Transcript The Red Flag Rule - Minnesota State Colleges and Universities

The Red Flag Rule
Detecting, Preventing,
and Mitigating Identity Theft
The Minnesota State Colleges and Universities system is an Equal Opportunity employer and educator.
The Goals of This Training
• To define commonly used terms related to Identity
Theft.
• To explain the federal rules intended to prevent
Identity Theft.
• To assist you in developing unit-specific procedures
that will comply with the Identity Theft Prevention
Program approved by the Board of Trustees.
Frequency of Training
This Red Flag Rule training module is recommended for
all college and university workforce members who have
access to consumer reports and/or financial accounts.
Slide 2
Flag
 Noun: A piece of cloth, usually rectangular,
of distinctive color and design, used as a
symbol, standard, signal, or emblem.
 Verb: To communicate by means of such
devices as lights or signs.
Slide 3
Red Flag
A warning signal. Something that demands
attention or provokes an irritated reaction.
Slide 4
Identity Theft – Red Flag
A pattern, practice, or specific
activity that indicates the possible
existence of identity theft.
Slide 5
The Red Flag Rules
• In November 2007, final rules were issued by the
Federal Trade Commission to implement the
Identity Theft Red Flags Rule (16 CFR Part 681).
• The Rule applies to many businesses and
organizations, but specifically financial
institutions and creditors that offer or maintain
specific types of accounts.
• The Rule requires the implementation of a written
Identity Theft Prevention Program designed to
detect the warning signs – the "red flags" – of
identity theft in daily operations.
Slide 6
How Does this Rule Apply to us?
•
"The Red Flags Rules and Guidelines seek to ensure that financial
institutions and creditors are alert for signs or indicators that an
identity thief is actively misusing another individual’s sensitive data,
typically to obtain products or services from the institution or
creditor." (FTC - Red Flags FAQs)
•
We come under the definition of a financial institution if we "directly
or indirectly hold a transaction account belonging to a consumer."
•
We fall within the definition of a creditor if, "within the ordinary
course of business, we regularly :
– "obtain or use consumer reports in connection with a credit
transaction;
– "furnish information to consumer reporting agencies in
connection with a credit transaction; or
– "advance funds to -- or on behalf of -- someone, except for funds
for expenses incidental to a service provided by the creditor to
that person*.“
Slide 7
Covered Accounts
•
"The Red Flags Rules require financial institutions and creditors that
offer or maintain covered accounts to have policies and procedures
to identify patterns, practices, or activities that indicate the possible
existence of identity theft..." (FTC - Red Flags FAQs)
•
A ‘covered account’ is any account that creditor offers or maintains:
– Primarily for personal, family, or household purposes (not business
purposes), and
– That involves or is designed to permit multiple payments or
transactions.
– A covered account is also one for which there is a reasonably
foreseeable risk, to customers or to the safety and soundness of the
creditor, from identify theft.
• These may include business accounts.
Simply accepting credit cards as a form of payment does not make you a "creditor" under the Red
Flags Rule. But, if you offer a debit or credit card, arrange credit for your customers, or extend
credit by selling customers goods or services now and billing them later, you are a "creditor" under
the law.
Slide 8
Where the Rule Applies
• The Red Flags Rule is actually three
different but related rules- all of which
apply to the following areas at your
school:
– (681.1) Users of Consumer Reports
– (681.2) Holders of ‘Covered Accounts’
– (681.3) Issuers of Debit and Credit Cards
Slide 9
Users of Consumer Reports
• (681.1) Users of consumer reports must
develop reasonable policies and procedures
– To verify the identity of consumers and
– Confirm their addresses, when necessary.
– Applies to any areas of the college or
university that utilize consumer reporting
agencies (Equifax, Experion, TransUnion) for
any reason, i.e. credit or background checks
for loans or collection purposes, or for new
hire applicants.
Slide 10
Account Holders
• (681.2) “(Holders of)…’covered accounts’must
develop and implement written procedures for
both new and existing accounts.”
– This provision applies to any areas of colleges
and universities that issue any type of credit.
For example:
• Perkins Loans
• Housing or Transportation Payment Plans
• Student Deferred Payment Plans
• Faculty Group Practices
Slide 11
Debit and Credit Card Issuers
• (681.3) Debit and credit card issuers must
develop reasonable policies and
procedures to assess the validity of a
request for change of address followed
closely by a request for an additional or
replacement card.
Slide 12
Identifying Red Flags
Now that you know about the Red Flags Rule, how does it
apply to you?
 A Red Flag, or any situation closely resembling
one, should be investigated/
 The following are potential indicators of fraud:
• Alerts, notifications, or other warnings from credit
agencies
• Suspicious documents or personal identifying
information
• Unusual or suspicious account activities
• Notices from customers, victims of identity theft,
law enforcement authorities, or others
Slide 13
Alerts, Notifications, and Warnings
• Watch for these notices from consumer
reporting agencies, service providers, or
fraud detection services:
– An active duty alert or a fraud alert included
with a consumer report;
– A notice of credit freeze in response to a
request for a consumer report; or
– A notice of address discrepancy.
You’ll need to add a procedure for appropriate
responses to notices.
Slide 14
Suspicious Documents
• Identification documents that appear to have
been altered or forged.
• The photograph or physical description on an ID
that doesn’t match the customer presenting it.
• Information on the identification that is
inconsistent with other information provided or
readily accessible, such as a signature card or a
recent check.
• An application or document that appears to have
been destroyed and reassembled.
Slide 15
Suspicious Personal Information
• Personal Identifying Information (PII) provided
is inconsistent with PII that is on file, or when
compared to external sources. For example,
– The address does not match any address in
the consumer report;
– The SSN has not been issued or is listed on
the Social Security Administration’s Death
Master File;
– There is a lack of correlation between the
SSN range and date of birth.
Slide 16
Fradulent Personal Information
• PII provided is associated with known
fraudulent activity, or is of a type commonly
associated with fraudulent activity. For
example,
– The address on a document is the same as the
address provided on a known fraudulent
document;
– The address on a document is fictitious, a mail
drop, or a prison;
– The phone number is invalid or is associated with
a pager or answering service.
Slide 17
Just how suspicious….?
Would you be concerned if..
• ..a SSN provided for an account is the same as one provided
by another person for a different account?
– How would you know?
• …the person opening an account fails to provide all the
required personal identifying information on an application
and then doesn’t respond to notices that the application is
incomplete?
– What do you do next?
• …a person requesting access to “their” account cannot
answer the security questions (mother’s maiden name, pet’s
name, etc.)?
– How do you handle this?
Slide 18
Looking Below the Surface
• Sometimes fraudulent activity is not that obvious.
• Do you know what to do if…
-mail sent to the account-holder is returned
repeatedly as undeliverable although transactions
continue to be conducted in connection account?
-the institution is notified that a customer is not
receiving paper account statements, even though
they are being mailed and not returned?
Slide 19
On the Other Hand…
• Sometimes the problem is obvious, but do
you know the procedure when..
– The institution receives a notice regarding
possible identity theft in connection with
Covered Accounts held by your unit?
– The institution is notified that your department
has opened a fraudulent account for a person
engaged in identity theft?
Slide 20
Responding to Red Flags
Report known and suspected fraudulent
activity immediately
-to protect both customers and the
school from damages and loss:
• Gather all related documentation.
• Complete a incident report.
• Provide a complete description of the
situation.
• Send the report to your supervisor.
Slide 21
Taking Action
• If a transaction is or appears to be
fraudulent, take appropriate action:
– Cancel the transaction.
– Notify supervisor.
• Additional cooperation and assistance
may be required with:
– Notification and cooperation with appropriate
law enforcement.
– Determining the extent of liability of the school.
– Notifying the customer that fraud has been
attempted.
Slide 22
Moving Beyond the Mandate
• The Red Flag Rules address external threats,
but what about internal threats?
• All personnel working with data should
understand the following:
– Is your area “data-rich”?
– Do you know where all your data is?
– Is access to the data strictly controlled?
– Do you have both orientation and termination
procedures related to data?
Be Aware: Identity Theft is the #1 “white
collar” crime in the US!
Slide 23
It’s all about security
• Here’s how to avoid becoming an ID Theft statistic.
– Store restricted information on secure servers, not
on your workstation.
– Password protect your computer and set your
screensaver to come on automatically.
– Avoid providing restricted data over the telephone or
by email.
– Place all restricted data documents in secure bins
for shredding.
– Review Board Policy 5.22 Acceptable Use of
Computers and Information Technology Resources
Slide 24
RESOURCES
• Red Flags Website
– The Federal Trade Commissions’s information
page http://www.ftc.gov/redflagsrule
– Protect Social Security Numbers
Slide 25
Identity Theft Prevention Program
The Minnesota State Colleges and
Universities Board of Trustee approved the
initial program on March 18, 2009.
This document may be viewed at:
http://finance.mnscu.edu/accounting/campustools/d
ocs/redflag_idtheftprevprgrm_2009031.pdf
Slide 26
Thank you for reading the presentation.
The next step will be to take a short quiz.
Once you have completed the quiz, print out
the last page and present it to the Red Flag
Coordinator at your campus.
You may find the quiz at:
http://www.finance.mnscu.edu/accounting/ca
mpustools/redflagtraining.html
This presentation was developed with the permission of the University of
Florida URL: http://privacy.health.ufl.edu/RedFlag/
Slide 27