Red Flag Identity Theft Prevention Program
I. Basis for Policy
Regents Policy 6.6.12, Red Flag Identity Theft Prevention Program
II. Purpose
The University of Nebraska Omaha Red Flag Identity Theft Prevention Program is designed to reduce the risk of identity theft through detection, prevention and mitigation of patterns, practices or activities related to covered accounts (“Red Flags”) that could be indicative of potential identity theft. The Fair and Accurate Credit Transactions Act (FACTA) contains program requirements at 16 CFR 681. The Vice Chancellor for Business and Finance is responsible for implementing the Red Flag Identity Theft Prevention Program and may delegate day-to-day management to the Compliance Officer-Manager, Cashiering/Student Accounts.
III. Definitions
1. Covered Account means (i) an account that the University of Nebraska Omaha offers or maintains primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions and (ii) any other account that the University of Nebraska Omaha offers or maintains for which there is a reasonably foreseeable risk of identity theft to the customer (i.e. students, parents and/or patients).
2. Creditor means any person or organization that extends, renews, or continues credit, including the university, which accepts multiple payments over time for services rendered.
3. Identity theft means fraud that involves stealing money or getting other benefits by using the identifying information of another person.
4. Notice of an address discrepancy means a notice that a credit bureau sends to the University of Nebraska Omaha when the university has ordered a credit report about a consumer. Mail returned because of improper address is not a Notice under this policy.
5. Red flag means a pattern, practice or specific activity that could indicate identity theft.
6. Service Provider means a vendor that provides services directly to the University of Nebraska Omaha related to Covered Accounts.
IV. Covered Accounts
Covered accounts maintained by the University of Nebraska Omaha include but are not limited to the following:
1. Student loans (including Perkins Loans and short-term emergency loans)
2. Student accounts (including MavCARDs)
3. Patient accounts with the Student Health Office
4. Child Care accounts
5. Bookstore Scholarship accounts
6. Athletic accounts
7. Student Housing
V. Identifying Red Flags
The University of Nebraska Omaha shall identify and respond to Red Flags which may indicate potential identity theft. Red Flags include but are not limited to the following:
1. Alerts, notifications or warnings from a consumer reporting agency, including notices of credit freezes, notices of address discrepancies, and receipts of consumer reports showing patterns of activities that are inconsistent with the history and usual pattern of activity of the account holder.
2. Address discrepancies that cannot be explained. For example, changing an address more than once a year or changing a direct deposit account for refunds more than once a year would not be considered a red flag action at the university when done through our authenticated site. However, it might constitute suspicious activity at a financial institution whose account holders do not change residences as often as university students.
3. Suspicious documents, including: a) photographs or physical descriptions that are inconsistent with the individual presenting the document; b) incomplete, altered, forged, or inauthentic documents; or c) other personal identifying information that is inconsistent with information on file with the University.
4. Complaints or questions from students, guardians, or customers about charges to a covered account for goods/services they claim were never received.
5. Suspicious activity related to Covered Accounts, including:
a) unusual use of accounts that have been previously inactive for a lengthy period of time,
b) mail being returned as undeliverable although transactions continue to be conducted in connection with the covered account; or
c) unauthorized account changes or transactions.
6. Notice from customers, victims of identity theft, law enforcement authorities or other individuals regarding possible identity theft in connection with University Covered Accounts.
VI. Detecting Red Flags
1. The following actions will be taken as appropriate to confirm the identity of students and other customers when they open and/or access Covered Accounts:
a. Obtain appropriate personal identifying information (e.g. photo identification, date of birth, academic status, user name and password, address, etc.) prior to opening or allowing access to a covered account; or prior to issuing a new or replacement ID card.
b. When certain changes are made to Covered Accounts online, the account holder shall receive notification to confirm the change is valid.
c. Verify the accuracy of changes made to Covered Accounts that appear to be suspicious.
2. Information systems containing Covered Account information shall be monitored by the Information Technology department for the Student Information System (SIS) and Short-term Loan System (STLS) to detect any unusual user activity that could indicate improper access to and/or use of consumer information.
VII. Responding to Red Flags
Any staff member encountering a Red Flag shall assess the situation to determine if potential identity theft exists. The assessment may determine that no risk of identity theft is present (i.e. a mistake has occurred, or the occurrence is readily explainable). If, after preliminary investigation, the employee suspects identity theft may have occurred, he/she shall notify the Vice Chancellor for Business and Finance and the Compliance Officer-Manager, Cashiering/Student Accounts. The Compliance Officer-Manager, Cashiering/Student Accounts, shall further investigate the matter, and, if identity theft is confirmed, take the following actions in coordination with the department managing the Covered Account to mitigate harm, as appropriate, based on the individual circumstances:
1. Notify Public Safety
2. Notify the covered account holder if the holder is the identity theft victim
3. Notify the Financial Aid Office and the lending institution(s) for student loans
4. Notify the third-party student loan service provider(s) (e.g. Heartland ECSI)
5. Notify Cashiering/Student Accounts Office and collection agencies handling delinquent accounts
6. Notify consumer reporting agency about address discrepancies associated with credit reports received
7. Notify the State Patrol
8. File a report with the local police department
9. Correct any erroneous information associated with the account
10. Establish Red Flag alerts to notify relevant employees of suspected identity theft (e.g. notes in Covered Account information systems or files, etc.)
The university department responsible for the Covered Account will:
1. Notify the student or individual account holder of the evidence of identity theft and monitor the account for additional fraudulent activity
2. Request additional information as required to verify identity
3. Change passwords and security codes as appropriate to further secure access to the account
4. Reopen a covered account with a new account number, close an existing account, and decline to open a new covered account as appropriate
5. Attempt to identify the source of the Red Flag and take appropriate steps to prevent additional identity thefts
VIII. Oversight of Service Providers
The University of Nebraska Omaha may contract with vendors to provide services related to Covered Accounts. The contracting department shall maintain written certification from the vendor stating it complies with FACTA Red Flag Rule regulations. The department shall investigate any service provider occurrences indicating a potential lack of compliance, and take any necessary actions to mitigate potential risk.
IX. Program Education
All departments managing Covered Accounts shall, on an annual basis, provide education to current staff members and new hires on this policy and any internal department procedures created to implement it.
X. Program Assessment and Reporting
A Red Flag Identity Theft Prevention Program report shall be forwarded through the Vice Chancellor for Business and Finance to the Chancellor and the University of Nebraska Internal Audit Department not later than May 10th of each year for the previous one-year period beginning April 1st through March 31st. The report shall contain:
1) a summary of Red Flag Rule monitoring activities;
2) a description of any identity theft incidents that have occurred and the response to them; and
3) any recommended Red Flag Identity Theft Program changes.
The University of Nebraska Internal Audit Department shall report information from the administrative units to the Audit Committee of the Board of Regents annually as required by the FACTA regulations. The Board of Regents shall approve material changes to the Red Flag Identity Theft Prevention program.