Wheaton College Audit Committee Red Flag Identity Theft Prevention Program Meeting of February 20, 2009

Transcription

1 Wheaton College Audit Committee Red Flag Identity Theft Prevention Program Meeting of February 20, 2009 Late last year, the Federal Trade Commission (FTC) and Federal banking agencies issued a regulation known as the Red Flags Rule intended to reduce the risk of identity theft. Parts of the rule cover Wheaton College and therefore the college must develop and implement a written identify theft prevention program by May 1, The board of directors (or appropriate board committee) must approve the initial written program. Board approval may be necessary only for the first written program if the board delegates to appropriate senior management further responsibility. The college has attached a written policy of for an identity theft prevention program for your approval. Once approved operational responsibility of the program will be delegated to appropriate senior management for further responsibility.

2 Wheaton College s Red Flag Identity Theft Prevention Program The Federal Trade Commission (FTC) issued a regulation known as the Red Flag Rule (Sections 114 and 315 of the Fair and Accurate Credit Transactions Act), to be implemented no later than May 1, 2009 that is intended to reduce the risk of identity theft. This policy is intended to detect, prevent, and mitigate opportunities for identity theft at Wheaton College. The Red Flag Rule applies to Wheaton due to our participation in the Perkins Loan program, our small institutional loan program, our extension of credit for student accounts, and the fact that we request credit reports for some potential employees. Our analysis of the type and scope of activity covered in the regulation, and our risk assessment of potential identity theft opportunities has resulted in a determination that there is a low level risk of possible identity theft at Wheaton College. Scope of Covered Activities Participation in Federal Perkins Loan Program Wheaton - small Institutional student loan program Payment plans and promissory notes for covered student accounts Credit reports in employee hiring process Existing Policies and Practices Many offices at Wheaton College maintain files, both electronic and paper, of student biographical, academic, health, financial, and admission records. These records may also include student billing information, Perkins Loan records, and personal correspondence with students and parents. Policies to insure compliance with Gramm-Leach-Bliley Act (GLB), Family Educational Rights and Privacy Act (FERPA), and Payment Card Industry security standards (PCI), system and application security, and internal control procedures provide an environment where identify theft opportunities are mitigated. Records are safeguarded to ensure the privacy and confidentially of student, parents, alumni and employees. The Office of Human Resources performs credit and criminal background checks on some potential employees prior to their date of hire. This population includes any staff member who has unsupervised access to residence halls, and employees whose positions require them to have regular access to cash, and/or who have computer access to payroll data. Access to this information is very limited and procedures to safeguard the data are in place. Parents may obtain non-directory information (e.g. grades, academic standing, etc.) at the discretion of the institution and after it is determined that the student is legally dependent of either parent. Staff who have access to HR and Payroll data have been versed on the policy of the college that non-directory information regarding employees is not be provided unless approved in writing by the employee. Draft for Audit Committee Approval - February 20, 2009

3 Students are required to give written authorization to the Office of the Registrar if their information is permitted to be shared with another party. An Annual Notification to Students of their rights under FERPA is sent out to students each year. Students are given the opportunity to update their billing addresses for third party billing (parents, companies, scholarship foundations, etc). Occasionally, the college will extend short term credit to a student for payment of their tuition bill which thus creates a covered account. The student signs a short term promissory note, which is stored in a secured area. Students must make a change of address in person at the Office of the Registrar, or during sign-in through the secure self-service application in Banner. Access to non-directory student data in Wheaton s Banner system is restricted to those employees of the college with a need to properly perform their duties. These employees are trained to know FERPA and Red Flag regulations. Social Security numbers are not used as identification numbers and these data are classified as non-directory student data. All paper files are required to be maintained in locked filing cabinets when not in use. All offices, when not occupied, are to be locked. Access to non-directory employee data in Wheaton s Human Resources and Payroll systems is restricted to only those employees of the college who need this access to properly perform their duties. These employees are also trained to know FERPA and Red Flag regulations. Staff is requested to report all changes in name, address, telephone or marital status to the Human Resources Office as soon as possible; they also must periodically verify those persons listed as contacts in case of an emergency, and those persons designated as beneficiaries to life and/or retirement policies. The college is sensitive to the personal data (unlisted phone numbers, dates of birth, etc.) that it maintains in its personnel files and databases. We will not disclose personal information, except by written request or signed permission of the employee (for example, the Campus Directory), or unless there is a legitimate business "need-to-know", or if compelled by law. Every effort is made to limit the access to private information to those employees on campus with a legitimate "need-to-know." Staff who have approved access to the administrative information databases understand that they are restricted in using the information obtained only in the conduct of their official duties. The inappropriate use of such access and/or use of administrative data may result in disciplinary action up to, and including, dismissal from the College. The college's official personnel files for all employees are retained in the Human Resources Office. Employees have the right to review the materials contained in their personnel file. Draft for Audit Committee Approval - February 20, 2009

4 Detecting Red Flag Activity Address discrepancies Presentation of suspicious documents Photograph or physical description on the identification is not consistent with the appearance of the person presenting the identification Personal identifying information provided is not consistent with other personal identifying information on file with the college Documents provided for identification that appear to have been altered or forged Unusual or suspicious activity related to covered accounts Notification from students, borrowers, law enforcement, or service providers of unusual activity related to a covered account Notification from a credit bureau of fraudulent activity Responding to Red Flags Should an employee identify a red flag (patterns, practices and specific activities that signal possible identify theft), they are instructed to bring it to the attention of their department head immediately. The administrator will investigate the threat of identity theft to determine if there has been a breach and will respond appropriately to prevent future identity theft breaches. Additional actions may include notifying and cooperating with appropriate law enforcement and notifying the student or employee of the attempted fraud. Oversight of Service Providers Wheaton College employs Campus Partners, a Perkins Loan servicer, for the purpose of billing and collection of Perkins and Wheaton institutional loan payments. The only information that is shared with Campus Partners is information required to properly bill and collect loan payment as established by the Department of Education. This includes student name, address, telephone number, social security number, and date of birth. Wheaton College will collect and maintain on file documents from Campus Partners confirming their compliance with Red Flag Rules. Wheaton College uses external collection agencies for the purpose of collecting overdue student receivables and defaulted Perkins Loans. The only information that is shared with the collection agencies is that information required to perform credit checks, to perform address searches, and to properly bill and collect payment. This includes student name, address, telephone number, social security number, and date of birth. Wheaton College will collect and maintain on file documents from all collection agencies regarding their compliance with Red Flag Rules. Wheaton College employs Tuition Management Services (TMS), a tuition billing service, for monthly tuition payment plans. The only data that is shared with the TMS is information relating to the tuition payment plan established by the student or parent. Wheaton College will collect and maintain on file documents from TMS confirming their compliance with Red Flag Rules. Draft for Audit Committee Approval - February 20, 2009

5 Periodic Update of Plan This policy will be re-evaluated on or about the first day of each calendar year to determine whether all aspects of the program are up to date and applicable in the current business environments, and revised as necessary. Operational responsibility of the program is delegated to the the Asst. VP for Finance and the Asst. VP for Enrollment and SFS. Draft for Audit Committee Approval - February 20, 2009

6 FTC's Red Flag Rule Likely to Affect Colleges Print September 23, 2008 Identity Theft "Red Flags Rule" -- November 1 Compliance Date Nears By Elizabeth B. Meers and Daniel S. Meade Late last year, the Federal Trade Commission (FTC) and Federal banking agencies issued a regulation known as the Red Flags Rule intended to reduce the risk of identify theft. Mandatory compliance with the Red Flags Rule for "creditors" or "financial institutions" that provide "covered accounts" begins on November 1, Parts of the rule likely cover many colleges and universities, and as discussed below, the FTC has stated that nonprofit and government entities can be subject to parts of the rule. Institutions should consult with their legal counsel on applicability of the rule and should consider establishing a security program consistent with it. Background on Red Flags Rule The FTC issued the Red Flags Rule under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT Act), which amended the Fair Credit Reporting Act (FCRA). The rule requires "financial institutions" and "creditors" that hold "covered accounts" to develop and implement an identity theft prevention program" for new and existing accounts. The Red Flags Rule is actually three different but related rules, one or two of which apply to many colleges and universities: (1) Debit and credit card issuers must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. (This provision is likely not applicable to colleges and universities, because, as discussed in the preamble to the Red Flags Rule, the definition of "debit card" specifically does not include stored value cards. However, this provision could implicate student ID s that also can be used as part of a national debit card network, such as Visa or MasterCard.) (2) Users of consumer reports must develop reasonable policies and procedures to apply when they receive notice of an address discrepancy from a consumer reporting agency. (This provision applies to colleges and universities when they use consumer reports to conduct credit or background checks on prospective employees or applicants for credit.) (3) Financial institutions and creditors holding "covered accounts" must develop and implement a written identity theft prevention program for both new and existing accounts. (This provision likely applies to many colleges and universities). Application of Red Flags Rule to Colleges and Universities as Creditors The Red Flags Rule defines the terms "creditor" and "covered accounts" broadly. A "creditor" under the Red Flags Rule includes any person who defers payment for services rendered, such as an organization that bills at the end of the month for services rendered the previous month. Although the FTC, in many contexts, does not have jurisdiction over not-for-profit entities, it has taken the position that not-for-profits are subject to FTC jurisdiction when they engage in activities in which a for-profit entity would also engage. In its July 2008 guidance, the FTC stated

7 "[w]here non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors." Activities that could cause colleges and universities to be considered "creditors" under the Red Flags Rule may include, for instance: participating in the Federal Perkins Loan program, participating as a school lender in the Federal Family Education Loan Program, offering institutional loans to students, faculty, or staff, or offering a plan for payment of tuition throughout the semester rather than requiring full payment at the beginning of the semester. Under the rule, if an institution is a creditor, the institution must determine if any of its extensions of credit are "covered accounts." Basically, a covered account is a consumer account that involves multiple payments or transactions, such as a loan that is billed or payable monthly. The Red Flags Rule and the FTC s guidance on it indicate that covered accounts include certain types of arrangements in which an individual establishes a "continuing relationship" with the enterprise, including billing for previous services rendered. Certain payment arrangements, such as payment of tuition in full at the beginning of each semester either by the student s family or through a third-party student loan provider, likely does not meet the "continuing relationship" standard in the "covered account" definition. Any type of account or payment plan that involves multiple transactions or multiple payments in arrears, however, likely is a "covered account." Steps to be Taken by Colleges and Universities Covered by the Red Flags Rule Under the rule, creditors that hold covered accounts must develop an identity theft prevention program that includes reasonable policies and procedures to detect or mitigate identity theft and enable a creditor to: identify relevant "red flags" (patterns, practices, and specific activities that signal possible identity theft) and incorporate them into the program; detect the red flags that the program incorporates; respond appropriately to detected red flags to prevent and mitigate identity theft; and ensure that the Program is updated periodically to reflect changes in risks. The board of directors (or appropriate board committee) must approve the initial written program. Board approval may be necessary only for the first written program if the board delegates to appropriate senior management further responsibility. If an institution has not yet done so, it should promptly develop an identity theft prevention program for board (or board committee) approval, as the Red Flags Rule goes into effect November 1, Content of Identity Theft Prevention Program The Red Flags Rule allows for flexibility in the scope of the Identity Theft Prevention Program, depending on the creditors activities and level of identity theft risk associated with the relevant

8 covered accounts. In developing Identity Theft Prevention Programs, institutions should assess whether they have "covered accounts." This analysis and an initial risk assessment will enable the financial institution or creditor to identify accounts the Program must address and identify the risks the institution faces, based in large part on the institution s previous experiences with identity theft. The FTC has stated this risk-based approach will enable organizations to tailor their Programs appropriately. An appropriate identity theft prevention program may not need to be detailed or complex, but should be written, duly approved, and implemented. Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation, published as an appendix to the Red Flags Rule, provides an outline for developing a Program. In a supplement to the guidance, the FTC and federal banking regulators identified 26 "red flags" that may be useful to incorporate into an identity theft prevention program. Examples include: address discrepancy name discrepancy on identification and insurance information presentation of suspicious documents personal information inconsistent with information already on file unusual use or suspicious activity related to a covered account, and/or notice from customers, law enforcement or others of unusual activity related to that covered account. In addition to addressing relevant "red flags," an institution covered by the Red Flags Rule must "train staff, as necessary" to implement the identity theft prevention program effectively. According to the preamble to the rule, institutions need train only "relevant staff" and only insofar as necessary to supplement other training programs. The institution must also exercise "appropriate and effective oversight" of service provider arrangements. According to the preamble to the rule, this provision is intended to remind creditors and financial institutions that they remain responsible for compliance with the rule even if they outsource operations to a third party. The provision is also intended, however, to provide "maximum flexibility" to creditors and financial institutions in managing their service provider arrangements. Thus, a service provider that provides services to multiple creditors and financial institutions may do so in accordance with its own identity theft prevention program, as long as that program complies with the rule. Among other steps, a creditor or financial institution could require a service provider by contract to have policies and procedures to comply with the rule. Application of Red Flags Rule to "Financial Institutions" The Red Flags Rule also applies to "financial institutions," generally defined as banks, thrifts, credit unions, and other institutions that offer transaction accounts. 1 Colleges and universities that offer students the option of having their student ID also operate as a Visa or MasterCard debit card should coordinate with the bank through which such services are offered to ensure that the bank has an adequate identity theft prevention program in place. FTC Enforcement Under the FCRA, the FTC may impose civil money penalties (up to $2,500 per violation) for

9 knowing violations of the rule that constitute a pattern or practice. If the FTC finds violations of the rule to be unfair and deceptive, the FTC may also use its adjudicatory authority to issue cease and desist orders and other enforcement actions. Although there is no private right of action for noncompliance with the Red Flags Rule under the FCRA, victims of identity theft may be able to bring claims under other theories of liability such as private torts. Conclusion Many colleges and universities currently have procedures in place to flag some address discrepancies or other "red flags." The Red Flags Rule requires covered institutions to systematize these procedures, and develop a written plan, approved by the board of directors or equivalent, by November 1, *** Elizabeth Meers is a partner and Daniel Meade is an associate at Hogan & Hartson, LLP, and practice in its Education and Financial Institutions groups, respectively. NACUBO Contact: Anne C. Gross, vice president, regulatory affairs, Resources FTC Rules under 16 CFR Part 68. NACUBO has pulled out the relevant pages from the Federal Register notices and reformatted for easier reading. FTC Business Alert 1 A transaction account is a deposit or other account from which the account holder may make payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts. See 12 U.S.C. 461(b)(1)(C). Return