Red Flag Rules - Accounts Receivable

Red Flag Rules
WELCOME
Iowa State University
Identity Theft Prevention Program
The Reason Behind the Red Flag Rules
• More than 10 million Americans are victims of
identity theft each year.
• The total financial losses due to identity theft are
estimated to be about $50 billion every year.
Risks to Iowa State University
• Lost productivity
• Reputation
• Fines
• Notification expenses
• Loss of ability to accept payment cards for
services rendered (i.e. credit/debit cards, etc.)
Examples of Impacted Departments
• Accounts Receivable
• ID Card Office
• Treasurer’s Office
• Student Financial Aid
• Student Counseling Services
• Office of Admissions
• University Extension
• Department of Residence
• Information Technology Services
• Thielen Student Health Center
• Payroll
• Human Resources
How Information is Obtained
• By stealing purses and wallets
• By stealing checks or credit card information out of the mail
• By completing a “change of address form” to divert mail to another
location.
• By abusing their employer’s authorized access to customer or
employee information
• By obtaining credit reports through abuse of their employer’s
authorized access to them
• By dumpster diving
• By computer hacking
Iowa State University Identity Theft Prevention Program
• A Red Flag is a pattern, practice or specific activity that
indicates the possible existence of identity theft or fraud
• The Red Flag Rules, issued by the Federal Trade Commission (FTC)
under the Fair and Accurate Credit Transactions Act of 2003 (FACTA),
require creditors to develop and implement written identity theft
prevention programs
• Programs must be in place by January 1, 2011 to provide for the
identification, detection, and response to patterns, practices, or
specific activities – known as “red flags” – that could indicate
identity theft
The FTC regulations, known as the Red Flag Rules, are organized into
three parts:
1. Duties of users of consumer reports regarding address discrepancies.
2. Duties of creditors regarding the detection, prevention and mitigation of
identity theft.
3. Duties of card issuers regarding changes of address. (Not applicable to ISU)
Users of consumer reports must develop reasonable policies and procedures
• to verify the identity of consumers and
• to confirm their addresses, when necessary
• This applies to any areas of ISU that utilize consumer reporting
agencies (Equifax, Experian, TransUnion) for any reason, i.e.
credit or background checks for loans or collection purposes, or
for new hire applicants
It has been determined by university legal counsel that Iowa State
University is a “creditor” as defined by the Red Flag Rules for the
following reason: ISU regularly extends, renews, or continues credit
for student and employee accounts involving student loans, institutional
loans and payment for services received over time.
Identity Theft Prevention Program
1. Identify relevant red flags for covered accounts ISU
offers or maintains and incorporate those red flags into
the program
2. Detect red flags that have been incorporated into the
program
3. Respond appropriately to any red flags that are detected
to prevent and mitigate identity theft
4. Assure the program is updated periodically to reflect
changes and risks involving possible identity theft and
fraud
Definitions:
Covered Accounts
A covered account is a consumer account used by customers of ISU
primarily for personal, family, or household purposes that is designed to
permit multiple payments or transactions. These are accounts where
payments are deferred and made by the customer (borrower) periodically
over time. At ISU, a covered account includes the following:
1. Participation in the following Federal student loan programs: Perkins Loan,
Health Profession Student Loan and Loans for Disadvantaged Students;
2. Participation in institutional loans to students, faculty or staff
3. Participation in a plan for payment of tuition or fees throughout the
semester, rather than requiring full payment at the beginning of the
semester
4. Participation in a plan for payment for services received over time rather
than requiring full payment upon receipt of services
5. Participation in other services provided by third party service providers that
satisfy the definition of a covered account
Definitions:
Creditor
A creditor is a person or entity that regularly extends, renews, or
continues credit and any person or entity that regularly arranges for
the extension, renewal, or continuation of credit.
Customer
A customer is a person or entity that has a covered account with
ISU. Customer includes students, faculty, staff and persons or
entities doing business with ISU.
Service Provider
A service provider is a third party that is contracted to provide
outsourced operations directly to ISU customers that are related to a
covered account.
Identity Theft
Identity theft is a fraud committed or attempted using the identifying
personal information of another person.
Definitions:
Personal Information
Specific items of personal information identified in Iowa Code
Section 715C.1(11). This information includes an individual’s name
in combination with any one or more of the following data elements:
• Social Security number,
• Driver’s license number,
• Health insurance information,
• Medical information, or
• Financial account number (such as a credit card number, debit card
number or bank account number) or an ISU issued university
identification number (UID) when the numbers are in combination
with any required security code, access code, or password that
would permit access to an individual’s financial account or the ISU
AccessPlus account for an individual.
Can you Detect the Identity Thieves?
DETER
In order to identify relevant Red Flags within its covered accounts,
ISU considers the types of accounts that it offers and maintains,
methods it provides to open its accounts, methods it provides to
access its accounts, and its previous experiences with identity theft.
Any time a Red Flag, or a situation closely resembling a Red Flag, is
detected, it should be evaluated by ISU personnel for verification of
the person or entity involved and implementation of an appropriate
response pursuant to Section 5 of the Identity Theft Prevention
Program.
A. Alerts received by ISU from a Credit Reporting Agency
B. Suspicious Documents
C. Suspicious Personal Identifying Information
D. Unusual Use or Suspicious Account Activity
E. Notice from Others Indicating Possible Identity Theft
DETECT
In order to detect any of the Red Flags identified in Section 3 of the Identity
Theft Prevention Program that are associated with the opening of a covered
account for a customer or for monitoring transactions on an existing covered
account, ISU personnel will take one or more of the following steps to obtain
and verify the identity of the person opening a covered account or using an
existing covered account in accordance with the written operational policies
of the unit that manages the covered account:
A. Require certain identifying information such as name; date of birth; residential,
business or in-session university address; or other identification in conjunction
with a signature and/or other communication with the person or entity whose
covered account is involved;
B. Require presentation of an ISU Card or government-issued photo identification
document and determine that the image matches the appearance of the customer
and that the document has not been altered, forged, or destroyed and reassembled;
C. Verify any changes made electronically to financial information contained in a
covered account by e-mailing customers to alert them to changes made to their
account.
DEFEND
In the event ISU personnel detect any identified Red Flags, such
personnel shall respond depending on the degree of risk posed by
the Red Flag. The appropriate responses to the relevant Red Flags
can include any one or more of the following:
A. Deny access to the covered account until other information is available to
eliminate the Red Flag;
B. Contact the customer to advise that a fraud has been attempted on their
covered account;
C. Change any passwords, security codes or other security devices that permit
access to a covered account;
D. Notify law enforcement; or
E. Determine that no response is warranted under the particular
circumstances.
Responsibility for Compliance
• Under the university's Identity Theft Prevention Program, ISU
employees have a responsibility to obtain and verify the
identity of persons opening or using covered accounts.
• ISU employees are expected to notify the program
administrator (i.e., the director of Accounts Receivable) if they
become aware of an incident of identity theft or of failure to
comply with the program.
• At least annually or as otherwise requested by the program
administrator, ISU staff responsible for development,
implementation, and administration of the program shall report
to the program administrator on compliance with this program.
Program Administration
A. Oversight by an Identity Theft Prevention Committee
− Oversight lies with the Vice President for Business and Finance
− The Program Administrator shall be the Director of the Accounts
Receivable Office, with the following duties:
− Training of ISU staff on the program, reviewing related reports,
determining steps for detecting and defending against identity theft, and
considering periodic updates to the program
B. Staff Training and Reports
C. Identity Theft Prevention Program Updates
Service Providers
A. ISU remains responsible for compliance with the Red Flag Rules
even if it outsources operations regarding covered accounts to a
third party service provider. In the event ISU engages a service
provider to perform an activity in connection with one or more
covered accounts, ISU will take the following steps to ensure the
service provider performs its activity in accordance with reasonable
policies and procedures designed to detect, prevent and mitigate
the risk of identity theft.
B. A service provider that maintains its own Identity Theft Prevention
Program, consistent with the guidance of the Red Flag Rules and
validated by appropriate due diligence, may be considered to be
meeting these requirements.
Test Your Red Flag Rules Knowledge…
1. The Red Flag Rules apply to anyone who deals
with financing and credit, including car
dealerships, banks, physicians' offices, retail
merchants, mortgage companies, and cell
phone carriers.
o a. True
o b. False
The Red Flag Rules apply to any person or entity
which maintains covered accounts, no matter what
business they are in.
Test Your Red Flag Rules Knowledge…
2. Under the Red Flag Rules, all "covered
accounts" must be marked with a small red flag
symbol.
o a. True
o b. False
Test Your Red Flag Rules Knowledge…
3. Personal Identification Information (PII)
includes:
o a. Any name or number
o b. Any name or number, used alone or in conjunction
with any other information
o c. Any name or number that may be used, alone or
in conjunction with any other information, to
identify a specific individual
o d. None of the above
Test Your Red Flag Rules Knowledge…
4. "Suspicious" refers to which of the following:
o a. Inconsistent signatures on file
o b. Driver’s license photo doesn’t match person
o c. Inability to recall mother’s maiden name
o d. Phone number given is answered by prison
switchboard
o e. Any and all of the above
Test Your Red Flag Rules Knowledge…
5. Which of the following is NOT a required part of
an Identity Theft Prevention Program?
o a. Reasonable policies and procedures to identify
potential "red flags"
o b. Dedicated phone line for customers to call in identity
theft reports
o c. Specific procedures to detect the "red flags"
identified as potential threats
o d. Appropriate actions to take when "red flags" are
detected
o e. A plan for regularly re-evaluating the program
Test Your Red Flag Rules Knowledge…
6. Red Flag procedures must be "fully
implemented" by December 31, 2010. That
means:
o a. ...the procedures just have to be written and
accessible to everyone
o b. ...the procedures have to be written and everyone
needs to be trained to use them
Test Your Red Flag Rules Knowledge…
7. After you have identified the red flags of ID Theft
that you’re likely to come across in your
business, what do you do next?
o a. Set up procedures to detect those red flags in your
day-to-day operations
o b. Train all employees who will use the procedures.
o c. Decide what actions to take when a red flag is
detected
o d. Periodically review your list of red flags to be sure they
are still relevant
o e. All of the above
Test Your Red Flag Rules Knowledge…
8. Because the federal Red Flag Rules are so
comprehensive, Iowa's state laws concerning
identity theft prevention no longer apply.
o a. True
o b. False
There is no pre-emption clause included in the Red Flag
Rules, so both sets of laws must be considered.
Test Your Red Flag Rules Knowledge…
9. The one thing you will NOT do when you finish
this test is:
o a. Identify which of your accounts are "covered" and
develop some policies and procedures for how to
identify red flags associated with those accounts
o b. Plan training for your employees who will need to be
able to detect red flags
o c. Ignore this training and go on with your work because
it's the way things have always been done
o d. Report any known or suspected red flags immediately
Test Your Red Flag Rules Knowledge…
10. The purpose of the Red Flag Rules is:
o a. To detect the warning signs – or “red flags” – of
identity theft in day-to-day operations, take steps to
prevent the crime, and mitigate the damage it inflicts
o b. To add one more item of busy-work to already over
loaded staff, since there's no way to really prevent
Identity Theft
QUESTIONS?
Contact:
− Director of Accounts Receivable
− Duane Reeves
515-294-7388
WEBSITES
Federal Trade Commission – Fair Credit Reporting – Major Links - you can find
the How-To Guide for Red Flag Rules on this website
http://www.ftc.gov/os/statutes/fcrajump.shtm
PCI Security Standards Council website
https://www.pcisecuritystandards.org/
PCI Security Standards Council Quick Reference Guide
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
Treasury Institute for Higher Education
http://www.treasuryinstitute.org/
Listing of breaches for 2009
http://www.identitytheft.info/breaches09.aspx