THE CITY UNIVERSITY OF NEW YORK IDENTITY THEFT PREVENTION PROGRAM

Transcription

1 THE CITY UNIVERSITY OF NEW YORK IDENTITY THEFT PREVENTION PROGRAM 1. Prgram Adptin The City University f New Yrk (the "University") develped this Identity Theft Preventin Prgram (the "Prgram") pursuant t the Federal Trade Cmmissin's Red Flags Rule (the "Rule"), which implements Sectins 114 and 315 f the Fair and Accurate Credit Transactins Act f On Nvember 9, 2007, a jint ntice f final rulemaking was published in the Federal Register (72 FR 63718) finalizing the Rule. The Rule requires each creditr that ffers r maintains ne r mre "cvered accunts", as defined belw, t develp and prvide fr the cntinuing administratin f a written prgram t detect, prevent, and mitigate identity theft in cnnectin with the pening f a cvered accunt r with any existing cvered accunt. This Prgram was develped with versight and apprval f the University's Bard f Trustees. After cnsideratin f the size and cmplexity f the University's peratins and accunt systems, and the nature and scpe f the University's activities, the University's Bard f Trustees determined that the Prgram was apprpriate fr the University and therefre apprved the Prgram, t be effective as f Octber 1, Definitins 2.1 "Cvered Accunt" means: (1) An accunt that a Creditr ffers r maintains, primarily fr persnal, family, r husehld purpses, that invlves r is designed t permit multiple payments r transactins; and (2) any ther accunt that the Creditr ffers r maintains fr which there is a reasnably freseeable risk t Custmers r t the safety and sundness f the Creditr frm Identity Theft, including financial, peratinal, cmpliance, reputatin, r litigatin risks. Examples f Cvered Accunts at the University include Perkins lan accunts, tuitin payment plan accunts, and accunts established fr the repayment f lans prvided t students by the University s cllege assciatins, which, fr the purpse f the Prgram, will be cnsidered t be part f the University. 2.2 Creditr means any persn wh regularly extends, renews, r cntinues credit; any persn wh regularly arranges fr the extensin, renewal, r cntinuatin f credit; r any assignee f an riginal creditr wh participates in the decisin t extend, renew, r cntinue credit. 2.3 Custmer means any persn wh has a Cvered Accunt with the University. 2.4 "Identity Theft" means a fraud cmmitted r attempted using the Identifying Infrmatin f anther persn withut authrity. 1

2 2.5 "Identifying Infrmatin'' means any name r number that may be used, alne r in cnjunctin with any ther infrmatin, t identify a specific persn, including but nt limited t any name, scial security number, date f birth, gvernment issued driver's license r identificatin number, alien registratin number, gvernment passprt number, and emplyer r taxpayer identificatin number. 2.6 Prgram Administratr means the individual designated with primary respnsibility fr versight f the Prgram, as described in Sectin 7.1 belw. 2.7 "Red Flag" means a pattern, practice, r specific activity that indicates the pssible existence f Identity Theft. 3. Identificatin f Red Flags In rder t identify relevant Red Flags, the University has cnsidered the types f Cvered Accunts that it ffers and maintains, the methds it prvides t pen and t access these accunts, and its previus experiences with Identity Theft. The University has identified the fllwing Red Flags in each f the five listed categries: 3.1 Suspicius Dcuments Dcuments prvided fr identificatin appear t have been altered r frged. The phtgraph r physical descriptin n the identificatin is nt cnsistent with the appearance f the Custmer presenting the identificatin. Other infrmatin n the identificatin is nt cnsistent with infrmatin prvided by the persn pening a new Cvered Accunt r the Custmer presenting the identificatin. Other infrmatin n the identificatin is nt cnsistent with readily accessible infrmatin that is n file with the University. An applicatin appears t have been altered r frged, r gives the appearance f having been destryed and reassembled. 3.2 Suspicius Persnal Identifying Infrmatin Persnal Identifying Infrmatin prvided is nt cnsistent with persnal Identifying Infrmatin that is n file with the University. Persnal Identifying Infrmatin prvided is nt cnsistent with external infrmatin surces used by the University. 2

3 Persnal Identifying Infrmatin prvided by the Custmer is nt cnsistent with ther persnal Identifying Infrmatin prvided by the Custmer. Persnal Identifying Infrmatin prvided is assciated with knwn fraudulent activity, as indicated by internal r third-party surces used by the University. Persnal Identifying Infrmatin prvided is f a type cmmnly assciated with fraudulent activity, as indicated by internal r thirdparty surces used by the University. The scial security number prvided is the same as that submitted by ther persns pening an accunt r ther Custmers. The address r telephne number prvided is the same as r similar t the accunt number r telephne number submitted by an unusually large number f ther persns pening accunts r ther Custmers. The persn pening the Cvered Accunt r the Custmer fails t prvide all required persnal Identifying Infrmatin n an applicatin r in respnse t ntificatin that the applicatin is incmplete. If the University uses a challenge questin fr the purpse f authenticatin, the persn pening the Cvered Accunt r the Custmer cannt prvide authenticating infrmatin beynd that which generally wuld be available frm a wallet r cnsumer reprt. 3.3 Unusual Use f, r Suspicius Activity Related t, the Cvered Accunt Shrtly fllwing the ntice f a change f address fr a Cvered Accunt, the University receives a request fr a new, additinal, r replacement card r fr the additin f authrized users n the accunt. A new revlving credit accunt is used in a manner cmmnly assciated with knwn patterns f fraud. A Cvered Accunt is used in a manner that is nt cnsistent with established patterns f activity n the accunt. 3

4 A Cvered Accunt that has been inactive fr a reasnably lengthy perid f time is used. Mail sent t the Custmer is returned repeatedly as undeliverable althugh transactins cntinue t be cnducted in cnnectin with the Custmer s Cvered Accunt. The University is ntified that the Custmer is nt receiving paper accunt statements. The University is ntified f unauthrized charges r transactins in cnnectin with a Cvered Accunt. Unauthrized access t r inapprpriate disclsure f Identifying Infrmatin ccurs in cnnectin with a Cvered Accunt. 3.4 Ntice frm Custmers, Victims f Identity Theft, Law Enfrcement Authrities, r Other Persns regarding Pssible Identity Theft in Cnnectin with Cvered Accunts The University is ntified by a Custmer, a victim f Identity Theft, a law enfrcement authrity, r any ther persn that the University has pened a fraudulent accunt fr a persn engaged in Identity Theft. 3.5 Alerts, Ntificatins, r Warnings frm a Cnsumer Reprting Agency A fraud r credit alert is included with a cnsumer reprt. A ntice f credit freeze n a cnsumer reprt is prvided frm a cnsumer reprting agency. A cnsumer reprting agency prvides a ntice f address discrepancy. A cnsumer reprt indicates a pattern f activity incnsistent with the histry and usual pattern f activity f a Custmer. 4. Detecting Red Flags 4.1 Student Enrllment In rder t detect any f the Red Flags identified in Sectin 3 abve assciated with the enrllment f a student, University persnnel will take the fllwing steps t btain and verify the identity f the persn pening the accunt: 4

5 Require certain Identifying Infrmatin such as name, date f birth, academic recrds, hme address, r ther identificatin; and Verify the student's identity at time f issuance f a student identificatin card, including review f a driver's license r ther gvernment-issued pht identificatin. 4.2 Existing Accunts In rder t detect any f the Red Flags identified in Sectin 3 abve fr an existing Cvered Accunt, University persnnel will take the fllwing steps t mnitr transactins n an accunt: Verify the identificatin f a student in persn r via telephne if he r she requests infrmatin related t the Cvered Accunt by asking questins with readily accessible infrmatin that is n file with the University; Verify the validity f a student request by mail r t change an address r banking infrmatin in cnnectin with the Cvered Accunt by asking questins with readily accessible infrmatin that is n file with the University; and Prvide students a reasnable means f prmptly reprting incrrect changes in addresses r banking infrmatin in cnnectin with Cvered Accunts. 4.3 Cnsumer Reprt Requests In rder t detect any f the Red Flags identified in Sectin 3 abve in a case in which the University seeks a cnsumer reprt, University persnnel will take the fllwing steps t assist in identifying address discrepancies: Require written verificatin frm the subject f the cnsumer reprt that the address prvided by him r her is accurate at the time the request fr the cnsumer reprt is made t the cnsumer reprting agency; and In the event that ntice f an address discrepancy is received, verify that the cnsumer reprt pertains t the subject f the requested reprt and reprt t the cnsumer reprting agency an address fr the applicant that the University has reasnably cnfirmed is accurate. 5. Preventing and Mitigating Identity Theft In the event any University persnnel detects any f the Red Flags identified in Sectin 3 abve, he r she will take ne r mre f the fllwing steps, depending n the degree f risk psed by the Red Flag: 5

6 Nt pen a new Cvered Accunt; Change any passwrds r ther security devices that permit access t the Cvered Accunt; Cntact the student r the applicant fr which a cnsumer reprt was run; Ntify the Prgram Administratr r his r her designee t determine the apprpriate step(s) t take; Cntinue t mnitr the Cvered Accunt fr evidence f Identity Theft; Ntify law enfrcement; and/r Determine that n respnse is warranted under the particular circumstances. 6. Prtecting Identifying Infrmatin In rder t further prevent the likelihd f Identity Theft ccurring with respect t Cvered Accunts, the University has established and disseminated Infrmatin Technlgy Security Prcedures t limit access and disclsure f Identifying Infrmatin and require that all individuals permitted access t such infrmatin in University files and systems, whether in cmputerized r printed frm, are cntinually respnsible fr maintaining the integrity, accuracy, and privacy f such infrmatin. These Infrmatin Technlgy Security Prcedures are available nline at 7. Prgram Administratin 7.1 Oversight The develpment, implementatin, and updating f the Prgram are the respnsibility f the University s Identity Theft Preventin Cmmittee (the Cmmittee ) established under the Prgram. The Cmmittee will be headed by the Prgram Administratr, wh will be the University Cntrller r his r her designee. Tw r mre ther individuals wh represent functinal departments within the University that are respnsible fr pening and/r maintaining Cvered Accunts and wh are appinted by the Prgram Administratr will cmprise the remainder f the Cmmittee s membership. The Cmmittee will be respnsible fr ensuring apprpriate training f University persnnel with respect t the Prgram, reviewing any reprts cncerning the detectin f Red Flags and the steps fr preventing and mitigating Identity Theft, determining which steps f preventin and mitigatin shuld be taken in particular circumstances, and cnsidering peridic changes in the Prgram. 6

7 7.2 Staff Training and Reprts University persnnel respnsible fr implementing the Prgram will be trained under the directin f the Cmmittee t detect Red Flags and determine the respnsive steps t be taken when a Red Flag is detected. University persnnel will be trained, as necessary, t carry ut the Prgram effectively. University persnnel are expected t ntify the Cmmittee nce they becme aware f an incident f Identity Theft r the University s failure t cmply with the Prgram. At least annually r as therwise requested by the Cmmittee, University persnnel respnsible fr the develpment, implementatin, and administratin f the Prgram will reprt t the Cmmittee n cmpliance with the Prgram. The reprt will cver such issues as effectiveness f the University s plicies and prcedures in addressing the risk f Identity Theft in cnnectin with the pening and maintenance f Cvered Accunts, the effectiveness f the University s service prvider arrangements in cmplying with the Prgram, significant incidents invlving Identity Theft at the University and the University s respnse, and recmmendatins fr changes in the Prgram. 7.3 Service Prvider Arrangements In the event the University has engaged r engages in the future any service prvider t perfrm an activity in cnnectin with any Cvered Accunts, the University will take the fllwing steps t ensure the service prvider perfrms its activity in accrdance with reasnable plicies and prcedures designed t detect, prevent, and mitigate the risk f Identity Theft: Require, by cntract, that the service prvider have its wn similar plicies and prcedures in place; and Require, by cntract, that the service prvider review the University's Prgram and reprt any Red Flags t the Prgram Administratr r the University emplyee with primary versight f the relatinship with the service prvider. 7.4 Prgram Updates The Cmmittee will peridically review and update the Prgram t reflect changes in risks t Custmers r t the safety and sundness f the University frm Identity Theft. In ding s, the Cmmittee will cnsider the University's experiences with Identity Theft, changes in methds f Identity Theft, changes in methds t detect, prevent, and mitigate Identify Theft, and changes in the University's business arrangements with ther entities. After cnsidering these factrs, the Cmmittee will determine whether changes in the Prgram, including the list f Red Flags, are warranted. If warranted, the Cmmittee will update the Prgram. 7