenticating identities, monitoring transactions, and verifying the validity of change of address requests.

Risk Factors

Each University unit should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
- The types of covered accounts it offers or maintains;
- The methods it provides to open its covered accounts;
- The methods it provides to access its covered accounts; and
- Its previous experiences with identity theft.

DETECTING RED FLAGS

To detect red flags, University personnel should review unit procedures associated with:

1. Alerts, Notifications, or Warnings from a Consumer Reporting Agency
Includes but is not limited to a notice of address discrepancy; an active duty alert; a fraud alert included with a consumer report; a notice of credit freeze in response to a request for a consumer report; and any activity that is inconsistent with an applicant's usual pattern of activity.

2. Suspicious Documents
Includes but is not limited to documents or identification cards that appear to be forged, altered, or inauthentic; photographs or physical descriptions that are not consistent with the person presenting the document; and information provided on the identification that is inconsistent with other information provided or readily accessible (e.g. inconsistent date of birth, SSN, address, or telephone numbers).

3. Suspicious Personal Identifying Information (PII)
Includes but is not limited to provided PII that is inconsistent when compared against internal records and external information sources; provided PII that is obviously consistent with fraudulent activity, such as an obviously fictitious address or a phone number associated with a large number of other customers; and failure to provide authenticating information beyond that which generally would be readily accessible.

4. Suspicious Covered Account Activity or Unusual Use of Account
Includes but is not limited to an account-holder's failure to make the first payment; an initial payment is made but no subsequent payments; payments stop on an otherwise consistently up-to-date account; notice is received by the University that an account has unauthorized activity; or unauthorized access to or use of PII is detected (e.g. failure to answer security questions, mail is repeatedly returned as undeliverable, or an SSN provided for an account is the same as one provided by another person for a different account).

5. Alerts from Others
Includes but is not limited to notice to the University received from an identity theft victim, law enforcement, or other individual that the University has opened or is maintaining a fraudulent account for a person engaged in identity theft (e.g. notification that an account-holder is not receiving paper account statements, even though they are being mailed and not returned).

PREVENTING AND MITIGATING IDENTITY THEFT

Units shall take steps to prevent and/or mitigate any possible concerns, protect covered account information, and monitor the activities of service providers. An employee who knows or suspects that a security incident has occurred shall immediately gather all related documentation and notify the appropriate supervisor. Supervisors receiving such notifications shall immediately notify the PA. In situations where an employee prefers to place an anonymous report in confidence, incidents may also be reported through the UAH Ethics Hotline by calling 866.362.9476 or by reporting online at gui/55675/index.html.

The PA and unit supervisors should understand that in certain situations, they should notify appropriate law enforcement, determine the extent of liability, and/or notify the account holder. The PA shall assist the units in determining the appropriate step(s) to take.

In order to further reduce the likelihood of identity theft occurring with respect to covered account PII, the unit must establish reasonable, written policies and procedures to:
- verify the person's identity at the time of issuance or reissuance of an identification card;
- verify the identification of a person who is requesting information in person or by telephone, facsimile, email, or other media;
- delay opening accounts until the person is properly identified;
- monitor covered accounts for evidence of identity theft;
- place suspect accounts on hold to prevent unauthorized access or use;
- change any passwords that permit access to covered accounts;
- provide the person with a new identification number;
- close an existing covered account until the issue is resolved;
- secure all websites containing the ability to access covered account PII;
- ensure that office computers with access to covered account PII are protected using strong passwords;
- ensure computer virus protection is up to date;
- require and retain only information that is necessary for University purposes;
- properly store and secure all covered account PII in locked cabinets that are accessible only to employees with a legitimate authorized need;
- ensure that sensitive papers are not left on employees' desks when they are away from their workstations;
- avoid using public computing devices to work with private information;
- use secure file servers to store private data; and

- ensure complete and secure destruction of paper documents, computer files, and other data storage mechanisms containing covered account PII according to University and State of Alabama retention guidelines.

For further guidance, reference the chart beginning on page ten (10) of this document.

Social Security Numbers

In all cases, special care should be taken to avoid asking for a Social Security Number unless its collection has been explicitly authorized by administration and is required for an approved University purpose.

Address Discrepancy

If any area conducting background screenings receives a "Notice of Address Discrepancy" from the Vendor, the following measures should be taken:

a. Human Resources (HR) should undertake reasonable measures to ensure that the consumer report relates to the candidate. These measures will include comparing the information in the consumer report with
   1. the online application completed by the candidate;
   2. other information known to the University about the candidate, such as existing personnel records or records of prior employment;
   3. information received from reliable third-party sources; and
   4. other information specifically requested from the candidate regarding such address discrepancy to verify the information in the consumer report.

b. HR should furnish the candidate's correct address to the reporting agency, upon reasonable confirmation of accuracy, when
   1. HR can form a reasonable belief that the consumer report relates to the candidate;
   2. the University establishes a continuing relationship with the candidate; and
   3. the University regularly and in the ordinary course of business provides such information to the vendor or consumer reporting agency.

Special Cases

A data security incident that results in unauthorized access to an account-holder's account record, or notice that an account-holder has provided information related to a covered account to someone fraudulently claiming to represent the University or

to a fraudulent website, may heighten the risk of identity theft and should be considered red flags.

Responding to Consumer Credit Report Requests

a. At the time a request for a credit report is made to the consumer reporting agency, employees should require written verification from the person that the address provided by the person is accurate;
b. In the event that notice of an address discrepancy is received, verify that the credit report pertains to the person for whom the requested report was made;
c. Report to the consumer reporting agency an address for the person that the University has reasonably confirmed is accurate.

Service Provider Arrangements/Contractual Agreements

In the event the University engages a service provider in connection with one or more covered accounts, the University, through its contract review process, shall require the service provider to have identity theft policies and procedures in place and require the service provider to report any red flags or identity theft incidents associated with University accounts/records to the University employee with primary oversight of the service provider relationship.

Non-Disclosure of Specific Practices

For the effectiveness of the Program, knowledge about specific red flag identification, detection, mitigation, and prevention practices should be limited to the PA and unit employees responsible for the implementation of this policy.

Any documents that may be reviewed or produced to develop or implement this Program that list or describe specific security practices, and the information those documents contain, are considered confidential and should not be posted online or shared with other non-involved employees or the public.

All documents reviewed or produced as a result of identity theft, or in the investigation of potential identity theft, are considered confidential.

Review

will review this policy every five (5) years or when circumstances require.

RED FLAG RULES: APPLICABILITY CHECK

Broadly speaking, the following units are affected:
- Office of Financial Aid
- Bursar's Office
- Charger Card Office
- Controller
- Accounts Payable
- Accounts Receivable
- OIT (systems and database administrators, CISO, CIO)
- All areas that accept credit card payments, including Advancement and Athletics
- Payroll
- Human Resources
- Any other unit that pulls and/or reviews credit reports for employees and/or students
- Student Health Center
- Faculty and Staff Clinic
- Parking Services
- Dining Services
- Housing and Residence Life

Does your area have "covered accounts"?
a. Do the accounts involve a continuing relationship with an account holder or allow multiple payments or transactions? Examples include federal financial aid, student loans, and certain types of tuition payment plans.
b. Does any unit in your area issue credit or stored value cards? Examples include payroll deduction information and Charger ID Cards, as they are considered debit cards in this legislation. Gift cards are not included.
c. Does your area offer or maintain any other accounts for which there is a reasonably foreseeable risk to customers or the University from identity theft?

If you answered "yes" to one or more of the above questions, your area must comply with 16 CFR Part 681.1 and 681.2 of the Red Flags Rule. For additional information and frequently asked questions, see the Federal Trade Commission's website at uide-business.

DETECTION OF RED FLAGS

The chart below pairs each red flag with the steps for detecting and responding to it (original columns: "Red Flag" and "Detecting the Red Flag").

Category: Alerts, Notifications or Warnings from a Consumer Credit Reporting Agency
If fraud is reasonably suspected, report to the PA and UAHPD.

Red flag: Notice/report of fraud or active duty alert; notice/report of a credit freeze on an applicant; or indication of activity that is inconsistent with an applicant's usual pattern or activity history (examples: a large increase in the volume of inquiries or use of credit, especially on new accounts; an unusual number of recently established credit relationships; or an account closed because of an abuse of account privileges).
Detecting the red flag: Verify the activity reported with the applicant. If verified, review the notice, freeze, or degree of inconsistency with prior history, and proceed with the evaluation of the applicant based on the consumer report received. If unable to verify, do not use this report in evaluating the applicant; no further action required.

Red flag: Notice of address or another discrepancy.
Detecting the red flag: Compare the reported address (or other information) with that provided by the applicant and, if necessary, contact the applicant to verify. If the address (or other information) has been verified, report it to the credit reporting agency. If unable to determine the relationship between the applicant and the notice, do not use the report to evaluate the applicant and notify the applicant; no further action required. Also see the FTC's Address Discrepancy Rule (16 CFR part 641.1).

Category: Suspicious Documents
If fraud is reasonably suspected, report to the PA and UAHPD.

Red flag: Identification presented looks altered, forged, or inauthentic; the person presenting identification does not look like the identification's photograph or physical description; the person presenting identification conveys information that differs from what is indicated on the identification; information on the identification does not match other information on file for the account holder (e.g., employee/student information in Banner); or a request for information, application, or another document looks like it has been altered, forged, or torn up and reassembled.
Detecting the red flag: Retain and scrutinize the identification or other document presented to ensure that it is not altered, forged, or torn up and reassembled; that the photograph and the physical description on the identification match the person presenting it; that the identification and the statements of the person presenting it are consistent; and/or that the identification presented and the other information we have on file are consistent. Notify management for assistance if necessary. Do not provide services until identity is proven.

Category: Suspicious Personal Identifying Information (PII)
If fraud is reasonably suspected, report to the PA and UAHPD.

Red flag: Identifying information is inconsistent with other external information sources. Examples: an address that does not match the address printed on a FAFSA form; a Social Security Number (SSN) that has not been issued or is listed on the Social Security Administration's Master Death File.
Detecting the red flag: Inspect the information and compare it with other external information sources. Retain the information and notify management for assistance if necessary. Do not provide services until identity is proven.

Red flag: Identifying information is inconsistent with other information provided by the account holder. Examples: inconsistent dates of birth, SSNs, or addresses on two forms received.
Detecting the red flag: Inspect the information and ask the account holder to validate which information is accurate. Retain the information and notify management for assistance if necessary. Do not provide services until correct identifying information is proven.

Red flag: Identifying information is associated with known fraudulent activity. Example: an address or phone number being used is also known to be associated with a fraudulent application.
Detecting the red flag: Inspect the information and compare it with documentation indicating fraudulent activity. Retain the information and notify management for assistance if necessary. Do not provide services until identity is proven.

Red flag: Identifying information suggests fraud or is of the type commonly associated with fraudulent activity. Examples: an address that is obviously fictitious; an address that is a mail drop or a prison; a phone number that is invalid.
Detecting the red flag: Inspect the information and determine its validity. Retain the information and notify management for assistance if necessary. Do not provide services until identity is proven.

Red flag: The SSN or driver's license number is the same as that used by several people opening accounts.
Detecting the red flag: Inspect the information and request to see the student's Social Security card or driver's license. Retain the information and notify management for assistance if necessary. Do not provide services until identity is proven. Place a hold on the original account-holder who provided the duplicate ID number if identity is proven. Direct the account-holder to the FTC Identity Theft website if necessary to learn what steps to take to recover from identity theft.

Red flag: Address or phone number is the same as that presented by an unusually large number of other account-holders.
Detecting the red flag: Request and inspect information to determine its validity. Retain the information and notify management for assistance if necessary. Do not provide services until identity is proven.

Red flag: An account-holder omits required personal identifying information on an application or other form, or does not provide it in response to notification that the application/form is incomplete.
Detecting the red flag: Do not provide services or award aid until the application/form is complete.

Red flag: Identifying information is inconsistent with internal information sources on file.
Detecting the red flag: Inspect the information and compare it with information in Banner or other official University systems of record or data files. Retain the information and notify management for assistance if necessary. Do not provide services until identity is proven.

Red flag: A person seeking access to systems or sensitive information cannot provide authenticating information beyond what would be found in a wallet or consumer credit report, or cannot answer a challenge question.
Detecting the red flag: Do not provide services, reset passwords, or otherwise provide access until identity is proven. Follow any protocols established to recover access to the system in question (e.g., by notifying the system administrator to send a password reset link to the person's email).

Category: Suspicious Account Activity
If fraud is reasonably suspected, report to the PA and UAHPD.

Red flag: Change of address request followed shortly by a request for a name change.
Detecting the red flag: Request official documentation reflecting the name change (court order, marriage certificate, etc.) and compare it with photo identification. Verify the change of address previously submitted. If the account-holder did not initiate the action(s) and identity theft of the account-holder's information is suspected, direct the account-holder to the FTC Identity Theft website to learn what steps to take to recover from identity theft.

Red flag: An account is used in a manner inconsistent with established patterns of activity on that account. For example, payments are no longer made on an otherwise consistently up-to-date account.
Detecting the red flag: Banner automatically places a financial hold on overdue accounts and restricts certain services from being provided until Student Account Services has removed the hold. Attempt to contact the account-holder via the contact information on file.

Red flag: Mail sent to an account-holder is repeatedly returned as undeliverable even though the account remains active; or the account-holder notifies UAH (via phone, email, or in person) that the account-holder is not receiving mail.
Detecting the red flag: Verify address information with the account holder and ensure listed addresses are active. If the address on file was not entered by the account-holder, notify management for assistance. If identity theft of the account-holder's information is suspected, direct the account-holder to the FTC Identity Theft website to learn what steps to take to recover from identity theft.

Red flag: Account-holder notifies UAH (via phone, email, or in person) that an account with the University has unauthorized activity.
Detecting the red flag: Verify that the notification is legitimate and involves a UA account. Notify management for assistance to investigate the activity. If the account-holder's account does have unauthorized activity and identity theft of the account-holder's information is suspected, direct the account-holder to the FTC Identity Theft website to learn what steps to take to recover from identity theft.

Red flag: Account-holder notifies UA (via phone, email, or in person) that unauthorized access to a University account that uses myUAH authentication has occurred. Example: the account-holder is automatically logged off during an online session due to multiple login attempts from an external site.
Detecting the red flag: Verify that the notification is legitimate and involves a UA account. Notify management for assistance to investigate the activity. Instruct the account-holder to reset the account password immediately. If unauthorized access did occur and identity theft of the account-holder's information is suspected, direct the account holder to the FTC Identity Theft website to learn what steps to take to recover from identity theft.

Red flag: An account-holder, an identity theft victim, or a law enforcement agent notifies UA (via phone, email, or in person) that an account has been opened or used fraudulently.
Detecting the red flag: Verify that the notification is legitimate and involves a UA account. Notify management for assistance to investigate the activity and determine if any actions are needed (e.g., inactivating direct deposit, placing a financial hold on the account). Direct the account-holder to the FTC Identity Theft website to learn what steps to take to recover from identity theft.

Red flag: We learn that unauthorized access to the account-holder's personal information took place or became likely due to data loss (e.g., loss of wal
Detecting the red flag: Verify that the notification is legitimate and involves a UA account. Notify management for assistance to investigate the activity and determine if any actions are needed (e.g., inactivating direct deposit, placing a financial hold on the account). If identity theft of the account-holder's information is suspected, direct the account holder to the FTC Identity Theft website to learn what steps to take to recover from identity theft.
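Several of the Suspicious PII rows above are checks a unit can run in bulk over its own application records before anyone is served: an SSN reused by several people opening accounts, an address or phone number shared by an unusually large number of account-holders, identifying information that disagrees between two forms from the same person, and required PII left blank. The following Python screening routine is an added illustration of those four checks and is not UAH's own tooling; the record layout, the applicant data (constructed, with obviously fake SSNs) and the threshold of three account-holders sharing one address or phone are all assumptions made for the example. Each flag code is mapped back to the response the chart prescribes for it.

```python
"""Batch red-flag screening over constructed account-application records.

Added example; not part of the UAH policy or any UAH system. Record layout,
sample data and the sharing threshold are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Application:
    app_id: str
    name: str
    ssn: str
    dob: str          # YYYY-MM-DD
    address: str
    phone: str
    # Fields from a second form already on file for the same person
    # (standing in for e.g. a FAFSA), keyed by the same field names.
    second_form: dict = field(default_factory=dict)


REQUIRED_FIELDS = ("name", "ssn", "dob", "address", "phone")
# Assumption: three or more account-holders on one address or phone number
# counts as "an unusually large number" for this illustration.
SHARED_CONTACT_THRESHOLD = 3

# Prescribed response per flag code, paraphrased from the detection chart.
RESPONSE = {
    "incomplete": "Do not provide services or award aid until the form is complete.",
    "duplicate_ssn": "Request the Social Security card or driver's license; "
                     "do not provide services until identity is proven.",
    "shared_address": "Request and inspect information to determine its validity; "
                      "do not provide services until identity is proven.",
    "shared_phone": "Request and inspect information to determine its validity; "
                    "do not provide services until identity is proven.",
    "inconsistent_forms": "Ask the account-holder to validate which information is "
                          "accurate; do not provide services until it is proven.",
}


def _digits(s):
    """Keep only digits so '000-00-0002' and '000 00 0002' compare equal."""
    return "".join(ch for ch in s if ch.isdigit())


def _norm(s):
    """Case- and whitespace-insensitive comparison key for free text."""
    return " ".join(s.lower().split())


def screen(applications):
    """Return {app_id: sorted list of flag codes} for every flagged application."""
    flags = defaultdict(set)
    ssn_owners = defaultdict(list)
    address_owners = defaultdict(list)
    phone_owners = defaultdict(list)

    for a in applications:
        # Required PII omitted -> hold services until the form is complete.
        if any(not getattr(a, f).strip() for f in REQUIRED_FIELDS):
            flags[a.app_id].add("incomplete")
        # Index identifiers so cross-applicant reuse can be found in one pass.
        if a.ssn.strip():
            ssn_owners[_digits(a.ssn)].append(a.app_id)
        if a.address.strip():
            address_owners[_norm(a.address)].append(a.app_id)
        if a.phone.strip():
            phone_owners[_digits(a.phone)].append(a.app_id)
        # Same person, two forms, different values -> inconsistent PII.
        for fld, other in a.second_form.items():
            mine = getattr(a, fld, "")
            if mine.strip() and _norm(mine) != _norm(other):
                flags[a.app_id].add("inconsistent_forms")

    for ids in ssn_owners.values():
        if len(ids) > 1:                      # one SSN, several applicants
            for i in ids:
                flags[i].add("duplicate_ssn")
    for owners, code in ((address_owners, "shared_address"),
                         (phone_owners, "shared_phone")):
        for ids in owners.values():
            if len(ids) >= SHARED_CONTACT_THRESHOLD:
                for i in ids:
                    flags[i].add(code)
    return {k: sorted(v) for k, v in flags.items()}


def actions_for(app_id, flagged):
    """Prescribed responses for one application, in flag-code order."""
    return [RESPONSE[code] for code in flagged.get(app_id, [])]


# Constructed sample batch (fake SSNs and addresses).
SAMPLE = [
    Application("A1", "Pat Example", "000-00-0001", "2001-02-03", "100 Campus Dr", "256-555-0101"),
    Application("A2", "Lee Sample", "000-00-0002", "2000-05-06", "1 Elm St", "256-555-0102"),
    Application("A3", "Kim Test", "000-00-0002", "1999-07-08", "1 elm st", "256-555-0103"),
    Application("A4", "Sam Demo", "000-00-0004", "2002-09-10", "1 ELM ST", "256-555-0104"),
    Application("A5", "Ash Placeholder", "000-00-0005", "2000-01-01", "", "",
                second_form={"dob": "1999-12-31"}),
]

if __name__ == "__main__":
    result = screen(SAMPLE)
    for app_id, codes in sorted(result.items()):
        print(app_id, codes)
        for action in actions_for(app_id, result):
            print("   ->", action)
```

Running the block prints A2 and A3 with `duplicate_ssn` and `shared_address`, A4 with `shared_address` only, and A5 with `incomplete` and `inconsistent_forms`; A1 is not flagged. The screen only raises flags and names the chart's response; as the policy requires, a human in the unit still verifies the person and management is notified before any service is provided.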
