Red Flag Rules
Identity Theft Prevention Program
Program Adoption and Board Approval
LIM College developed this Identity Theft Prevention Program (“Program”) in accordance with the Federal Trade Commission’s (“FTC”) Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. This Program was developed with oversight of the College’s Senior Administrators and approval of the LIM College Board of Directors in August 2010.
In 2003, the U.S. Congress passed the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”), which amended the Fair Credit Reporting Act (“FCRA”) by requiring the
FTC and several other federal agencies to issue regulations requiring financial institutions and other “creditors” to adopt policies and procedures to prevent identity theft. In 2007, the FTC, in conjunction with several other federal agencies issued the regulations required under FACT Act, known as the Red Flags Rule. The Red Flags Rule became effective November 1, 2008, however, the FTC has deferred its enforcement of the rule, most recently through December 31, 2010 in order to permit institutions additional time in which to develop and implement the written identity theft prevention program required by the Red Flags Rule regulations.
Colleges and universities are likely subject to administrative enforcement by the FTC if they regularly extend, renew, or continue credit, or regularly arrange for such extensions, renewals, or continuances of credit. The obligation to develop and implement an Identity Theft Prevention Program applies only if the college or university maintains one or more “covered accounts.” A “covered account” maintained by a college or university is essentially a consumer credit account under which multiple payments are made, such as where payments are deferred and made by a borrower periodically over time.
Purpose and Scope
The purpose of this Program is to ensure that LIM College complies with the Red Flags Rule regulations. The Program was designed with the goal of identifying, detecting, preventing and mitigating identity theft upon the College, its faculty, staff, students, constituents and third party service providers with whom the College contracts to perform certain functions on its behalf. As such, this report outlines the required Red Flags Rule Program of LIM College, but it is also a comprehensive document which includes not just financial or credit accounts, but any LIM College account or database for which the College believes there is a reasonably foreseeable risk to the College, its students, faculty, staff, or constituents from identity theft. Any time an employee suspects a fraud involving personal information about an individual or individuals, the employee should assume that this Identity Theft Program applies and follow protocols established by his/her office for investigating, reporting and mitigating identity theft. The College on a broader scale is taking a close look at all databases and software used and developing a plan to be sure all systems are accounted for, protected from security breach and identity theft.
Covered account is an account that a financial institution or creditor maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions. For the purposes of LIM College’s Identity Theft Program, the term covered account is extended to include any College account or database (financial and non-financial based) for which the College believes there is a reasonably foreseeable risk to the College, its students, faculty, staff, constituents or customers from identity theft.
Identity theft means that a fraud was attempted or committed using the identifying information of
another person without his/her authority.
Red Flag is a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
Identification and Detection of Red Flags
The following Red Flags are potential indicators or warning signs of potential or actual identity theft or similar fraud. Any time a Red Flag, or a situation resembling a Red Flag, is apparent, it must be investigated for verification. As an appendix to the Red Flags Rule, the FTC has identified twenty-six Red Flags that the College may consider incorporating into its identity theft program. These Red Flags are subdivided into five sections below:
Alerts, Notifications or Warnings from a Consumer Reporting Agency
- A fraud or active duty alert is included with a consumer report.
- A notice of credit freeze on a consumer report.
- A consumer reporting agency provides a notice of address discrepancy.
- A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of customer.
- Documents provided for identification appear to have been altered or forged.
- The photograph or physical description on the identification is not consistent with the appearance of the customer presenting the identification.
- Other information on the identification is not consistent with information provided by the person opening an account or presenting the identification.
- Other information on the identification is not consistent with readily accessible information that is on file with the College.
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
- Personal identifying information provided is inconsistent when compared against external information sources used by the College.
- Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer.
- Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the College.
- Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the College.
- The social security number provided is the same as that submitted by other persons opening an account or other customers.
- The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
- The person opening the covered account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
- Personal identifying information provided is not consistent with personal identifying information that is on file with the College.
- If the College uses a challenge question, the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Suspicious Account Activity or Unusual Use of Account
- Shortly following the notice of a change of address for a covered account, the College receives a request for a new, additional, or replacement card, or for the addition of authorized users on the account.
- A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns.
- A covered account is used in a manner that is not consistent with established patterns of activity on the account.
- An account that has been inactive for a reasonably lengthy period of time is used.
- Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the account.
- The College is notified that the customer is not receiving paper account statements.
- The College is notified of unauthorized charges or transactions in connection with a customer’s account.
Alerts from Others
- Notice to the College by a student/customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
College-Wide Response to Detected Red Flags
Once potentially fraudulent activity is detected, an employee must act quickly as a quick appropriate response can protect customers and the College from the effects of identity theft.
The employee must inform his/her Department Head as soon as possible that he/she has detected an actual or potential Red Flag, or had identified a similar area of concern of identity theft. The Department Head will conduct any necessary inquiries to determine the validity of the Red Flag. If it is determined that a situation of identity theft has occurred, the Department Head will ensure that appropriate actions are taken to immediately mitigate the harm done and in doing so, he/she will inform the Senior Administration of the College and the College Attorney for further recommendation on the handling of the matter so it is properly documented as part of the monitoring portion of the College’s Program. Appropriate actions will be dependent on the type of Red Flag identified, type of transaction, relationship with the victim of the fraud, availability of contact information for the victim of the fraud, and numerous other factors.
Examples of appropriate actions may include, but are not limited to:
- Canceling the transaction;
- Notifying and cooperating with appropriate law enforcement;
- Notifying the College Attorney, and Senior Administration of the College; and/or
- Notifying the actual student/customer that fraud has been attempted or that it has occurred;
- Changing any passwords or other security devices that permit access to relevant accounts and/or databases; and/or
- Continuing to monitor the account or database for evidence of identity theft;
- Alternatively, it may be determined that no response is warranted after appropriate evaluation and consideration of the particular circumstances.
In all situations where it is determined that a Red Flag has been positively identified, the Department(s) responsible for the account will document what occurred, describe the matter and any specific actions taken to mitigate the impact of the effects of the actual or potential identity theft discovered. The documentation will also include a description of any additional actions the department believes are systemically necessary (such as updating policies and procedures) in response to identified Red Flag to handle or prevent similar situations in the future.
Consumer "Credit" Report Requests and Verification
In order to detect any of the Red Flags identified above for an employment or volunteer position for which a credit or background report is necessary, LIM College will take the following steps to assist in identifying address discrepancies:
- Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency;
- In the event that notice of an address discrepancy is received, verify that the credit report pertains to the applicant for whom the request was made and repost to the consumer reporting agency an address for the applicant that the College has reasonably confirmed is accurate.
- Review its own records (e.g., job applications, change of address notification forms, other customer account records) to verify the address of the applicant;
- Verify the address through third-party sources with whom the College is currently contracted.
Staff training is required for all employees for whom it is reasonably foreseeable that they may come into contact with accounts or personally identifiable information that may constitute a risk to the College and/or its customers. The Department Head of each office in this Program is responsible for ensuring that appropriate identity theft training and a copy of the Program is provided to all employees and others as appropriate at least annually. The Identity Theft training for all staff members will help them identify Red Flags, and provide guidance on what to do in the event he/she detects a Red Flag or have similar concerns regarding an actual or potential fraud involving personal information.
Third Party Service Providers Agreements
When the College engages a third-party service provider to perform an activity in connection with one or more covered accounts, the College will take the following steps to ensure the service provider performs all activities in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risks of identity theft.
LIM College must require the service provider to do the following:
- Require, by contract, that the service provider(s) have such policies and procedures in place; and
- Require, by contract, that the service provider is aware of and review the College’s Identity Theft Program, and report any Red Flags it identifies as soon as possible to the Senior Administrators of the College or the College employee with primary oversight of the service provider relationship.
Responsibility for the implementation of the Identity Theft Program ultimately rest on each department at LIM College, the employees of each department that maintains accounts or databases covered by this Program, and the College community as a whole. As permitted by the Red Flags Rule regulations, responsibility for overseeing the administration of the Program has been delegated to the Senior Vice President Finance and Operations/Treasurer with annual compliance monitoring responsibility to be performed by the College’s Accounting Manager. The Accounting Manager will ensure that each department is following the identity theft program documented by LIM College.
The College’s Identity Theft Program will be periodically reviewed and updated to reflect changes in risks to students and employees and the soundness of the Program. This review will include the College’s experiences with Identity Theft situations, changes in Identity Theft detection and prevention methods, business arrangements with third-party service providers, an assessment of which accounts and/or databases are covered by the Program and re-evaluate employee training.