CPO-3 Identity Theft Policy in Compliance with the FTC Red Flag Rule
POLICY NUMBER: CPO-3
Effective Date: July 1, 2014
Responsible Officer: Chief Compliance Officer
The purpose of this Policy is to establish an Identity Theft Program (the "Program") designed to detect, prevent and mitigate identity theft in connection with the opening of a Covered Account or an existing Covered Account and to provide for continued administration of the Program in compliance with the Red Flag rules of the Federal Trade Commission ("FTC") implementing the Fair and Accurate Credit Transactions Act of 2003 ("FACTA").
The University's Identity Theft Program will:
A. Identify relevant Red Flags for new and existing Covered Accounts and incorporate those Red Flags into the Program;
B. Detect Red Flags that have been incorporated into the Program;
C. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft;
D. Ensure that the Program is updated periodically, to reflect changes in risks to students, employees or patients or to the safety and soundness of the University from Identity Theft; and
E. Comply with all applicable laws and regulations.
This Policy applies to all University Covered Accounts, as defined in the FTC's Red Flag rules.
This Policy applies to the following members of the University Community:
All faculty, professional staff members, students, consultants, vendors, service providers, or any other agent of the University who engages in University activities, business, or transactions ("Applicable Members").
For purposes of this Policy, the following definitions apply:
A notice sent to a user by a consumer reporting agency that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address in the agency's file for the consumer.
(i) an account that the University offers or maintains that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the University offers or maintains for which there is a reasonably foreseeable risk to students, employees or patients or to the safety and soundness of the University from identity theft, including financial, operational, compliance, reputation or litigation risks. This term is further defined in Section B, below.
The right granted by the University to a student, employee or patient to defer payment of debt or to incur debt and defer its payment or to purchase property or services and defer payment therefore.
The University when it extends, renews, or continues credit; or arranges for the extension, renewal, or continuation of credit; or any assignees of an original credit or who participates in the decision to extend, renew, or continue credit.
Existing Policies and Practices
Existing University policies and practices to insure compliance with Gramm-Leach-Bliley Act ("GLB"), Family Educational Rights and Privacy Act ("FERPA"), Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and Payment Card Industry Security Standards ("PCI"), as well as system and application security, and internal control policies and procedures.
Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, Social Security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer's Internet Protocol address, or routing code. As used herein, "identifying information" does include "directory information" that may have been authorized for disclosure in accordance with the FERPA.
Any fraud committed or attempted using the identifying information of another person without authority.
A pattern, practice, or specific activity, transaction or event that indicates the possible existence of Identity Theft.
The individual designated with primary responsibility for oversight of the Program is the Chief Compliance Officer.
Drexel University including its Colleges, Schools, Institutes, Centers, divisions, subsidiaries and affiliates.
B. Application to the University
The University is a Creditor for the purpose of FACTA because in certain circumstances the University defers payment for services. As a Creditor, the University has determined that it maintains the following Covered Accounts:
- The Perkins Loan Program;
- Institutional Loan Accounts;
- Student Receivables;
- Employee Receivables; and
- Patient Receivables.
C. Coordination with Existing Policies and Practices
Many offices at the University maintain files, both electronic and paper, of (1) student biographical, academic, health, financial and admission records; (2) employee biographical, academic, health and financial records; and (3) patient health, insurance and other medical information. These records may also include student billing information, Perkins loan records, and personal correspondence with students, parents, employees and patients. Existing Policies and Practices provide an environment where Identity Theft opportunities are mitigated. The Program is designed to complement and coordinate with such Existing Policies and Practices
D. Identification of Red Flags
In order to identify relevant Red Flags, the University has considered the types of Covered Accounts that it offers and maintains, the methods it provides to open such Covered Accounts, the methods it provides to access its Covered Accounts, and its previous experience with Identity Theft. The University has identified the following Red Flags, in each of the listed categories:
1 Notifications and Warnings from Credit Reporting Agencies
- Report of fraud or active duty alert accompanying a credit report;
- Notice or report from a credit agency of a credit freeze in response to a request for a consumer report;
- A consumer reporting agency provides a notice of address discrepancy;
- Indication from a credit report of activity that is inconsistent with a student or applicant's usual pattern or activity, such as:
- a recent significant increase in the number of inquiries;
- an unusual number of recently established credit relationships;
- a material change in the use of credit, especially with respect to recently established credit relationships;
- an account that was closed for cause or identified for abuse of account privileges by a financial institution or Creditor.
2 Suspicious Documents
- Identification document or card that appears forged, altered or inauthentic;
- Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document;
- Other information on the identification that is not consistent with information provided by the person opening a new Covered Account or person presenting the identification;
- Other information on the identification that is not consistent with readily accessible information that is on file with the University;
- An application that appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
3 Suspicious Personal Identifying Information
- Identifying information presented that is inconsistent with other information the student or applicant provides (example: inconsistent birth dates);
- Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a credit report);
- Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
- Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
- Social security number presented that is the same as one given by another person;
- An address or phone number presented that is the same as that of another person;
- A person fails to provide complete personal identifying information on an application when reminded to do so; and
- A person's identifying information is not consistent with the information that is on file for the student or applicant.
4 Suspicious Account Activity or Unusual Use of Account
- Change of address for a Covered Account followed by a request to change the account holder's name;
- Payments stop on an otherwise consistently up-to-date account;
- Account used in a way that is not consistent with prior use (example: nonpayment when there is no history of late or missed payments);
- Mail sent to the account holder is repeatedly returned as undeliverable;
- Notice to the University that a student is not receiving mail sent by the University;
- Notice to the University that an account has unauthorized activity.
5 Alerts from Others
- Notice to the University from a student, employee, patient, Identity Theft victim, law enforcement or other person that the University has opened or is maintaining a fraudulent account for a person engaged in Identity Theft.
E. Detecting Red Flags
1 New Accounts
In order to detect any of the Red Flags identified above associated with the opening of a new Covered Account, Applicable Members will take the following steps to obtain and verify the identity of the individual opening the Covered Account:
- Require certain identifying information such as name, date of birth, home address, driver's license, Social Security number, or other identification;
- Verify the individual's identity (for instance, review a driver's license or other identification card); and
- Independently contact the affected individual if appropriate.
2 Existing Accounts
In order to detect any of the Red Flags identified above for an existing CoveredAccount, Applicable Members will take the following steps to monitor transactions with a Covered Account:
- Verify the identification of the individual if they request information (in person, via telephone, via facsimile, via email);
- Verify the validity of requests to change billing addresses; and
- Verify changes in banking information given for billing and payment purposes.
F. Preventing and Mitigating Identity Theft
In the event Applicable Members detect any identified Red Flags, they shall take one or more of the following steps, depending on the degree of risk posed by the Red Flag:
1 Prevent and Mitigate
- Continue to monitor an account for evidence of Identity Theft;
- Contact the affected individual of suspected Identity Theft;
- Change any passwords or other security devices that permit access to accounts;
- Not open a new account;
- Close an existing account;
- Reopen an account with a new number;
- Notify the Responsible Officer for determination of the appropriate step(s) to take;
- Notify law enforcement; or
- Determine that no response is warranted under the particular circumstances.
2 Protect Identifying Information
In order to further prevent the likelihood of Identity Theft occurring with respect to University Covered Accounts, the University will continue to comply with its Existing Policies and Practices, specifically internal operating procedures designed to protect identifying information:
- Ensure that its website is secure or provide clear notice that the website is not secure;
- Ensure complete and secure destruction of paper documents and computer files containing Covered Account information, in a manner consistent with applicable law and University record retention policy;
- Ensure that office computers are password protected and that computer screens lock after a set period of time;
- Keep offices that are responsible for handling Covered Account information clear of papers;
- Ensure computer virus protection is up to date; and
- Require and keep only the identifying information that is necessary for the University's purposes.
3 Response to Identity Theft
The University will notify the affected individual(s) of any Identity Theft, suspected or actual, of which it becomes aware. The following information will be included in the notice:
- The type if identifying information involved;
- The telephone number that the person can call for further information and assistance, including:
- Local law enforcement
- Federal Trade Commission: (Toll free) 877.438.4338
- Credit Reporting Agencies, including Equifax, Experian and Trans Union.
G. Address Discrepancy Rules
Upon receipt of a notice of Address Discrepancy, Applicable Members shall take steps to confirm that the consumer report relates to the person about whom it has requested the report. These steps shall include:
- Comparing the information in the consumer report to the information that the University:
- has obtained to verify the person's identity;
- maintains in its own records, such as applications or change of address notifications;
- obtains from third party sources; or
- Verifying the information in the consumer report with the person to whom the report relates.
H. Program Updates
The Responsible Officer will periodically review and update this Program to reflect changes in risks to Covered Accounts. In doing so, the Responsible Officer will consider the University's experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the University's business arrangements with other entities. After considering these factors, the Responsible Officer will determine whether changes to the Program, including additional Red Flags, are warranted. If warranted, the Responsible Officer will update the Program or present the Audit Committee of the University Board of Trustees with his or her recommended changes and the Trustees will make a determination of whether to accept, modify or reject those changes to the Program.
I. Program Administration
The University's Audit Committee of the Board of Trustees of Drexel University approved this Program on February 25, 2009. The Responsible Officer shall report to the Audit Committee as requested, but no less than annually, on all material aspects of the Program's operation. The Responsible Officer will be responsible for the Program's administration, for ensuring appropriate training of Applicable Members on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft in connection with the Covered Accounts, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program. The Responsible Officer will also coordinate as necessary with the Applicable Members responsible for administration of Existing Policies and Practices to ensure overall coordination of the University's efforts to safeguard the identifying information in Covered Accounts.
2 Applicable Member Training and Reports
Applicable Members responsible for implementing the Program shall be trained either by or under the direction of the Responsible Officer in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected.
3 Service Provider Arrangements
In the event the University engages a service provider to perform an activity in connection with one or more Covered Accounts, the University will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft.
- Require, by contract, that service providers have such policies and procedures in place; and
- Require, by contract, that service providers review the University's Program and report any Red Flags to the Responsible Officer.
Additional Information: Inquiries regarding this policy should be referred to the Chief Compliance Officer at 267.359.5598, Edward.Longazel@drexel.edu.