Red Flags Rule (Identity Theft Prevention Program)
This Program was developed pursuant to the Federal Trade Commission's (FTC) Red Flags Rule promulgated pursuant to the Fair and Accurate Credit Transactions Act (FACT Act). The University's program, as set forth herein, is designed to detect, prevent, and mitigate identify theft in connection with the opening of a covered account or any existing covered accounts within the University, and is appropriate to the size and complexity of the University as a creditor and the nature and scope of its activities.
The Red Flags Rule, found at 16 CFR § 681.2, require a creditor to periodically determine, by conducting a risk assessment, whether it offers or maintains covered accounts. Upon identifying any covered account(s), the creditor is required to develop and implement a written Identity Theft Prevention Program designed to:
- Identify relevant red flags for new and existing covered accounts and incorporate those red flags into the program
- Detect red flags that have been incorporated into the program
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft
- Ensure that the program is updated periodically to reflect changes in risks to the account holders or to the safety and soundness of the creditor from identity theft.
The rules require that the creditor's board of directors initially approve the written Identity Theft Prevention Program, whereas continued oversight and administration of the program may be delegated to a board committee or an employee at the level of senior management.
Account – A continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household, or business purposes. Account includes an extension of credit, such as the purchase of property or services involving a deferred payment, and a deposit account.
Card Issuer – Financial institution or creditor that issues a debit or credit card.
Consumer Reporting Agency – Entities that collect and disseminate information about consumers to be used for credit evaluation and certain other purposes.
Consumer Reports – Any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.
Covered Accounts – (1) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and, (2) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identify theft, including financial, operational, compliance, reputation, or litigation risks.
Creditor – Any person, corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative, or association who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.
Customer – A person that has a covered account with a financial institution or creditor.
Debit Card – Any card issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account of the consumer at such financial institution for the purpose of transferring money between accounts or obtaining money.
Identity Theft – A fraud committed or attempted using the identifying information of another person without authority.
Red Flag – A pattern, practice, or specific activity that indicates the possible existence of identity theft.
- Bursar/Student Accounts
- Payment Plan Agreement
- Financial Aid/Institutional Loans
- Campus Store/Credit Limit/Book Rental
- Card Office/USU ID
In identifying below specific red flags unique to these covered accounts, the University considered the following risk factors: the types of covered accounts offered and maintained; the methods provided for opening and accessing each of those accounts; prior experiences with identity theft; and the size, complexity, nature and scope of our institution and its activities. Each of the red flags mentioned below may only be applicable to certain of the covered accounts administered by the University.
- Suspicious Documents
- Documents presented for the purpose of personal identification are incomplete or appear to have been altered, forged, or inauthentic
- The photographic and/or physical description on the personal identification is inconsistent with the appearance of the individual presenting the document
- Other information contained on the personal identification form is inconsistent with information provided by the individual opening a new covered account or when presenting personal identification for verification
- Other information contained on the personal identification is inconsistent with readily accessible information on file with the University
- An application received by the University appears to have been altered, forged, or gives the appearance of having been destroyed and reassembled
- Suspicious Personal Identifying Information
- Personal identifying information provided is inconsistent when compared against external information sources used by the University (e.g., discrepancies in addresses)
- Personal identifying information provided is inconsistent when compared against internal information held by University, such as discrepancies in addresses, phone numbers, and other personal identifying information
- Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the University, such as fictitious and/or duplicated phone numbers, addresses, or SSN
- Personal identifying information provided is fictitious and/or the same or very similar to that submitted by others opening an account or holding existing accounts, such as addresses, telephone numbers, bank accounts, and social security numbers
- The student or individual opening a covered account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete
- Challenge questions, used by University to allow students and individuals to access their covered accounts, are answered incorrectly
- Unusual Use of, or Suspicious Activity Related to, the Covered Account
- Shortly following a change of address to a covered account or a request to change the address, the University receives a request to change the account holder's name or other suspect request
- A covered account that has been inactive for a reasonably lengthy amount of time is used in an unusual manner
- Mail sent to the account holder is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the covered account
- The University is notified that the student or individual is not receiving paper account statements and those statements are not being returned as undeliverable
- The University is notified of unauthorized changes or transactions in connection with a student or individual's covered account
- Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by University
- University is notified by a student or individual account holder, a victim of identity theft, a law enforcement entity, or any other person that it has opened a fraudulent account for a person engaged in identity theft
To detect the red flags identified above, the following actions will be taken, when appropriate given the particular covered account at issue and under the particular circumstances, to confirm the identity of students and individuals when they open and/or access their covered accounts:
- Appropriate personal identifying information (e.g., photo identification, date of birth, academic status, user name and password, address, etc.) shall be obtained from the student or individual account holder, prior to issuing a new or replacement ID card, opening a covered account, or allowing access to a covered account
- When certain changes to a covered account are made online, students and individuals holding covered accounts shall receive notification to confirm the change was valid and be provided instruction in the event the change is invalid
- Suspicious changes made to covered accounts that relate to an account holders identity, administration of the account, and billing and payment information shall be verified
In addition to the efforts noted above to detect identity theft, University personnel involved in the administration of the covered accounts will take the following steps, where appropriate and based upon the particular circumstances to prevent and mitigate occurrences of identity theft when a red flag is detected:
- Monitor a covered account for evidence of identity theft
- Contact student(s) and/or individual account holder(s)
- Request additional documentation from the student and/or individual account holder to verify identity
- Change passwords, security codes, and other security devices permitting access to the covered account
- Decline to open a new covered account
- Close an existing covered account
- Notify law enforcement
- Determine that no response is warranted under the particular circumstances
- Attempt to identify the cause and source of the red flag
- Take appropriate steps to modify the applicable process to prevent similar activity in the future