The Red Flag Rule. Detecting, Preventing, and Mitigating Identity Theft. The Goals of This Training. To define commonly used terms related to Identity Theft. To explain the federal rules intended to prevent Identity Theft.
The Red Flag Rule: Detecting, Preventing, and Mitigating Identity Theft

The Goals of This Training
• To define commonly used terms related to Identity Theft.
• To explain the federal rules intended to prevent Identity Theft.
• To assist you in developing unit-specific procedures that will comply with the Identity Theft Prevention Program approved by the Board of Trustees.

Frequency of Training
This Red Flag Rule training module is recommended for completion prior to the December 31, 2010 mandatory implementation deadline.

Flag
• Noun: A piece of cloth, usually rectangular, of distinctive color and design, used as a symbol, standard, signal, or emblem.
• Verb: To communicate by means of such devices as lights or signs.

Red Flag
A warning signal. Something that demands attention or provokes an irritated reaction.

Identity Theft – Red Flag
A pattern, practice, or specific activity that indicates the possible existence of identity theft.

The Red Flag Rules
• In November 2007, final rules were issued to implement the Identity Theft Red Flags Rule.
• The Rule applies to financial institutions and creditors that offer or maintain Accounts.
• The Rule requires the implementation of a written Identity Theft Prevention Program.

Yes, schools are really a Creditor…
Minnesota State Colleges & Universities fall within the scope of the Red Flag Rules because we act as a “creditor” by:
• Regularly extending, renewing, or continuing credit;
• Regularly arranging for such credit;
• Acting as an assignee of an original creditor.

Simply accepting credit cards as a form of payment does not make you a “creditor” under the Red Flags Rule. But if you offer a debit or credit card, arrange credit for your customers, or extend credit by selling customers goods or services now and billing them later, you are a “creditor” under the law.

Covered Accounts
• The Rule’s goal is to detect, prevent, and mitigate identity theft in certain ‘covered accounts.’
• A ‘covered account’ is any account that a College or University offers or maintains:
  • Primarily for personal, family, or household purposes, or
  • That permits multiple payments or transactions, or
  • For which there is a reasonably foreseeable risk of identity theft.

The Rule…
• … is actually three different but related rules; all will definitely apply to the following areas at your school:
  • (681.1) Users of Consumer Reports
  • (681.2) Creditors holding ‘Covered Accounts’
  • (681.3) Issuers of Debit and Credit Cards

Users of Consumer Reports
• (681.1) Users of consumer reports must develop reasonable policies and procedures:
  • To verify the identity of consumers, and
  • To confirm their addresses, when necessary.
• Applies to any areas of the college or university that utilize consumer reporting agencies (Equifax, Experian, TransUnion) for any reason, e.g. credit or background checks for loans or collection purposes, or for new hire applicants.

Creditors
• (681.2) “…creditors holding ‘covered accounts’ must develop and implement written procedures for both new and existing accounts.”
• This provision applies to any areas of colleges and universities that issue any type of credit. For example:
  • Perkins Loans
  • Housing or Transportation Payment Plans
  • Student Deferred Payment Plans
  • Faculty Group Practices

Debit and Credit Card Issuers
• (681.3) Debit and credit card issuers must develop reasonable policies and procedures to assess the validity of a request for change of address followed closely by a request for an additional or replacement card.

Identifying Red Flags
• A Red Flag, or any situation closely resembling one, should be investigated for verification.
• The following are potential indicators of fraud:
  • Alerts, notifications, or other warnings from credit agencies
  • Suspicious documents or personal identifying information
  • Unusual or suspicious account activities
  • Notices from customers, victims of identity theft, law enforcement authorities, or others

Alerts, Notifications, and Warnings
• Watch for these notices from consumer reporting agencies, service providers, or fraud detection services:
  • An active duty alert or a fraud alert included with a consumer report;
  • A notice of credit freeze in response to a request for a consumer report; or
  • A notice of address discrepancy.

You’ll need to add a procedure for appropriate responses to notices.

Suspicious Documents
• Identification documents that appear to have been altered or forged.
• The photograph or physical description on an ID that doesn’t match the customer presenting it.
• Information on the identification that is inconsistent with other information provided or readily accessible, such as a signature card or a recent check.
• An application or document that appears to have been destroyed and reassembled.

Suspicious Personal Information
• Personal Identifying Information (PII) provided is inconsistent with PII that is on file, or when compared to external sources. For example:
  • The address does not match any address in the consumer report;
  • The SSN has not been issued or is listed on the Social Security Administration’s Death Master File;
  • There is a lack of correlation between the SSN range and date of birth.

Fraudulent Personal Information
• PII provided is associated with known fraudulent activity, or is of a type commonly associated with fraudulent activity. For example:
  • The address on a document is the same as the address provided on a known fraudulent document;
  • The address on a document is fictitious, a mail drop, or a prison;
  • The phone number is invalid or is associated with a pager or answering service.

Just how suspicious…?
• …a SSN provided for an account is the same as one provided by another person for a different account?
  • How would you know?
• …the person opening a Covered Account fails to provide all the required personal identifying information on an application and then doesn’t respond to notices that the application is incomplete?
  • What do you do next?
• …a person requesting access to a Covered Account cannot answer the security questions (mother’s maiden name, pet’s name, etc.)?
  • How do you handle this?

Looking Below the Surface
• Sometimes fraudulent activity is not that obvious.
• Do you know what to do if…
  • mail sent to the account-holder is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the Covered Account?
  • the institution is notified that a customer is not receiving paper account statements, even though they are being mailed and not returned?

On the Other Hand…
• Sometimes the problem is obvious, but do you know the procedure when…
  • The institution receives a notice regarding possible identity theft in connection with Covered Accounts held by your unit?
  • The institution is notified that your department has opened a fraudulent account for a person engaged in identity theft?

Remember, all procedures must be fully implemented by December 2010!

Responding to Red Flags
Report known and suspected fraudulent activity immediately, to protect both customers and the school from damages and loss:
• Gather all related documentation.
• Complete an incident report.
• Provide a complete description of the situation.
• Send the report to your supervisor.

Taking Action
• If a transaction is or appears to be fraudulent, take appropriate action:
  • Cancel the transaction.
  • Notify supervisor.
• Additional cooperation and assistance may be required with:
  • Notification and cooperation with appropriate law enforcement.
  • Determining the extent of liability of the school.
  • Notifying the customer that fraud has been attempted.

Moving Beyond the Mandate
• The Red Flag Rules address external threats, but what about internal threats?
• All personnel working with data should understand the following:
  • Is your area “data-rich”?
  • Do you know where all your data is?
  • Is access to the data strictly controlled?
  • Do you have both orientation and termination procedures related to data?

Be Aware: Identity Theft is the #1 “white collar” crime in the US!

It’s all about security
• Here’s how to avoid becoming an ID Theft statistic:
  • Store restricted information on secure servers, not on your workstation.
  • Password protect your computer and set your screensaver to come on automatically.
  • Do not provide restricted data over the telephone or by email.
  • Place all restricted data documents in secure bins for shredding.
  • Review Board Policy 5.22 Acceptable Use of Computers and Information Technology Resources.

RESOURCES
• Red Flags Website
  • The Federal Trade Commission’s information page: http://www.ftc.gov/redflagsrule
• Links to SSN Death Indexes
  • Resources, some of which are free and some fee-based: http://www.deathindexes.com/ssdi.html

Identity Theft Prevention Program
The Minnesota State Colleges and Universities Board of Trustees approved the initial program on March 18, 2009. This document may be viewed at: http://www.finance.mnscu.edu/accounting/campus tools/index.htmlx

Thank you for reading the presentation. The next step will be to take a short quiz. Once you have completed the quiz, print out the last page and present it to the Red Flag Coordinator at your campus. You may find the quiz at: http://surveys.mnscu.edu/index.php?sid=99978&lang=en

This presentation was developed with the permission of the University of Florida. URL: http://privacy.health.ufl.edu/RedFlag/