Red Flag Rule Policy

The purpose of this policy is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program. 

Policy

The Financial Institution Regulators, including the Federal Trade Commission have issued a final rule (the Red Flag Rule) under sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The Red Flag Rule requires institutions or “creditors” (businesses or organizations that regularly defer payment for goods or services) that hold “covered accounts” (consumer accounts for which a person makes repeat payments or other accounts that present a reasonably foreseeable risk of identity theft) to develop and implement an identity theft prevention program.

Franklin & Marshall College (the College) takes the possibility of identity theft seriously and in full compliance with the Red Flag Rule, has developed and implemented an Identity Theft Program (Program). After consideration of the size of the College’s operations and account systems, and the nature and scope of the College’s activities, the Board of Trustees determined that this Program was appropriate for Franklin & Marshall College, and therefore ratified this Program on May 15, 2009, with an effective date (the “Effective Date”) of May 1, 2009.

Purpose

The purpose of this policy is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program. The Program shall include reasonable policies and procedures to:

1.  Identify relevant red flags for covered accounts it offers or maintains and incorporate those red flags into the program;

2.  Detect red flags that have been incorporated into the Program;

3.  Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and

4.  Ensure the Program is updated periodically to reflect changes in risks to students and to the safety and soundness of the creditor from identity theft.

The following College operations are either currently identified with potential exposure to identity theft, or engaged in the implementation of this policy, and are therefore participating in this program:

  1. Business Office: Student Accounts
  2. Finance
  3. Human Resources
  4. Auxiliary Services
  5. Information Technology
  6. Advancement Services 

The Program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.

Definitions:

Identify theft means fraud committed or attempted using the identifying information of another person without authority.

Creditor means a business or organization that regularly defers payment for goods or services, or provides goods or services and bills the customer later.

Covered account means an account that a creditor offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, or other account that presents a reasonably foreseeable risk of identify theft.

Red flag means a pattern, practice or specific activity that indicates the possible existence of identity theft.

Covered Accounts

Franklin & Marshall College has designed this Identity Theft Policy to protect certain types of student and employee accounts maintained by the College. Every new and existing account that meets the following criteria is covered by this policy.

  1. Any account that the College offers to students and employees that involves or is designed to permit multiple payments or transactions; or
  2. Any other student and employee account offered or maintained by the College for which there is a reasonably foreseeable risk to students and employees or to the safety and soundness of the College from identity theft, including financial, operational, compliance, reputation or litigation risks.

Identification of Relevant Red Flags

The Program shall include relevant red flags from the following categories as

appropriate:

1.  Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;

2.  The presentation of suspicious documents, such items that appear to be altered or forged;

3.  The presentation of suspicious personal identifying information, such as a photograph or physical description on the identification that is not consistent with the appearance of the student presenting the identification;

     4.  A request made from a non-College issued E-mail account;

     5.  A request to mail something to an address not listed on file;

     6.  The unusual use of, or other suspicious activity related to, a covered account; and

     7.  Notice from students, employees, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.

Detection of Red Flags

The Program shall address the detection of red flags in connection with the opening of covered accounts and existing covered accounts, such as by:

1.  Obtaining identifying information about, and verifying the identity of, a person opening a covered account; and

 2.  Authenticating students and employees, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts.

Response

The Program shall provide for appropriate responses to detected red flags to prevent and mitigate identity theft. The response shall be commensurate with the degree of risk posed. All activities and responses must address Standard Operating Procedures (SOP). These SOP’s are identified in the Addendum attached to this report. A sample range of responses to detected red flags are as follows:

1.  Monitor a covered account for evidence of identity theft;

2.  Deny access to the covered account until other information is available to eliminate the red flag, or close the existing covered account;

3.  Contact the student or employee;

4.  Change any passwords, security codes or other security devices that permit access to a covered account;

5.  Reopen a covered account with a new account number;

6.  Not opening a new covered account;

7.  Notify law enforcement; or

8.  Determine no response is warranted under the particular circumstances.

Updating the Program

The Program shall be updated annually to reflect changes in risks to students and employees or to the safety and soundness of the College from identity theft based on factors such as:

1.  The experiences of the College with identity theft;

2.  Changes in methods of identity theft;

3.  Changes in methods to detect, prevent and mitigate identity theft;

4.  Changes in the types of accounts that the College offers or maintains; or

5.  Changes in the College’s business arrangements including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

Oversight of the Program

Senior Administration at the College, (Associate Vice President of Finance) will be responsible for the Program. Oversight of the Program shall include:

1.  Assignment of specific responsibility for implementation of the Program and ensuring appropriate training of the College’s staff in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected;

2.  Reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft;

3.  Determining which steps of prevention and mitigation should be taken in particular circumstances;

4.  Review of reports prepared by staff regarding compliance; and

5.  Approval of material changes to the Program as necessary to address changing risks of identity theft.

Reports shall be prepared as follows:

1.  Staff responsible for development, implementation and administration of the Program shall report to Senior Administration at least annually on compliance by the College with the Program.

2.  The report shall address material matters related to the Program and evaluate issues such as:

 A.  The effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts;

B.  Service provider agreements and relevant communications received from these service providers such as internal control and compliance reports;

C.  Significant incidents involving identity theft and management’s response; and

D.  Recommendations for material changes to the Program.

Oversight of Service Provider Arrangements

The College shall take steps to ensure that the activity of a service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft whenever the College engages a service provider to perform an activity in connection with one or more covered accounts.  (e.g. the Perkins Loan Program).

 

ADDENDUM

 STANDARD OPERATING PROCEDURES

I.  DETECTING RED FLAGS

A.     New Accounts

In order to detect any of the Red Flags associated with the opening of a new account, College personnel will take one or more of the following steps to obtain and verify the identity of the person opening the account:

Detect

1.     Require certain identifying information such as name, date of birth,  residential or business address, principal place of business for an entity, driver's license or other identification;

2.     Verify the customer's identity (for instance, review a driver's license or other identification card);

3.      Review documentation showing the existence of a business entity;

4.      Request additional documentation to establish identity; and

5.      Independently contact the customer or business.

B.     Existing Accounts

In order to detect any Red Flags associated with an existing account, College personnel will take the following steps to monitor transactions with an account:

Detect

1.     Verify the identification of customers if they request information (in person, via telephone, via facsimile, via email);

2.     Verify the validity of requests to close accounts or change billing addresses; and

3.     Verify changes in banking information given for billing and payment purposes.

II.  PREVENTING AND MITIGATING IDENTITY THEFT

In the event College personnel detect any Red Flags, such personnel shall take one or more of the following steps, depending on the degree of risk posed by the Red Flag:

Prevent and Mitigate

1.     Continue to monitor an account for evidence of Identity Theft;

2.     Contact the customer, sometimes through multiple methods;

3.     Change any passwords or other security devices that permit access to       accounts;

4.     Not open a new account;

5.     Close an existing account;

6.     Do not close the account, but monitor or contact authorities;

7.     Reopen an account with a new number;

8.     Notify the Program Administrator for determination of the appropriate step(s) to take;

9.     Notify law enforcement; or

10.  Determine that no response is warranted under the particular circumstances.

Protect customer identifying information

In order to further prevent the likelihood of identity theft occurring with respect to Franklin & Marshall accounts, the College will take the following steps with respect to its internal operating procedures to protect customer identifying information:

1.    Ensure and provide clear notice that its website is secure or provide clear notice that the website is not secure;

2.     Where and when allowed, ensure complete and secure destruction of paper documents and computer files containing customer information;

3.    Ensure that office computers are password protected and that computer screens lock after a set period of time;

4.     Change passwords on office computers on a regular basis;

5.     Ensure all computers are backed up properly and any backup information is secured;

6.     Keep offices clear of papers containing customer information;

7.     Request only the last 4 digits of social security numbers (if any);

8.     Ensure computer virus protection is up to date; and

9.     Require and keep only the kinds of customer information that are necessary for utility purposes.

10.     Ensure customer identifying information in hard-copy format is properly safeguarded and secured. Examples include locking file cabinets that house sensitive information and limiting access of this information to appropriate personnel.

Policy Maintained by:  Finance and Administration

Last update:  September 26, 2017