1. Red Flag Rules:
Identity
Theft Protection

2. Welcome to the Red Flag Rules: Identity Theft Protection Training.
Let’s start by defining Identity Theft:
Identity Theft - refers to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.
(Department of Justice – 2017)

3. The Facts College Students Face a High Risk of Identity TheftIn
19% of identity theft victims fell between the ages of
(Federal Trade Commission)
There were 15.4 million victims of identity theft in the United States. This represented a 16% increase over 2015.
(Javelin Strategy and Research 2017)
Texas had the fourth highest number of identity theft complaints of any state.

4. The Aftermath
On average, victims lost $1,343 as a result of identity theft.
(Bureau of Justice Statistics, 2014)
13.8% of surveyed identity theft victims stated their ability to get a job had been impacted.
(ITRC Aftermath Study, 2017)
34.2% of surveyed identity theft victims encountered problems qualifying for a new loan.

5. Costs to the University
Identity theft not only costs our students heartache, time, and money-----it impacts the university through:
Stolen Services
Loss of Personnel Time
Loss of Reputation

6. Identifying Risks
SHSU MUST treat any threat of identity theft as an immediate and highly important matter.
Steps should be taken and enforced IMMEDIATELY to mitigate fraud.

7. Objective
The purpose of this training is to help you identify the warning signs or “RED FLAGS” of identity theft in your day-to-day operations as a university employee.
Participants will:
Understand what Red Flags are.
Understand why Red Flags are important on our campus.
Understand how to Detect, Prevent, and Mitigate Identity Theft at SHSU.

8. What are Red Flags?
Red Flags are the potential patterns, practices, or specific activities indicating the possibility of identity theft.
Federal Trade Commission (2013)

9. Rules Governing Red Flags
Red Flag Rules were created in 2008 by the Federal Trade Commission and federal banking agencies to reduce the risk of identity theft.
NACUBO (2008)
These rules are designed to align with the mandate issued by the federal government and based on:
Sections 114 and 315 of The Fair and Accurate Credit Transactions Act of 2003

10. Who Must Comply with Red Flag Rules?
Financial Institutions or Creditors offering a covered account.
Colleges and universities are categorized as Creditors.
Definitions:
Creditor – is an entity which defers payment for services rendered.
Covered Account – is a customer account that involves multiple payments or transactions where the customer has a continuing relationship with the institution.

11. Types of Covered Accounts at SHSU
Student Accounts
Student Loans
Deferment of Tuition Payments
Emergency Loans
University Health Center/Medical Center Patients 
OneCard Office

12. Red Flag Rules
Red Flag Rules require creditors (i.e. SHSU) that offer covered accounts to adopt a written identity theft prevention program and train its employees how to:
Identify relevant Red Flags.
Detect warning signs of identity theft in day-to-day campus operations.
Prevent and Mitigate any damage or liability to the students.
Video 3:45 min.

13. Red Flag Rules
SHSU campus administrators are most likely to detect Red Flags during:
The Admissions Process
Obtaining a Bearkat OneCard
Applying for Financial Aid

14. Identify Relevant Red Flags
Categories of Red Flags on our Campus are:
Suspicious documents
Suspicious personal identifying information
Suspicious account activity
Notice from External/Other Sources
Available through commercial vendors or from your internet service provider. Malware: Resist buying software in response to unexpected pop-up messages or s, especially ads that calim to have scanned your computer and detected malware.

15. 1. How To Recognize Suspicious Documents
Appear to have been altered or forged.
Give the appearance of having been destroyed and reassembled.
Contain inconsistencies
The person presenting the identification does not look like the photograph or match the physical description (i.e. weight, hair color, or age).
Information on the document differs from what the person is telling you.
Identifying Information on the document is not consistent with readily accessible information in the SHSU system (i.e. address or birth date).

16. 2. How to Recognize Suspicious Personal Identifying Information (PII)
Identifying Information is defined as “any name or number that can be used, alone or in conjunction with any other information, to identify a specific person.”
(Business and Commerce Code – Title 11, 2009)
This includes:
Name
Address
Social Security Number
State or Government Issued ID Number
Alien Registration Number
Government Passport Number
Employer or Taxpayer Identification Number
Electronic ID Number (such as bank routing code)

17. 2. How to Recognize Suspicious Personal Identifying Information – cont’d.
PII provided is a type commonly associated with fraudulent activity. (examples include)
Address is fictitious
Phone number is invalid <e.g. (123) >
Phone number is an answering service
Address/Phone number is the same or similar to information submitted by an unusually large number of other persons
The SSN matches another student on file.
The SSN is invalid.
The first three digits are in the 800, 900 range, or is 666 or 000
The fourth and fifth digits are 00
The last four digits are 0000

18. 2. How to Recognize Suspicious Personal Identifying Information (PII) – cont’d.
Student on the covered account does not provide all the required PII during registration.
Student does not respond to registration being incomplete.
PII provided is associated with known fraudulent activity.
Signatures on paperwork are not consistent.
Student cannot provide authenticating information or answer to challenge questions beyond which is general information that could be readily accessible.
From sources such as: Wallet, Consumer report, or Facebook

19. 3. How to Recognize Suspicious Account Activity
Mail sent to student is returned repeatedly as undeliverable.
Even though transactions or correspondence continue to come from that student address.
University is notified of unauthorized transactions in connection with a student’s account.
The student account shows unusual activities, inconsistent with established patterns.
Such as non-payment when there is no history of this before.

20. 4. Notice from External/Other Sources
University receives notice from:
Student disputing a charge by claiming to be the victim of identity theft
Law Enforcement Authorities
Other External Agency (such as a credit bureau)

21. Detection of Red Flags
University administrators should exercise due diligence in the detection of Red Flags by:
Asking for and verifying identification before answering questions or rendering services.
Being alert for Red Flags in day-to-day operations.

22. Detection of Red Flags
If students question the identification procedures, administrators should simply explain that the procedures are for “privacy reasons and to protect student security”.

23. SHSU Program Management
The SHSU Red Flag Program will have ground- level monitoring by Program Coordinators.
ANY noted potential identity theft issues should be reported IMMEDIATELY to one of the Program Coordinators, who will report to the Program Administrator.

24. SHSU Program Management Team
Program Coordinators are:
Office of Admissions
Office of Financial Aid
Bursar’s Office
Registrar’s Office
Bearkat OneCard Office
Information Technology
UPD
Program Administrator is:
The VP for Finance & Operations

25. Prevent and Mitigate Identity Theft Damage to Student(s)
Program Administrator will work in conjunction with Program Coordinators to investigate and identify appropriate responses:
Including:
Verifying student has been informed in the event notification of identity theft is received from an external source.
Determining that no action is needed.
Canceling any transaction(s) in question.
Not opening a new account or closing the account in question.
Notification sent to UPD to conduct a full investigation.
Reporting cases to third party agencies.

26. Prevent and Mitigate Identity Theft Damage to Student(s) – cont’d.
Notifying other campus administrators.
Re-opening covered account with a new account number or student ID.
Changing passwords for covered accounts.
Continued monitoring of covered account for evidence of identity theft.
Placing the covered account “on hold” from any further access, use, or disclosure until the Red Flag event is fully investigated by authorities.
Isolating and correcting inaccuracies in student records resulting from identity theft.

27. Proactive Measures-Program Oversight
Program Administrator will work in conjunction with Program Coordinators to:
Maintain a log of incidents
Ensure availability and compliance to training.
Suggest Red Flag Program updates to reflect changes in risk assessment to students.
Recommend additional training as needed.

28. Proactive Measures-Program Oversight
Another proactive step that can help prevent identity theft is to secure sensitive student information.
The following video contains some recommended practices for how University employees can better protect that information.

30. Conclusion
Sam Houston State University takes student identity theft very seriously.
It is critical that University employees remain vigilant when working with student accounts.
Following the guidelines provided in this training will help to reduce the impact of identity theft on students and our campus.

31. Additional Resources A copy of this training can be found online at:
Then click the link named “Red Flags Training”
For additional information related to university policies and other compliance activities you can also visit:

32. References Business and Commerce Code – Title 11, 2009
Department of Justice
Bureau of Justice Statistics, 2014
Federal Trade Commission
2016_data_book.pdf
Javelin Strategy and Research
Insurance Information Institute, 2016
IRTC Aftermath Study, 2017
NACUBO
Business and Commerce Code – Title 11, 2009