Identity Theft Prevention Program
Red Flag Rules
IDENTITY THEFT TRAINING
To ensure that the annual training requirement for Red Flag Rules is met, perform the following activities:
- Review accounts covered under FTC Red Flag Rules
- Review and revise the "Red Flags" or risk factors for the institution
- Review and revise the detection procedure for each covered account and identify specific red flags
- Determine if the institution has a service provider that falls into covered accounts as identified by the FTC Red Flag Rules
- Review the Institution's Identity Theft Prevention Plan
- Have the plan approved by the Tennessee Board of Regents
- Implement training and awareness program for key personnel
This course defines Red Flag Rules requirements, who is impacted by the rules, and how to address an incident where a Red Flag appears. The training will also provide examples of Red Flags that you may find in your work environment.
At the conclusion of this course you will be able to:
- Understand the purpose of Red Flag Rules
- Understand what constitutes a Red Flag
- Understand your role in identifying Red Flags
- Understand what to do when you find a Red Flag
What is Red Flag?
All Higher Education institutions are required to develop an Identity Theft Prevention Program (policy) pursuant to the Federal Trade Commission's Red Flags Rule ("Rule"), which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003.
The purpose of this policy is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program.
The Program shall include reasonable policies and procedures to:
- Identify relevant red flags for covered accounts it offers or maintains and incorporate those red flags into the program;
- Detect red flags that have been incorporated into the Program;
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
- Ensure the Program is updated periodically to reflect changes in risks to Students and to the safety and soundness of the creditor from identity theft.
The program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.
Does Higher Education have to Participate?
Yes, the following is a summary of the effective date and why Higher Education must participate.
- Effective for Higher Education November 1, 2009
- FTC Red Flag Rules do affect higher education*
- FTC Rules state "any person who defers payment for services rendered, such as an organization that bills at the end of the month for services rendered the previous month";
- and your accounts are "covered". (A covered account is "a consumer account that involves multiple payments or transactions, such as a loan that is billed or payable monthly.")
- Activities for higher education that cause colleges and universities to be considered creditors include:
- Perkins Loans
- Participation in the Federal Family Education Loan Program
- Institutional loans to students, faculty or staff
- Payment Plan for tuition
- Program Administrator - must be designated for each institution.
What is Required?
Your role is to help detect and prevent potential identity theft by looking for Red Flags that may indicate identity theft is occurring.
The following cycle is required to comply with this requirement.
- Identify - Identify relevant red flags, including but not limited to,
- Address discrepancies
- Name discrepancies on identifications and other documents
- Presentation of suspicious documents
- Personal information inconsistent with what is already on file
- Unusual or suspicious activity related to an existing account
- Notice from customer, law enforcement or other sources of unusual activity on an account
- Detect - Detecting the red flags once identified
- Response - Responding to the red flags
- Report to your supervisor as soon as possible
- Administer - Administering the ongoing program
- Tennessee Board of Regents must approve policy or plan
- Senior employee to administer
- Have plan to train staff
- Have a plan to supervise service providers (outside agencies)
- Have a plan to update your program
- Ensure compliance
Detailed Definitions for Red Flag
Fraud committed or attempted using the identifying information of another person without authority.
Any account that involves or is designated to permit multiple payments or transactions; or
Any other account maintained by the Institution for which there is a reasonably foreseeable risk of identity theft to students, faculty, staff or other applicable constituents, or for which there is a reasonably foreseeable risk to the safety or soundness of the Institution from identity theft, including financial, operational, compliance, reputation or litigation risks.
A pattern, practice or specific activity that indicates the possible existence of identity theft
Personally Identifying Information
Credit Card or other accounts information
Tax identification numbers
Government issued identification numbers
Information that the College is under legal or contractual obligation to protect.
Need to Know
Authorization given to a user for whom access to the information is necessary for the conduct of one's official duties and job functions as approved by the employee's supervisor.
A record or data item that any entity, either internal or external to the College, can access.
Identify Covered Accounts
Each institution is responsible for identifying covered accounts.
There are five major types of accounts, four of which are covered accounts administered by the institution and one type of account that is administered by a service provider. Although the institution has identified five major types of covered accounts, all areas of the institution should be sensitive to identity theft prevention.
- College covered accounts:
- Billing/Financial Accounts
- Financial Aid Records
- Student Admission and Records
- Service provider covered account:
- Any Service Provider the Institution engages to perform an activity in connection with one or more covered accounts.
Identify Red Flags
Indicators that may raise "Red Flags" with examples:
- Suspicious documents
- any document that appears to be altered, forged, photo not the same, inconsistent with what is on file
- Suspicious personal identifying information
- ID inconsistent with other sources
- Use of security challenge questions
- Unusual use of or suspicious activity related to account
- Requests to add a new person to account shortly after opening
- Request for access to inactive account
- Alerts, notifications or warnings from a credit or consumer reporting agency
- Fraud alert, credit freeze
- Activity inconsistent with previous activity
Detecting Red Flags
The following are examples of where identity theft might be detected and ways to detect and prevent compromise.
- Action - Verify the identity of the individual opening the account by…
- Requiring certain identifying information such as name, date of birth, academic records, home address or other identification; and,
- Verifying the student's identity at the time of issuance of the student identification card through review of driver's license or other government-issued photo identification.
- Action - Monitor accounts by…
- Verify the identification of students if they request information;
- Verify the validity of requests to change billing addresses by mail or email, and provide the student a reasonable means of promptly reporting incorrect billing address changes; and,
- Verify changes in banking information given for billing and payment purposes.
Consumer/Credit Report Requests.
- Action - Institution will take the following steps to assist in identifying address discrepancies:
- Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
- In the event that notice of an address discrepancy is received, verify that the credit report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the Institution has reasonably confirmed is accurate.
Oversight of Service Providers
Each institution must provide oversight by:
- Ensuring service provider has reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
- If the Institution engages a service provider to perform an activity in connection with one or more covered accounts, the Institution will:
- Require, by contract, that service providers have such policies and procedures in place; or,
- Require, by contract, that service providers review the Institution's program and report any red flags to the Program Administrator.
See the institutional Identity Theft Prevention Plan for contractual statements and forms.
Once a red flag is detected, the institution must:
- Assess the risk
- Gather all related documents, write a summary of what happened and notify the Program Administrator
- Program Administrator will investigate to determine if attempt was fraudulent or authentic
- The Institution will take the following steps as is deemed appropriate:
- Continue to monitor the covered account for evidence of identity theft;
- Contact the student or applicant;
- Change any passwords or other security devices that permit access to covered accounts;
- Close and reopen the account;
- Determine not to open a new covered account;
- Provide the student with a new student identification number;
- Notify law enforcement;
- Determine that no response is warranted under the particular circumstances;
- Cancel the transaction.
Protecting Personally Identifiable Information (PII)
The FTC video Deter-Detect-Defend shows why protecting Personally Identifiable Information is important.
Suggestions for protecting Personally Identifiable Information or PII:
- When possible lock file cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with covered account information when not in use.
- Lock storage rooms containing documents with covered account information and record retention areas at the end of each workday or when unsupervised.
- Clear desks, workstations, work areas, printers and fax machines, and common shared work areas of all documents containing covered account information when not in use.
- Documents or computer files containing covered account information will be destroyed in a secure manner. Institution records may only be destroyed in accordance with the Tennessee Board of Regents' records retention guideline, TBR Guideline G-070 Disposal of Records.
- Ensure that office computers with access to covered account information are password protected.
- Ensure that computer virus protection is up to date.
- Avoid the use of social security numbers unless required by external agencies.
- Utilize encryption devices when transmitting covered account information.
- Adhere to the Institution's other policies regarding protecting personally identifiable information.
For further information on the importance of protecting personal information, see the FTC Interactive Guide.
You have now completed the training review. In order to complete your certification you must take the quiz by clicking "Quiz Group" below. After answering the question, click the "NEXT" button to see the next question. After completing the test you may review answers. You must answer a minimum of 5 correctly to pass. Once you have reviewed your answers, click "NEXT PAGE" at the bottom to print and send your certificate. DO NOT CLICK RETRY IF YOU PASS.