Red Flags Identity Theft Training Program. Fall 2015

Transcription

1 Red Flags Identity Theft Training Program Fall 2015

2 Background In 2003, U.S. Congress enacted the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA requires creditors to adopt policies and procedures to prevent identity theft. These requirements are described in Section 114 and are known as the Red Flags Rule. The Red Flags Rule requires financial institutions and creditors holding covered accounts to develop and implement a written identity theft prevention program designed to identify, detect, and respond to Red Flags. UALR is considered a creditor under FACTA and is required to have an Identity Theft Prevention Program.

3 Purpose of Training The purpose of the Identity Theft Prevention Program is to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or the management of an existing covered account. Since you work in a department that is involved in the creation, modification, or administration of covered accounts, you are required to complete this training annually as part of the UALR Identity Theft Prevention Program.

4 Training All staff in each department included in this program must complete training annually. Training will ensure that staff: Are knowledgeable and able to take steps to detect, prevent, and mitigate theft of personally identifiable financial information of UALR s customers. Are able to successfully resolve any security risks identified. Are aware of information security.

5 Instructions 1. Review the training presentation. 2. Complete the assessment with a score of at least 80%. a. You may repeat the assessment until you score 80%. b. You may also refer back to the training presentation, as needed. 3. It may be helpful to refer to the UALR Identity Theft Prevention Program, UALR Fraud Policy, or the Information Technology (IT) Acceptable Use Policy, which are provided under the Contents link. 4. Complete the course evaluation.

6 Question Is Identity Theft and Red Flags the same thing? No! Identity Theft is the actual fraud or theft committed or attempted using the personal identifying information of another person without that person s authority. Red Flags are the clues you can use to spot possible Identity Theft. This training will help you identify those clues.

7 Account Definitions A continuing relationship with the university established by a person to obtain a product or service for personal, family, household, or business purposes. Accounts include: Extension of credit, such as the purchase of property or services involving a deferred payment. Deposit account.

8 Covered Account Definitions A consumer account designed to permit multiple payments or transactions. These are accounts where payments are deferred and made by a borrower periodically over time, such as a tuition or fee installment payment plan. Covered Accounts include, but may not be limited to: Student loans. Installment payments and short-term loans. Accounts that are created for ongoing services and allow the student to reimburse the university when billed over a period of time. Any type of collection account.

9 Creditor Definitions A person or entity that regularly extends, renews, or continues credit and any person or entity that regularly arranges for the extension, renewal, or continuation of credit. Examples of activities that indicate a college or university is a creditor are: Offering institutional loans to students, faculty, or staff. Offering an installment payment plan for payments of tuition or fees throughout the semester. Participation as a school lender in the William D. Ford Federal Direct Loan Program. UALR is considered a creditor.

10 Identifying Information Definitions Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person. Examples include: Name Address Telephone number Social Security Number Date of birth Driver s license number Government issued ID Student identification number Computer IP address or routing code

11 Definitions Red Flag A pattern, practice, or specific activity that indicates the possible existence of identity theft or attempted identity theft. Service Provider A person that provides a service directly to the university.

12 Recognizing Identity Theft You should consider the following when recognizing and identifying Red Flags: The types of covered accounts offered or maintained. The methods provided to open and/or access covered accounts. Previous experiences with identity theft.

13 Categories of Red Flags Alerts, Notifications, or Warnings from a Consumer Reporting Agency Suspicious Documents Suspicious Personal Identifying Information Unusual Use or Suspicious Account Activity Notice from Others Indicating Possible Identity Theft

14 Identification of Red Flags Alerts, Notifications, or Warnings from a Consumer Reporting Agency Examples of common Red Flags: When a fraud or active duty alert is included with a consumer report. When a consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. When a consumer reporting agency provides a notice of address discrepancy.

15 Identification of Red Flags Alerts, Notifications, or Warnings from a Consumer Reporting Agency Examples of common Red Flags: A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity, such as: A recent and significant increase in the volume of inquires. An unusual number of recently established credit relationships. A material change in the use of credit, especially with respect to recently established credit relationships. An account that was closed for cause or identified for abuse of account privileges by a campus.

16 Identification of Red Flags Suspicious Documents Examples of common Red Flags: Documents provided for identification appear to have been altered, forged, or inauthentic. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

17 Identification of Red Flags Suspicious Personal Identifying Information Examples of common Red Flags: Personal identifying information is not consistent with the information on file for the student, such as: The address does not match any address in the consumer report. The SSN has not been issued or is listed on the Social Security Administration s Death Master File. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer (e.g., lack of correlation between the SSN range and date of birth).

18 Identification of Red Flags Suspicious Personal Identifying Information Examples of common Red Flags: When the personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the campus (e.g., the address or phone number on an application is the same as the address provided on a fraudulent application). When the personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the campus. The address on an application is fictitious, a mail drop, or a prison. When the phone number is invalid or is associated with a pager or answering service.

19 Identification of Red Flags Suspicious Personal Identifying Information Examples of common Red Flags: The SSN provided is the same as that submitted by other customers or persons opening an account. The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other customers or persons opening accounts. The customer fails to provide all required personal identifying information on an application. Personal identifying information provided is not consistent with personal identifying information that is on file with the campus.

20 Identification of Red Flags Unusual Use or Suspicious Account Activity Examples of common Red Flags: Shortly following the notice of a change of address for a covered account, the campus receives a request for a new additional or replacement card or for the addition of authorized users on the account. A new revolving credit account is used in a manner commonly associated with known patterns of fraudulent activity, for example: The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry). The customer fails to make the first payment or makes an initial payment but no subsequent payments.

21 Identification of Red Flags Unusual Use or Suspicious Account Activity Examples of common Red Flags: A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example, nonpayment when there is no history of late or missed payments. A material increase in the use of available credit. A material change in purchasing or spending patterns. A material change in electronic fund transfer patterns in connection with a deposit account. A material change in telephone call patterns in connection with a cellular phone account.

22 Identification of Red Flags Notice from Others Indicating Possible Identity Theft Examples of common Red Flags: The campus is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

23 Detection of Red Flags Detection of Red Flags in connection with the opening of covered accounts, as well as existing covered accounts, can be made through such methods as: Obtaining and verifying identity. Authenticating customers. Monitoring transactions. Verifying the validity of change of address requests in the case of existing covered accounts. Verifying changes in banking information given for billing and payment purposes.

24 Detection of Red Flags Associated with Consumer (Credit) Report Requests Detection of Red Flags in connection with Consumer (Credit) Report Requests can be made through such methods as: Prior to requesting a background or credit check, obtain written verification from the applicant ensuring that the address and information provided is correct at the time the check is being requested. If an address discrepancy is found in the completed background or credit check, verify the address with the applicant to ensure the report actually pertains to the applicant for which the report was requested. Any unresolved address discrepancies should be reported to the consumer reporting agency.

25 Response to Red Flags If you detect a potential Red Flag, you should: Notify your immediate supervisor. The immediate supervisor then notifies the department head or director to determine any additional steps. The department head or director of the department must notify the Associate Vice Chancellor for Finance. Continue to monitor activity on the covered account. Do not contact the account holder unless approved by the department head, director, or Associate Vice Chancellor for Finance. All instances of possible identity theft must be kept strictly confidential.

26 Service Providers The university remains responsible for compliance with the Red Flags Rule even if it outsources operations to a third party service provider. The written agreement between the university and the third party service provider shall require the third party to have reasonable policies and procedures designed to detect relevant Red Flags that may arise in the performance of their service provider s activities. Require, by contract, that service providers review UALR s program and report any Red Flags to the Associate Vice Chancellor for Finance.

27 Preventing Identity Theft UALR incorporates the following internal operating procedures to protect student identifying information: Any university website used to access student accounts is secure or provides clear notice to all users that the website is not secure. Paper documents which contain personal identifying information are maintained in a secure environment and are shredded when no longer needed Computer files containing personal identifying information are secure and the only individuals who have access to such files are those with a need to access them in order to perform their job duties. All office computers which store or access student account information are password protected and follow all other computer security best practices as established by UALR s Information Security Program.

28 Preventing Identity Theft Any university website that is used to access student accounts is secure or provide clear notice to all users that the website is not secure. For example: Departmentally controlled IT resources (network, servers, applications, individual workstations, etc.) are maintained in strict compliance with the Information Security Program best practices.

29 Preventing Identity Theft Paper documents which contain personal identifying information are maintained in a secure environment and are shredded when no longer needed. For example: Employees keep sensitive documents and working materials out of the public view while working. Sensitive documents and working materials are secured during breaks and non-working hours. File cabinets that contain sensitive or confidential documents are located in a secure area. Employees are trained or otherwise required to use shredders for sensitive or confidential documents.

30 Preventing Identity Theft Computer files containing personal identifying information are secure and the only individuals who have access to such files are those with a need to access the files in order to perform their job duties. For example: Computer files containing sensitive or confidential information are stored in a secure manner. There are adequate procedures in place to ensure that only necessary access to information system resources are made available to employees to perform their job (principle of least privilege).

31 Preventing Identity Theft All office computers which store or access student account information are password protected and follow all other computer security best practices as established by UALR s information security program. For example: Employees are required to use a strong password for access to their computer and other systems. If employees are allowed to work remotely (e.g., from home or while traveling), secure methods are used to access IT resources and transmit files (e.g., the use of VPN, security of laptops, encryption, etc.). Employees are required to lock their computers and/or use password protected screen savers when they leave their work area.

32 Audit Requirements Each department should perform periodic audits to ensure that individuals who should not have access to such files are not accessing them.

33 Oversight The Identity Theft Committee is responsible for developing, implementing, and updating this program. Committee members include representatives from all tested departments. The committee is chaired by the Associate Vice Chancellor for Finance. The Associate Vice Chancellor for Finance is responsible for ensuring appropriate Red Flags training of UALR s staff, including the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and consider periodic changes to the program.

34 Assessment To complete the Red Flag Training Program, you must pass the assessment with a score of 80% or higher. Click on the Content link in the menu on the left, then click on the Red Flag Training Assessment 2015 link. The assessment may be repeated as many times as necessary until you have scored 80%. (Step-by-step instructions to view your score are in the following slides and in the Content menu.) You may refer back to the training presentation and other materials, as needed. The Red Flags Rule Training Program must be repeated on an annual basis.

35 View Assessment Score 1. After completing the assessment, click Save and Submit. 2. Click OK in the pop up screen Test Submission Confirmation.

36 View Assessment Score 3. Click OK in the bottom right of the screen to review your results. 4. Attempt Score will be in the header.

37 View Assessment Score 5. A review of each question with feedback on correct and incorrect responses will display below the header. 6. Re-take the assessment if your score was below 80%. 7. Exit by clicking OK in the bottom right corner.

38 Program Evaluation You have now completed the Red Flags Identity Theft Training Program! Once you successfully pass the assessment, please evaluate the program. The evaluation can be accessed by clicking the Content link in the main menu and then the Red Flags Training Program Evaluation 2015 link. Responses are strictly anonymous and will assist us to refine and improve future training programs.