The Financial Institution Regulators, including the Federal Trade Commission, have issued a final rule (the Red Flag Rule) under sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The Red Flag Rule requires institutions that hold “covered accounts” (accounts for which a person makes repeat payments) to develop and implement an identity theft prevention program for new and existing accounts.
Ramapo College takes the possibility of identity theft seriously and, in full compliance with the Red Flag Rule, has developed and implemented an Identity Theft Prevention Program. After consideration of the size of the College’s operations and account systems, and the nature and scope of the College’s activities, the Board of Trustees determined that this Program was appropriate for Ramapo College, and therefore approved this Program on February 23, 2009.
Identity theft means fraud committed or attempted using the identifying information of another person without authority.
Covered Account means an account that a creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions. These accounts include all student accounts or loans that are administered by the College.
Red Flag means a pattern, practice or specific activity that indicates the possible existence of identity theft.
Program Administrator is the group or individual designated with the primary responsibility for oversight of the program.
Identifying Information means any name or number that may be used in conjunction with any other information to identify a specific person, including: name, address, telephone number, social security number, date of birth, driver’s license or identification number, alien registration number, passport number, employer or taxpayer identification number, student identification number, Internet Protocol address or routing code.
The purpose of this policy is to establish an Identity Theft Prevention Program designed to reasonably detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program. The Program shall include reasonable policies and procedures to:
- Identify relevant Red Flags for new and existing covered accounts it offers or maintains and incorporate those Red Flags into the program;
- Detect red flags that have been incorporated into the Program;
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
- Ensure the Program is updated periodically to reflect changes in risks to students and to the safety and soundness of the creditor from identity theft.
The Program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.
Ramapo College has identified two types of accounts: one is a covered account administered by the College, and the other is an account administered by a service provider.
The College covered account is the tuition payment plan which allows students to pay their bills over a series of installments.
The service provider covered account is the Perkins Loan Program administered by Campus Partners; refer to “Oversight of Service Provider Arrangements.”
Identification of Relevant Red Flags
The Program shall include relevant red flags from the following categories as appropriate:
- Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
  - Report of fraud accompanying a credit report.
  - Notice or report from a credit agency of a credit freeze on an applicant.
  - Notice or report from a credit agency on an active duty alert for an applicant.
  - Receipt or notice of address discrepancy in response to a credit report request.
  - Indication from a credit report of activity that is inconsistent with an applicant’s usual pattern or activity.
- The presentation of suspicious documents;
  - Identification document that appears altered or forged.
  - Identification document on which a person’s photograph or physical description is not consistent with the person presenting the document.
  - Other document with information that is not consistent with existing student information.
  - Application for service that appears to have been altered or forged.
- The presentation of suspicious personal identifying information;
  - Identifying information that is inconsistent with other information, such as inconsistent birth dates, an address not matching the address on a loan application, or a photograph or physical description on the identification that is not consistent with the appearance of the student presenting the identification.
  - Identifying information presented that is consistent with fraudulent activity, such as an invalid phone number or fictitious billing address, a social security number presented that is the same as one given by another student, or an address or phone number that is the same as that of another person.
  - A person fails to provide complete personal identifying information on an application when reminded to do so.
- The unusual use of, or other suspicious activity related to, a covered account;
  - Change of address for an account followed by a request to change the student’s last name.
  - Payment stops on an otherwise consistently up-to-date account.
  - Account used in a way that is not consistent with prior use.
  - Mail sent to the student is repeatedly returned as undeliverable.
  - Notice to the College that the student is not receiving mail sent by the College.
  - Notice to the College that an account has unauthorized activity.
  - Breach of the College’s computer system security.
  - Unauthorized access to or use of student account information.
  - A request made from a non-College-issued e-mail account.
  - A request to mail something to an address not listed on file.
- Notice from a student, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
Detection of Red Flags
The Program shall address the detection of red flags in connection with the opening of covered accounts and existing covered accounts, such as by:
- Obtaining identifying information such as name, date of birth, home address or other identification, and verifying the identity of a person opening a covered account; and
- Authenticating the identification of students if they request information in person, via telephone or via e-mail, and verifying the validity of requests to change a billing address, and of changes in banking information for billing and payment purposes, in the case of existing covered accounts.
In order to detect any of the Red Flags identified above for an employment position for which a background or credit report is sought, the College will require written verification from any applicant that the address provided by the applicant is accurate and, in the event that notice of an address discrepancy is received, will verify that the background and/or credit report pertains to the applicant for whom the requested report was made and report to the reporting agency an address for the applicant that the College has reasonably confirmed is accurate.
The Program shall provide for appropriate responses to detected red flags to prevent and mitigate identity theft. The appropriate responses to the relevant red flags are as follows:
- Monitor a covered account for evidence of identity theft;
- Deny access to the covered account until other information is available to eliminate the red flag, or close the existing covered account;
- Contact the student and/or provide the student with a new student identification number;
- Change any passwords, security codes or other security devices that permit access to a covered account;
- Reopen a covered account with a new account number or not open a new covered account;
- Notify the Program Administrator for determination of the appropriate step(s) to take;
- Notify law enforcement; or
- Determine no response is warranted under the particular circumstances.
Protecting Identifying Information
The College will take the following steps with respect to its internal operating procedures to protect identifying information:
- Ensure the College’s website is secure or provide clear notice that the website is not secure;
- Ensure complete and secure destruction of paper documents and computer files containing identifying information when such documents or files are no longer needed;
- Ensure that office computers with access to covered account information are password protected;
- Avoid use of social security numbers and allow access to social security numbers only to a very limited number of staff who have been approved by the Red Flag Committee;
- Ensure computer virus protection is up to date;
- Require and keep only the kind of information that is necessary for College purposes.
Oversight of the Program
Responsibility for developing, implementing and updating this program lies with the Red Flag Committee for the College. The Committee is chaired by the Chief Planning Officer, and the remainder of the Committee is comprised of the unit directors for those areas that have direct access to identifying information. The Program Administrator, in conjunction with the Committee, will be responsible for the Program. Oversight of the Program shall include:
- Assignment of specific responsibility for implementation of the Program and ensuring appropriate training of the College’s staff in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected;
- Reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft;
- Determining which steps of prevention and mitigation should be taken in particular circumstances;
- Review of reports prepared by staff regarding compliance;
- Approval of material changes to the Program as necessary to address changing risks of identity theft; and
- Review by the Committee of all requests by staff for access to the Social Security Numbers of either students or staff members, with a recommendation to the Program Administrator on access.
Staff Training and Reports
College staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected.
- College staff will be trained as necessary to effectively implement the Program;
- College staff are expected to notify the Program Administrator once they become aware of an incident of identity theft or of the College’s failure to comply with this program.
Reports shall be prepared as follows:
- The Program Administrator will report to the President’s Cabinet at least annually on compliance by the College with the Program.
- The report shall address material matters related to the Program and evaluate issues such as:
  - The effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts;
  - Service provider agreements;
  - Significant incidents involving identity theft and management’s response; and
  - Recommendations for material changes to the Program.
Oversight of Service Provider Arrangements
The College shall take steps to ensure that the activity of a service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft whenever the organization engages a service provider to perform an activity in connection with one or more covered accounts.
- Require that service providers have such policies and procedures in place;
- Require that service providers review the College’s Program and report any Red Flag to the College employee with primary oversight of the service provider relationship.
Updating the Program
The Program shall be reviewed and updated periodically by the Committee to reflect changes in risks to students or to the safety and soundness of the College from identity theft based on factors such as:
- The experiences of the organization with identity theft;
- Changes in methods of identity theft;
- Changes in methods to detect, prevent and mitigate identity theft;
- Changes in the types of accounts that the organization offers or maintains;
- Changes in the College’s business arrangements with other entities.