DRAFT

Module Coordination Request

Title: Red Flag Program

Tracking Number: 37

Point of Origin: Monte Kramer, System Vice-President for Administration

Date of referral to Accounts Receivable Module: April 28, 2009

Date of referral to Financial Aid Module: April 21, 2009

Date of referral to MOCC: April 23, 2009

Date of final approval from MOCC: ______

Date of referral to HR Directors: April 13, 2009

Date of referral to Security and Networking Committee: April 23, 2009

Date of referral to Monte Kramer/BAC: ______

Date of final approval from Monte Kramer: ______

Effective date of implementation: May 1, 2009

Recommendation from MOCC Chairman, Trudy Zalud:

Approve the Red Flags Program developed by Larry Youngren (AR/SDSU), Julie Pier (FA/USD), Pam Thomas (AR/BHSU), Andy Conley (RIS), and Trudy Zalud (MOCC).

Background Information:

In conjunction with the Fair and Accurate Credit Transactions Act of 2003, the Federal Trade Commission (FTC), National Credit Union Administration, and federal bank regulatory agencies issued the Red Flags Rules. Aimed at detecting identity theft and mitigating the results of such theft, these regulations apply to all financial institutions and creditors who maintain covered accounts (see attached document: FTC Business Alert). The rules compel creation and implementation of corresponding programs on or before May 1, 2009. Monte Kramer, System Vice-President for Administration, appointed a task force to address this directive.

Application of Red Flags Rules to the South Dakota Regental System:

The regental system – a non-profit, governmental entity – allows students to defer payment for goods and services. Consequently, it fits within the established definition of creditor. Moreover, the regental system maintains covered accounts – those which are used primarily for personal purposes and encompass multiple transactions. Because of these two factors in combination, the South Dakota regental system is obliged to demonstrate compliance with the Red Flags Rules.

Scope of Covered Activities:

The Red Flags Rule comprises three related regulations; collectively, these drive the scope of covered activities.

- (681.1) Users of consumer reports must develop reasonable policies and procedures to apply when they receive notice of an address discrepancy from a consumer reporting agency.

Several regental universities pursue credit checks for selected groups of potential employees; these schools engage the services of consumer reporting agencies.

- (681.2) Financial institutions and creditors holding covered accounts must develop and implement a written identity theft prevention program for both new and existing accounts.

Within the regental system, relevant accounts include:

  - Institutional student loan programs (such as Perkins Loans, Health and Human Services Loans, National Science Foundation Grants-Loans, and emergency loans)

  - Student accounts that specifically involve payment programs and deferments.

- (681.3) Debit and credit card issuers must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card.

The regental system does not issue debit and/or credit cards. Although several schools do offer stored value cards (these include Coyote Cash at USD; Hobo Dough at SDSU; Trojan Gold at DSU; and Buzz Card at BHSU), these involve a closed-loop system; the debit functionality is not processed through regular debit/credit card networks. As a result, this provision does not apply.

Note: Should the regental system ever pursue operation of a fully functional debit/credit card issuer program, then this provision will apply.

Supporting Framework:

The Red Flags Rules center on the detection of and response to identity theft in the context of covered accounts. A related – and very significant – effort pertains to prevention of identity theft. The regental system has embraced a variety of strategies geared toward thwarting this crime.

Existing Practices:

- SDBOR Acceptable Use Policy (http://www.sdbor.edu/policy/7_Technology/documents/7-1.pdf)

- SDBOR Security Program (http://www.sdbor.edu/administration/information_technology/policies/documents/bor_policy_security_program_6_6_03.pdf)

- SDBOR Privacy Policy (http://www.sdbor.edu/administration/information_technology/policies/documents/privacy_policy_and_confidentiality_agreements.pdf)

- Confidentiality of Student Records (http://www.sdbor.edu/policy/3-Student_Affairs/documents/3-5.pdf)

The Family Educational Rights and Privacy Act, or FERPA (see bullet #4), influentially shaped regental operating procedures. Conscientious adherence to this law – which was designed to protect the privacy of student education records – has given rise to an organizational culture distinguished by confidentiality and caution. This type of culture provides a particularly serviceable foundation on which to build a Red Flags Program.

Red Flags Program:

Red flags equate to warning signs that signal identity theft. The crux of this program entails discerning and reacting to five types of red flags; regental strategies aligned with these processes are delineated below:

Detection of red flags:

- Alerts, notifications, and warnings provided by consumer reporting agencies in response to requests for credit reports of potential employees:

  - Report of fraud

  - Notice/report of a credit freeze

  - Notice/report of an active duty alert

  - Notice of address discrepancy

- Suspicious documents:

  - Identification document or card that appears to be forged, altered, or inauthentic

  - Identification card on which the student’s photograph or physical description is inconsistent with person presenting card

  - Other document information that is incongruent with existing student data

- Suspicious personally identifying information:

  - Presentation of identifying information that is inconsistent with other information provided by the student (example: birth dates do not match)

  - Presentation of identifying information that conflicts with that on file or available through other sources (example: address provided through Registration Confirmation contradicts that housed in Colleague)

  - Submission of information that points to fraudulent activity (examples: invalid phone numbers and fictitious addresses)

  - Provision of social security number that is identical to that already provided by another student

  - Failure to provide complete personal identifying information despite reminders to do so

- Suspicious activity related to covered accounts:

  - Payments stop on a typically up-to-date loan account

  - Mail sent to the student is repeatedly returned as undeliverable

  - Communication from a student that he/she is not receiving mail sent by the university

  - Breach in the university’s computer system security

  - Unauthorized access to student account information

- Notices from students and law enforcement authorities regarding possible identity theft connected to covered accounts:

  - Notification from a student that his/her identity has been stolen

  - Warning shared by a victim or law enforcement personnel that the university is conducting business (specifically, maintaining a covered account) with an identity thief

Response to red flags:

Following detection, university staff will assess the degree of risk posed by the particular red flag and provide appropriate follow-up action as merited:

- Continue monitoring covered account for additional evidence of identity theft.

- Contact applicant for whom credit check was conducted.

- Change any passwords or other security devices that permit access to covered accounts.

- Attach a privacy hold to impacted student’s account.

- Following consultation with System Integration Specialist, provide student with new identification number.

- Inform immediate supervisor and Program Administrator.

- Notify law enforcement personnel.

Note: Not all red flags will trigger follow-up action; in certain scenarios, staff members may apply prior knowledge and determine that no further action is warranted.

Additional Information:

Program Administrator: A senior member of the Board of Regents staff, Monte Kramer will maintain oversight of the Red Flags Program.

Service Provider Arrangements: All regental universities are empowered to either self-administer repayment of Perkins Loan monies or engage the services of a third party to orchestrate the process. Those who pursue this second option are responsible for ensuring that the service provider of choice performs its activities in accordance with the Red Flags Rules.

Reports: Program outcomes will be reported to the Board of Regents on an annual basis.

Periodic Review: The Red Flags Program will undergo annual scrutiny; based on current business realities and new developments, it will be revised as appropriate.