Published by Shannon Park. Modified over 6 years ago.
1
Compliance With the Red Flags Rule in Higher Education
26 of 1… Compliance With the Red Flags Rule in Higher Education
Sarah Morrow, MBA-ISM, CIPP/US, GISP, Chief Privacy Officer, The Pennsylvania State University
Maura Johnston, JD, CIPP/US, University Privacy Officer, University of Pennsylvania

Good afternoon! Thank you for joining us today for this exciting topic. Welcome to 26 of 1… Compliance with the Red Flags Rule in Higher Education. Hi, my name is Sarah Morrow and I am Chief Privacy Officer at The Pennsylvania State University. Standing with me is Maura Johnston, University Privacy Officer at the University of Pennsylvania. One housekeeping item: we’d prefer an interactive session, so please ask questions as they come up.
2
Abstract
Compliance with financial regulations in higher education, especially the Red Flags Rule, is as complex as it gets; it is a regulation with elusive requirements. Join two university privacy officers to hear about how compliance was achieved at their respective institutions.

[Maura] We thought it might be useful to revisit briefly what our session is about and what the objectives are. So, without getting into the nitty-gritty of the Red Flags Rule for the moment: when people talk about the Red Flags Rule, they are typically talking about the requirement that certain kinds of organizations implement an identity theft prevention program. We normally think about banks or credit card companies as having identity theft prevention programs, not so much universities. In a nutshell, this is the creative challenge posed by the Red Flags Rule: where does it apply in universities? And what kinds of compliance programs should be in place? Sarah and I will be talking today about how our respective institutions have dealt with this challenge.
3
Objectives
This presentation will:
provide an overview of the Red Flags Rule;
explain how IT is an integral part of university compliance in this area; and
answer questions you may have about where, when, and why this law applies to institutions of higher learning.

[Maura] So, not surprisingly, our objectives today are to: provide an overview of the Rule; discuss how IT is essential to compliance with it (this IS Educause); and answer your questions about the where, when and why of the Rule in higher ed. This is probably a good point to issue the disclaimer that you’re all expecting: our descriptions and examples reflect our own experiences and conclusions about the Red Flags Rule. Your institution’s legal counsel would need to provide you with the definitive answers about implementation of the Rule for your organization.
4
Sarah – When thinking Red Flags, you’re going to be seeing these terms bandied about…
[Note to self: The Fair and Accurate Credit Transaction Act of 2003 (FACTA) added new sections to the federal Fair Credit Reporting Act (FCRA), intended primarily to help consumers fight the growing crime of identity theft.]
5
Red Flags Rule
Was adopted by the FTC to require:
financial institutions and creditors that maintain certain accounts to have an identity theft prevention program;
users of consumer reports to implement procedures for handling notices of address discrepancy from credit bureaus; and
credit/debit card issuers to have procedures to assess the validity of change of address notices.
Who has to comply with the Red Flags Rule?
Financial institutions
“Creditors” who have “covered accounts”

Sarah ~ So, I hate when a presenter reads his or her slides, but the reality is that sometimes it’s just appropriate. This is one of those times.
6
Effective date(s)
The rule was vague and compliance seemed difficult in many ways; the effective/compliance date was postponed several times.
November 2008
May 2009
August 2009
November 2009
June 2010
December 2010

Sarah – As you can easily see, this rule’s effective date was delayed several times. Mostly, this was because the Financial Services community couldn’t figure out a way to comply with this rule. By delaying the effective date for a couple of years, the compliance back-end could be worked on and worked out.
7
“Creditor”
Under the Red Flags Program Clarification Act of 2010, a “creditor” is an entity that regularly, in the ordinary course of business:
obtains or uses credit reports in connection with a credit transaction;
provides information to credit bureaus in connection with a credit transaction; or
advances funds that must be repaid in the future.
Interpreted by the FTC to cover higher education institutions.

[Maura] About two weeks after the Federal Trade Commission announced that the Rule would take effect on December 1st, 2010, Congress passed a law called the Red Flags Clarification Act. The law narrows the definition of “creditors” covered by the Rule. This is a simplified version of the definition. [walk through] Paraphrasing an EDUCAUSE blog: while higher education institutions do not normally use credit reports, most do report to credit bureaus and advance funds (through tuition payment plans and federal and institutional loans) to help students cover their bills.
8
“Covered Accounts”
A “covered account” is an account offered primarily for personal, family, or household purposes that either:
permits multiple payments or transactions; or
involves a reasonably foreseeable risk of identity theft.

[Maura] Again, a “simplified” definition for discussion purposes. Can you think of places around your institution where covered accounts exist? So, if you are a “creditor” with “covered accounts,” what do you have to do under the Red Flags Rule?
9
Identity Theft Prevention Program
Identify Relevant Red Flags: identify the red flags of identity theft you’re likely to come across
Detect Red Flags: set up procedures to detect those red flags in your day-to-day operations
Prevent and Mitigate Identity Theft: if you spot the red flags you’ve identified, respond appropriately to prevent and/or mitigate harm
Design program appropriate to organization’s size and complexity, and nature of operations
Update program periodically: risks of identity theft can change rapidly, so keep program current and educate staff

Sarah – Again, I don’t know why I stick myself with slides that are better read. (grin) You have to have a program…
1) Identify Relevant Red Flags (SM): identify the red flags of identity theft you’re likely to come across in your business
2) Detect Red Flags (SM): set up procedures to detect those red flags in your day-to-day operations
3) Prevent and Mitigate Identity Theft (SM): if you spot the red flags you’ve identified, respond appropriately to prevent and mitigate the harm done
4) Design program appropriate to organization’s size and complexity, and nature of operations (MJ)
5) Update your Program (SM): the risks of identity theft can change rapidly, so it’s important to keep your Program current and educate your staff
The Red Flags Rules provide all financial institutions and creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations.
10
Some Potential Red Flags
The Federal Trade Commission identifies 26, in five categories:
alerts, notifications, or warnings from a consumer reporting agency
suspicious documents
suspicious identifying information, such as a suspicious address
unusual use of, or suspicious activity relating to, a covered account
notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with “covered accounts”

SM – So now that you have got your program, you have to operationalize that 2nd element, and the FTC says that red flags fall into five categories: alerts, notifications, or warnings from a consumer reporting agency; suspicious documents; suspicious identifying information, such as a suspicious address; unusual use of, or suspicious activity relating to, a covered account; notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts. Is anyone here from the FTC? For HE this rule is just STUPID; “perhaps misguided” is a more correct assessment.
11
Penn State’s Approach
Committee formed to create and vet the required training.
Bursar (leader)
Corporate Controller Office
Privacy
Financial Officers
IT and Security Offices
CPO had final approval sign-off
Implemented prior to actual effective date
Annual training

[Sarah] With all of the changing dates and the clarification, one of the things that seemed clear was that Higher Education was going to be affected, and the requirement to implement an awareness program and designate an administrator was not going to change. By this regulation, there must exist a management-level individual who stands as the ultimate responsible party for the administration of the Red Flags Rule. At Penn State the designated individual is the Privacy Officer, in this case, me. Penn State has one of, if not the, longest-standing offices singularly designated specifically to address privacy concerns within all of the higher education realm. In anticipation of a date, Penn State formed a committee, naturally, and began to create a training program designed to address the rule and the university environment. The committee combined participants from key stakeholders, with the Bursar’s Office taking the lead. The Privacy Office was in transition, so when I started my job at Penn State and this committee was in full swing, the training was drafted, virtually complete, and at the sign-off stage. Being new, I didn’t want to make too many changes, and it was good basic information.
12
Penn State’s Approach
Where does Red Flags apply at Penn State?
Financial Officers
Student Aid
Bursar
Credit Card Transaction locations… (all around us)
Milton S. Hershey Medical Center
University Health Services
ID+
LionCash
Security Operations and Services
PCI

We find we may have units within the sphere of the Financial Officers that may be subject to the rule. We know some of the folks at Student/Financial Aid and the Bursar are subject; some of the folks at University Health Services, including the pharmacy; our Medical Center at Hershey; and our ID Card office; with a side note to some of the ancillary services that are, for the most part, automated. Here SOS is indispensable: they are not covered by the rule, but they help me uncover potential situations. This is where we see the cross-over with credit fraud… We have all these locations over our environment where payments may be made, both in person and by telephone. Are cashiers looking at identification? Is there a way to verify over the phone? Does the person accepting the payment understand the procedures for protecting against identity theft? Is this the intersection wherein fraud (credit cards as well) becomes a “Red Flag”? And we have automated some systems wherein human interaction is minimized, and we may not know except for misappropriated access accounts that we hear about from SOS. SOS also handles operational compliance with PCI-DSS.
13
Penn State’s Approach
Security Operations and Services watches my back
PCI-DSS may find more than simple credit card fraud
Teaching moments
Technological advances make identity theft more common and easier to achieve
Keep APT on the radar
Devise more accurate methods to assess risk

That’s my segue… What would I do without IT? Case in point: our automated travel system threw up at a transaction, and it was discovered we not only had credit card fraud but also a compromised access ID and potential identity theft. If I had not been alerted by Security, I might never have known. By legislation, I am required to report incidents to the Board of Trustees on an annual basis. And we’ve had a couple of instances where loans have been taken out in a parent’s name; is this fraud or identity theft or both? How about the situation (hypothetical) where the father and mother are about to divorce, he or she knows the other’s information, and they have multiple students attending. A loan is applied for and granted. Who is responsible if one calls and says “I never…”? With SOS, I’d be unable to fulfill my duties. Besides helping me implement and track our RF program, IT-SOS does what it says on this slide.
14
It’s just my opinion
This is a really difficult rule with which to comply because it is so vague
It probably shouldn’t apply to colleges and universities

[Sarah] This rule is so vague that it probably applies better to commercial lenders than to universities. There are enough other regulations with which we must comply that red-flags identification of identity theft is unlikely and, because of our environment, would most probably show up as account fraud. And medical identity theft… is handled to some extent by HIPAA/HITECH and health care accreditation requirements. That was Penn State’s way, but it’s not the only way. You and your colleagues may have handled it similarly, or more like how the University of Pennsylvania did; Maura?
15
Penn’s Approach
Formed Red Flags Task Force
Representatives from potentially covered areas
Narrowed group to areas we concluded were covered
Central policy developed
Simplified content of Rule
Specific to Penn
Procedures and training developed by each covered area

At Penn we started our compliance efforts by forming a Red Flags Task Force. Our office (Audit, Compliance and Privacy) worked with General Counsel and others to put together a preliminary list of who might be covered by the Red Flags requirements. Basically, we focused on areas where deferred payments were accepted (that is, credit was extended), or credit reports might be involved, or debit cards might be issued. Then, based on discussions with the identified areas, we eliminated a couple of areas from the list as not being covered after all. I’ll show our final list of identified areas on the next slide. From the strategic point of view, it was decided that having a central Red Flags Policy, implementing the Rule uniformly across Penn, would make the most sense. Then the local areas covered by the Rule would develop their own procedures, and training, to implement the central policy. This seemed to make sense since each area would have the most detailed knowledge of its own operations.
16
Penn’s Approach
Covered areas:
Student Financial Services
Tuition refunds
Collections
Student Health
Dental Medicine
Veterinary Medicine
Home Ownership Services
PennCard
Health System

So, here is the list of areas that we concluded are covered by the Red Flags Rule. Each one developed procedures, or documented existing practices, to minimize the risk of identity theft and address their use of credit reports (if any). Some accept deferred payments for services [Student Health; Dental; Vet; Health System], so their procedures focus on preventing identity theft. One receives credit reports and provides information to credit bureaus [student loan collections], so their procedure focuses on responding appropriately to any notice of address discrepancy that they may receive from a credit bureau (to confirm the identity of the subject of the information). The tuition refunds area added to its existing policies, to confirm the identity of the person receiving the refund. Another user of credit reports is Home Ownership Services. They assist Penn faculty and staff who want to purchase a home in the vicinity of the University, requesting credit reports in order to provide assistance with obtaining mortgages. Again, their procedure includes ensuring that addresses they have match up with those on credit reports, to verify identity. PennCard is the University’s ID card for students, faculty and staff. Individuals who choose to do so can link the PennCard to a PNC bank account and use it like a debit card. Being conservative, we decided to treat the PennCard issuing office as a “debit card issuer” for purposes of the Red Flags Rule. That office developed a written procedure that basically documented its existing strong authentication procedures for getting a PennCard. The procedure includes the existing requirement that merchants accepting the PennCard for payment must check to ensure that the person presenting the card is the same person who is shown in the photo on the card.
17
Penn’s Approach
IT’s role in preventing identity theft
Example: Health System, Medical Office Visit
If Red Flags are present (such as ID that looks altered or forged), an Incident Report is created
Incident Report is forwarded to the team that reviews it and, if appropriate, posts a Red Flags Alert
Alert interfaces with all core registration databases
Incident Report is scanned into the electronic health record system

[walk thru bullets]
18
Penn’s Approach
Review/update Red Flags program periodically
Experienced incidents of identity theft in the past year?
Experienced changes in methods of identity theft in the past year?
Amended Red Flags procedures since they were first adopted?
Any changes that might present new potential opportunities for identity theft?
Staff received training on Red Flags procedures?
Suggestions for changes to Red Flags program?

By regulation, the Red Flags program is to be updated periodically. In order to find out what updates, if any, may be needed, we send a very short questionnaire to the covered areas. It includes such questions as: [walk thru questions]
19
Questions?
Sarah Morrow, sdm24@psu.edu, (814) 863-3049
Maura Johnston, (215)

Are there any more questions? Thank you for your participation and attention. If either of us can be of assistance, please feel free to contact us either now or offline.