Red Flags Rule Identity Theft

Identity Theft
• Nine million (9,000,000) Americans have their identities stolen each year.
• Thieves drain their accounts, damage their credit and even endanger their medical treatment.
Red Flags Rule
• Enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration.
• Requires organizations to implement a written Identity Theft Prevention Program
• Designed to detect warning signs – or “red flags” – of identity theft in their day-to-day operations
• Take steps to prevent the crime, and mitigate the damage it inflicts
• Be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into identity theft.
Who Must Comply with the Red Flags Rule
STC Must Comply – Covered Accounts
• Student Installment Accounts
• Student Emergency Loans
• Student JagCard
All functions connected to our students are subject to the Red Flags Rule –
• Registration
• Employment
• Payments
• Financial Aid
• Scholarships and Awards
• Etc.
Red Flags Rule
Overview
1. Identify relevant red flags.
2. Detect red flags.
3. Prevent and mitigate identity theft and respond accordingly.
4. Update the program.
Program Sections
• Section 1: Program Background and Purpose
• Section 2: Definitions
• Section 3: Scope
• Section 4: Guidelines
• Section 5: Identify Relevant Red Flags
• Section 6: Detect Red Flags
• Section 7: Prevent, Mitigate and Appropriately Respond to Identity Theft
• Section 8: Periodic Updates to Plan
• Section 9: Program Administration
Section 1
Program Background and Purpose
1. October 13, 2008 - Board of Trustees approved Board Policy # 5470, Identity Theft Policy, and approved the initial guidelines.
Section 1
Program Background and Purpose
1. The initial guidelines have since been updated to ensure they are closely aligned to the FTC’s requirements and the College’s operations.
2. Each department is responsible for developing procedures within its operation and ensuring their implementation and compliance.
3. These guidelines include some best practices to follow.
Section 1
Program Background and Purpose
• Guidelines:
  • Define sensitive information
  • Describe security measures
  • In compliance with laws
• Risk to:
  • Employees
  • Students
  • Contractors/Vendors
Section 2
Definitions
• Identity Theft: Fraud committed or attempted using the identifying information of another person without authority.
• Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.
• Identifying Information: Any name or number that may be used, alone or in conjunction with other information, to identify a specific person.
Section 2
Identifying Information
• Name
• Address
• Telephone number
• Computer’s internet address
• Routing code
• Social Security Number
• Government Passport number
• Employer or Taxpayer Identification Number
Section 3
Scope
Guidelines and Protection Program applies to:
• Students
• Employees
• Contractors
• Consultants
• Temporary workers
• Other workers at the college, including all personnel affiliated with third parties.
Section 4
Guidelines
Sensitive information should be secured whether stored in electronic or printed format:
1. Faxed information
2. Hardcopy documents
3. Files
4. Desk drawers
5. Desks/workstations
6. Un-discarded documents
7. Computer documents
8. Whiteboard information
9. Dry-erase boards
10. Writing tables information
11. Emails
12. USB (Flash) drives
Section 5
Identify Relevant Red Flags
• Risk factors
• Sources of red flags
• Categories of red flags
Section 5
Identify Relevant Red Flags
1) Alerts, notifications or other warnings received from customer reporting agencies
• Address discrepancy
• Usual pattern of activity
• Number of recently established credit relationships
• Material change in use of credit
• Accounts closed for cause or abuse of account privileges
Section 5
Identify Relevant Red Flags
2) Suspicious documents
• Altered or forged
• Photograph or physical description on ID is not consistent with appearance of individual
• Other information is not consistent
Section 5
Identify Relevant Red Flags
3) Suspicious personal identifying information
• Information not consistent with external gathered information
• SSN listed on the SS Administration Death Master File
• Lack of correlation between SSN range and date of birth
• Information provided already on fraudulent application previously submitted
• Address is fictitious (a prison)
• Phone number is invalid
• SSN, address, phone number provided is the same as that previously submitted by someone else
• Information is not consistent with that on file with the College
• Unable to answer security questions (beyond what is found in a person’s wallet)
Section 6
Detect Red Flags
• Each organizational unit will develop and implement specific methods and protocols to meet the requirement of this Program.
• Require current government-issued ID cards, such as driver’s license or passport
• Compare data
• Ask challenge questions (don’t use information available in wallet)
• Authenticate students
• Monitor transactions
• Verifying the validity of change of address requests
• Use passwords
• Use PIN numbers
• Encrypted data
Section 7
Prevent, Mitigate and Appropriately Respond to Identity Theft
• Contact the student
• Monitor an account for evidence
• Change passwords
• Not opening a new account until further information is received
• Notifying law enforcement
• Write a description of the fraudulent activity and report it
• Cancel the transaction if fraudulent
• Determine the extent of liability
• Notify the actual customer that the fraud has been attempted
Section 8
Periodic Updates to Plan
• Re-evaluate program at periodic intervals
• Assessment of accounts covered in the program
• Revise red flags for updates, deletions, replacements
• Revise actions to be taken in the event that fraudulent activity is discovered
Section 9
Program Administration
• Involvement of management
• Warrants the highest level of attention
• Written program and operation are responsibility of President or designee
• President or designee must approve material changes
• Staff is responsible for implementation and is responsible for at least annually reporting on compliance by the College with the Program
Section 9
Program Administration
• Staff training
• Service providers
• Also responsible for maintaining an identity theft prevention program
Questions?
Sources: Federal Trade Commission – Protecting America’s Consumers
Fighting Fraud with the Red Flags Rule – A How-To Guide for Businesses