In case you are interested in the regulatory history…

Red Flags Rule
University of St. Thomas
July 20, 2015

In case you are interested in the regulatory history…
• Issued by the Federal Trade Commission (FTC) on November 9, 2007
• Implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT Act) of 2003
• Higher Education required to be compliant with the regulations by November 1, 2009

What does the FTC have to do with UST?
• The Red Flags Rule applies to all financial institutions and CREDITORS that have “covered accounts.”
• UST is a CREDITOR that indeed has covered accounts!

So what is a “covered account?”
• A consumer account that involves multiple payments or transactions, such as a loan or account that is billed or payable in installments
• Also included are any other accounts for which there is a reasonably foreseeable risk of identity theft
• UST covered accounts include:
o Participation in the Federal Perkins Loan Program
o Refund of credit balances, with/without PLUS loans
o Payment plans for student accounts
o Deferment of tuition payments
o Emergency loan funds
o Use of credit reports

I’m convinced we have to comply…what exactly is this Red Flags Rule?
• Purpose – to detect and stop identity thieves from using someone else’s identifying information at UST to commit fraud
• Requirements for UST:
o Implement a written Identity Theft Prevention Program to assist members of the UST community in detecting, preventing, and mitigating identity fraud by recognizing and responding to applicable “red flags”
o The program must cover both new and existing accounts and be appropriate to the size and complexity of UST
o The program must be updated periodically to address changing risks

How is this any different from all the other regulations we have to comply with?
• Most other current legislation governing UST at this time (FERPA, PCI DSS, GLB) focuses on data security in order to avoid theft of personal, confidential information
• The Red Flags Rule is supposed to pick up where the others leave off – requiring businesses to be proactive in trying to stop identity thieves from actually being able to use the information they have already stolen for their nefarious endeavors

Just to make sure we are on the same page - tell me what a “red flag” is when it comes to this rule.
• Red flag – a pattern, practice, or specific activity that indicates the possible existence of identity theft
• Common categories of red flags (including, but not limited to):
o Alerts, notifications, and warnings from a credit reporting company
o Suspicious documents
o Suspicious personal identifying information
o Suspicious account activity
o Notice from other sources

Why is it so important that I learn about this rule?
• As a faculty, staff, or student employee of St. Thomas, it is your responsibility to help prevent identity fraud from occurring through business conducted in your department
• You will need to be able to identify common potential red flags for the activities in your department
• You will need to be able to detect when suspicious activity takes place (i.e., spot “red flags”)
• You will need to understand the correct action to take if you spot any red flags (responding and/or reporting)

I’m no McGruff®. How am I supposed to help take a bite out of crime?
• Because each department operates differently, only some of the more basic red flags will be covered here. However, there is a more extensive (though not exhaustive) list of red flags included in the written Identity Theft Prevention Program available on the UST website at www.stthomas.edu/businessoffice/redflags

How about some specific examples?
• Suspicious Documents:
o Identification documents appear to have been altered or forged
o ID photo/description doesn’t appear to match the person presenting it
o Information on the ID differs from what the person is telling you or what is currently on file
o An application that looks like it has been altered, forged, or torn up and reassembled

More examples!
• Suspicious Personal Identifying Information
o Personal information provided (address, SSN, birth date, etc.) inconsistent with records already on file or with other verification resources
o SSN that is inconsistent with data provided by the SSA
o An address or phone number that is used by several others or is known to be invalid
o The applicant/customer fails to provide all required personal identifying information as requested, even after being reminded

Even more examples!
• Suspicious Account Activity
o Change of address request shortly followed by a name change request
o Mail sent is repeatedly returned as undeliverable to address
o Account used in a way inconsistent with prior usage
o Notice is given by account holder that they are not receiving mail sent by UST
o Notice is given that there has been unauthorized account activity

Still more examples!
• Alerts, notifications and warnings from a credit reporting company:
o A fraud or active duty alert on a credit report
o A notice of credit freeze in response to a request for a credit report
o A notice of address discrepancy provided by a credit reporting agency
o A credit report indicating a pattern of activity inconsistent with the personal history of the customer (for example – a sudden increase in establishing new credit relationships)

And the examples continue!
• Notice From Other Sources – UST may be given notice about identity theft from various sources
o The identity theft victim
o Another student/applicant/customer
o Law enforcement authority
o Miscellaneous others

Now I know some of the red flags. What am I supposed to do about them?
• Obtain and verify the identity of applicants/customers before conducting business
• Review the authenticity of any identifying documentation provided
• Review account activity for consistency
• Examine your department procedures for any security gaps and update as needed
• Keep in mind that a red flag is only an indicator of suspicious activity, not confirmation that fraud actually exists

So what if something does seem fishy…what do I do next?
• Use your best judgment and discretion to determine the appropriate course of action, which may include some of the following:
o Monitor the account in question for evidence of identity theft
o Contact the account owner
o Change passwords, security settings, and any other access
o Close the existing account
o Open a new account with a new number
o Keep account closed
o Notify Public Safety
o More tips available in the written Program online

Is that it?
• A few more items worth noting:
o If UST engages a third party service provider to act on a covered account, then UST should obtain a written agreement to ensure that the activity is conducted in accordance with the Red Flags Rule. Responsibility and liability for each party should be explicit in the contract.
o The written Identity Theft Protection Program at UST was approved by the Board of Trustees on July 7, 2009. The program is administered by a committee reporting to the VP of Business Affairs & Chief Financial Officer
o The written program is available online at www.stthomas.edu/businessoffice/redflags
Good! Done and Done!
Not so fast…
Surprise – pop quiz!

1. A true fact about Red Flags Rule is:
A. It doesn’t apply to UST because it is an FTC regulation
B. It’s called Red Flags because Black Flag was already taken
C. It only applies to employees in the Business Office
D. Covered accounts include both new and existing accounts

2. A red flag is defined as:
A. The symbol of a small island nation
B. An insecticide
C. An indication of a penalty at a sporting event
D. A pattern, practice, or specific activity that indicates the possible existence of identity theft

3. Where is the written Identity Theft Prevention Program found at UST?
A. The back left corner of the third level of the library
B. www.stthomas.edu/businessoffice/redflags
C. In a 3-ring-dust-collecting binder in the Controller’s Office
D. It varies between the Minneapolis and St. Paul campus depending on the day of the week

4. Which of the following is not an example of a red flag?
A. A student requesting a name change after getting married
B. An address that is to a mail drop or prison
C. Inconsistent birthdates when comparing an ID to an application
D. A student ID that has a picture of the student from last year’s spring break trip to Cancun

5. Which of the following would not be an appropriate response when a red flag is detected?
A. Notify Public Safety
B. Start screaming “Gotchya!” at the applicant
C. Monitor activity on the account
D. Verify account information with other resources
End of quiz
Answers to follow
Answers
1. D
2. D
3. B
4. A
5. B