ESTABLISHING A RED FLAGS RULE IDENTITY THEFT PREVENTION PROGRAM FOR WINTHROP UNIVERSITY
WHEREAS, The Fair and Accurate Credit Transactions Act of 2003, an amendment to the
Fair Credit Reporting Act, requires rules regarding identity theft protection to be
promulgated and adopted jointly by the Office of the Comptroller of the Currency,
Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit
Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit
Union Administration; and the Federal Trade Commission; and
WHEREAS, Those rules become effective November 1, 2008, and require certain financial
institutions and creditors to implement an identity theft prevention program; and
WHEREAS, The Federal Trade Commission suspended enforcement of the new "Red Flags
Rule" until May 1, 2009; and
WHEREAS, The Federal Trade Commission delayed enforcement of the new "Red Flags Rule"
until August 1, 2009; and
WHEREAS, The risk to the University, and its students, faculty, staff, and other constituents
from data loss and identity theft is of significant concern to the University and
the Board of Trustees has determined that the University should make reasonable efforts
to detect, prevent, and mitigate identity theft; and
WHEREAS, The Board of Trustees has determined that the proposed Red Flags Rule Identity
Theft Prevention Program is in the best interest of the University and its students,
faculty, staff, and other constituents.
NOW, THEREFORE BE IT RESOLVED by the Board of Trustees for Winthrop University meeting
in Rock Hill, South Carolina on June 5, 2009 that:
- the "Red Flags Rule Identity Theft Prevention Program" attached hereto as Exhibit
A is hereby approved; and
- the Vice President for Finance and Business of the University is hereby delegated
operational responsibility of the Program, including but not limited to oversight,
development, implementation, and administration of the Program; approval of needed
changes to the Program; and implementation of needed changes to the Program.
EXHIBIT A
RED FLAGS RULE
IDENTITY THEFT PREVENTION PROGRAM
Purpose
The purpose of this policy is to establish a Red Flags Rule Identity Theft Prevention
Program designed to detect, prevent and mitigate identity theft in connection with
the opening of a covered account or an existing covered account and to provide for
continued administration of the Program. The Program shall include reasonable policies
and procedures to:
- Identify relevant Red Flags for covered accounts the University offers or maintains
and incorporate those Red Flags into its Program;
- Detect Red Flags that have been incorporated into the Program of the University;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate identity
theft;
- Ensure the Program is updated periodically to reflect changes in risks to students
and borrowers and to the safety and soundness of the University from identity theft;
and
- The Program shall, as appropriate, incorporate existing policies and procedures that
control reasonably foreseeable risks.
Existing Policies and Practices
The University has policies to ensure compliance with Gramm-Leach-Bliley Act (GLB),
Family Educational Rights and Privacy Act (FERPA), system and application security,
and internal control procedures which provide an environment where identity theft
opportunities are mitigated. Records are safeguarded to ensure the privacy and confidentiality
of student and borrower records.
In addition, the University adheres to the following practices:
- All paper files are kept in locked filing cabinets while not being used.
- Access to confidential information is limited to only those employees who need access
in order to properly perform the duties for which they were hired.
- Employees with access to confidential information understand that this is confidential
business information and is not to be discussed with anyone who does not "need to
know."
Definitions
- Identity theft means fraud committed or attempted using the identifying information of another person
without authority.
- Account means a continuing relationship established by a person with the creditor to obtain
a product or service for personal purposes. Account includes an extension of credit
involving a deferred payment.
- Covered account means an account that a creditor offers or maintains primarily for personal purposes
that involves or is designed to permit multiple payments or transactions.
- Red Flag means a pattern, practice or specific activity that indicates the possible existence
of identity theft.
Covered Accounts
- The University participates in the Federal Perkins Loan Program
- The University participates in the South Carolina Teaching Fellows Program
- The University offers and establishes student payment plans
Identifying Relevant Red Flags
- The photograph or physical description on the identification is not consistent with
the appearance of the student or borrower presenting the identification.
- The SSN provided is the same as that submitted by other students or borrowers.
- The address or telephone number provided is the same as or similar to the account
number or telephone number submitted by an unusually large number of other students
or borrowers.
- The person opening the covered account or the student or borrower fails to provide
all required personal identifying information on an application or in response to
notification that the application is complete.
- A covered account is used in a manner that is not consistent with established patterns
of activity on the account — nonpayment when there is no history of late or missed
payments.
- The University is notified of unauthorized charges or transactions in connection with
a student or borrower's covered account.
- The University is notified by a student or borrower, a victim of identity theft, a
law enforcement authority, or any other person that it has opened a fraudulent account
for a person engaged in identity theft.
Detecting Red Flag Activity
Covered accounts are opened as follows:
Federal Perkins Loan Program
- Perkins borrowers sign their promissory notes using an electronic signature, which
requires a PIN number that is unique to each borrower.
- Perkins borrowers can allow a third party to have access to their account information
by completing the FERPA form in the electronic exit interview process. If no one
is listed, a third party will not have access to any account information without the
borrower's written permission. The borrower can log onto the exit site at any time
to update this information if he/she decides that it would be beneficial for another
party to have access to account information.
South Carolina Teaching Fellows Program
- Teaching Fellows borrowers sign their promissory notes manually, which must be notarized.
- The promissory note must be signed by a Surety in addition to the borrower. The Surety
is required to be a parent or guardian if the borrower is under the age of 18. If
the borrower is over the age of 18, the Surety may be any SC resident over the age
of 21.
Student Payment Plans
Students must call, e-mail or come into the Controller's Office to request their account
be placed on a tuition payment plan.
Responding to Red Flags
The Program shall provide for appropriate responses to detected red flags to prevent
and mitigate identity theft. The appropriate responses to the relevant red flags
are as follows:
- Contacting the student or borrower;
- Changing any passwords, security codes, or other security devices that permit access
to a covered account;
- Reopening a covered account with a new account number;
- Closing an existing covered account;
- Not attempting to collect on a covered account;
- Notifying law enforcement; and/or
- Determining that no response is warranted under the particular circumstances.
Updating the Program
The University will update the Program annually in December, to reflect changes in
risks to students or borrowers or to the safety and soundness of the University from
identity theft, based on factors such as:
- The experiences of the University with identity theft;
- Changes in methods of identity theft;
- Changes in methods to detect, prevent, and mitigate identity theft; and
- Changes in the types of accounts that the University offers or maintains.
Oversight of Service Provider Arrangements
The University shall take steps to ensure that the activity of a service provider
is conducted in accordance with reasonable policies and procedures designed to detect,
prevent and mitigate the risk of identity theft whenever the University engages a
service provider to perform an activity in connection with one or more covered accounts.
Currently the University uses UAS to administer the Perkins Loan Program. Students
contact UAS directly through its website or by telephone and provide personal identifying
information to be matched to the records that the University has provided to UAS.