Red Flags Policy
In November 2007, final rules implementing Section 114 of the Fair and Accurate Credit Transactions Act of 2003 were issued by the Federal Trade Commission ("FTC"), the federal bank regulatory agencies, and the National Credit Union Administration ("NCUA"). A joint notice of final rulemaking was published in the Federal Register (72 FR 63718) finalizing the Identity Theft Red Flags Rule ("the Rule"). The Rule was issued with the underlying goal of detecting, preventing, and mitigating identity theft "in connection with the opening of certain accounts or existing accounts," referred to as "Covered Accounts."
Red Flags are defined by the Rule as those events which should alert an organization that there is a risk of identity theft. The Rule supplements existing legislation aimed at preventing identity theft through tightened data security (e.g., Gramm-Leach-Bliley) by addressing situations where individuals are trying to use another person's identity in order to fraudulently obtain resources or services. Institutions are to identify Red Flags to alert to and intervene against the possibility of such attempts.
Wentworth as a Covered Entity
The Rule applies to financial institutions and creditors that offer or maintain accounts that provide for multiple transactions primarily for personal, family, or household purposes. The Rule defines an "account" as a "continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under Section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k)."
Wentworth Institute of Technology is a covered entity because we act as a "creditor" by:
- Regularly extending, renewing, or continuing credit; or
- Regularly arranging for the extension, renewal, or continuation of credit; or
- Acting as an assignee of an original creditor who participates in the decision to extend, renew, or continue credit.
The Rule is actually three different but related rules, two of which will definitely apply to Wentworth. The third rule should not apply as noted below:
- (681.1) Users of consumer reports must develop reasonable policies and procedures to apply when they receive notice of an address discrepancy from a consumer reporting agency. – This provision would apply to any areas of Wentworth that utilize consumer reporting agencies for any reason, i.e. credit or background checks for loan issuance or collection purposes, or for new hire applicants, etc.
- (681.2) Financial institutions and creditors holding "covered accounts" must develop and implement a written identity theft prevention program for both new and existing accounts. – This provision applies to any areas of WIT that issue any type of credit, i.e., Perkins Loans, Wentworth Loans, TMS Payment Plans, etc.
- (681.3) Debit and credit card issuers must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. – This provision does not apply as WIT does not issue debit and/or credit cards. While the Fenway Card has debit functionality, it is a closed loop system and cannot be processed through the regular debit/credit card network.
Summary of the Rule Requirements
Covered entities under the Rule must adopt and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of a Covered Account, or any existing Covered Account. The Identity Theft Prevention Program may be integrated into the structure of an existing Compliance Program. However, the efforts and resources committed must be appropriate to the size and complexity of the organization and the nature and scope of its activities. Elements required by the Rule include:
- Identification of Red Flags – Policies and procedures to identify which Red Flags, singly or in combination, are relevant to detecting the possible risk of identity theft to customers using a risk evaluation method appropriate to the organization.
- Detection of Red Flags – Policies and procedures designed to prevent and mitigate identity theft in connection with opening an account or any existing account.
- Responding to Red Flags – Policies and procedures to assess whether the Red Flags detected evidence of risk of identity theft. There must also be a reasonable basis for concluding that a Red Flag does not evidence a risk of identity theft.
- Updating the Program – Policies and procedures in place to ensure the program is updated periodically to reflect changes in risks to the customer and institution.
- Administration of the Program – Involvement of senior management in development, implementation and oversight. Ongoing staff training is required. Also included is oversight of service provider arrangements to ensure they are in compliance.
Twenty-Six Red Flags Identified in the Rule
As an Appendix to the Rule, the FTC has identified twenty-six Red Flags that the Institute may consider incorporating into its program. These are subdivided into five sections, as follows:
Alerts, Notifications or Warnings from a Consumer Reporting Agency
- Report of fraud accompanying a credit report.
- Notice or report from a credit agency of a credit freeze on an applicant.
- Notice or report from a credit agency of an active duty alert for an applicant.
- Receipt of a notice of address discrepancy in response to a credit report request.
- Indication from a credit report of activity that is inconsistent with an applicant's usual pattern or activity.
- Identification document or card that appears to be forged, altered or not authentic.
- Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document.
- Other document with information that is not consistent with existing student information.
- An application that appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
- Identifying information presented that is inconsistent with other information the student provides (example – inconsistent birth dates).
- Identifying information presented that is inconsistent with other sources of information (example – an address not matching an address on a loan application).
- Identifying information presented that is the same as information shown on other applications that were found to be fraudulent.
- Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or a fictitious billing address).
- Social Security Number presented that is the same as one given by another student.
- An address or phone number presented that is the same as that of another person.
- A person fails to provide complete personal identifying information on an application when reminded to do so.
- A person's identifying information is not consistent with the information that is on file for the student.
Unusual Use of, or Suspicious Activity Related to, the Covered Account
- Change of address for an account followed by a request to change the student's name.
- Payments stop on an otherwise consistently up-to-date account.
- Account used in a way that is not consistent with prior use.
- Mail sent to the student is repeatedly returned as undeliverable.
- Notice to the Institute that a student is not receiving mail sent by the Institute.
- Notice to the Institute that an account has unauthorized activity.
- Breach in the Institute's computer system security.
- Unauthorized access to or use of student account information.
Notice from Customer, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts
- Notice to the Institute from a student, a victim of identity theft, law enforcement authorities or other person that the Institute has opened or is maintaining a fraudulent account for a person engaged in identity theft.
Policies and Procedures for Detecting Red Flags
In order to detect any of the Red Flags identified above associated with the enrollment of a student, Institute personnel will take the following steps to obtain and verify the identity of the person opening the account:
- Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
- Verify the student's identity at time of issuance of student identification card (review of driver's license or other government-issued photo identification).
In order to detect any of the Red Flags identified above for an existing Covered Account, Institute personnel will take the following steps to monitor transactions on an account:
- Verify the identification of students if they request information (in person, via telephone, via facsimile, via email);
- Verify the validity of requests to change billing addresses by mail or email and provide the student a reasonable means of promptly reporting incorrect billing address changes; and
- Verify changes in banking information given for billing and payment purposes.
Consumer Credit Report Requests
In order to detect any of the Red Flags identified above for an employee or volunteer position for which a credit or background report is sought, Institute personnel will take the following steps to assist in identifying address discrepancies:
- Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
- In the event that notice of an address discrepancy is received, verify that the credit report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the Institute has confirmed is accurate.
Preventing and Mitigating Identity Theft
In the event Institute personnel detect any identified Red Flags, such personnel shall take one or more of the following steps, depending on the degree of risk posed by the Red Flag:
Prevent and Mitigate
- Continue to monitor a Covered Account for evidence of Identity Theft;
- Contact the student or applicant (for which a credit report was run);
- Change any passwords or other security devices that permit access to Covered Accounts;
- Not open a new Covered Account for an individual suspected of identity theft;
- Provide the student with a new student identification number;
- Notify the Red Flags Policy Committee (defined below) for determination of the appropriate steps to take;
- Notify law enforcement;
- File or assist in filing a Suspicious Activities Report ("SAR"); or
- Determine that no response is warranted under the particular circumstances.
Protect Student Identifying Information
In order to further prevent the likelihood of Identity Theft occurring with respect to Covered Accounts, the Institute will take the following steps with respect to its internal operating procedures to protect student identifying information:
- Ensure that its website is secure or provide clear notice that the website is not secure;
- Ensure complete and secure destruction of paper documents and computer files containing student account information when a decision has been made to no longer maintain such information;
- Ensure that office computers with access to Covered Account information are password protected;
- Avoid use of Social Security Numbers;
- Ensure computer virus protection is up-to-date; and
- Require and keep only the kinds of student information that are necessary for Institute purposes.
Oversight, Training, Third Party Compliance and Update
Due to the sensitive nature of this topic, a Red Flags Policy Committee consisting of the Director of Student Financial Services, the Director of Financial Aid, a representative from the Division of Technology Services, the Controller and others that may be added later will maintain responsibility for the implementation and ongoing support of this policy.
Training for Red Flags will be conducted at least annually along with other compliance training affecting Student Financial Services. This training may be conducted at one or more regular staff meetings that are mandatory for all Student Financial Services and Financial Aid staff.
Third party providers (which may include TMS, Cardsmith, loan servicing providers, collection agencies, etc.) will be contacted at least annually to report compliance.
This policy will be updated at least annually based on new processes and procedures.
Effective May 1, 2009