Red Flag Rules
Several federal agencies, including the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Federal Trade Commission, were charged with jointly issuing guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. This group was also responsible for requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines. As a result, the federal agencies published the Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 (“Red Flags Rule”). While these federal agencies generally do not have jurisdiction over non-profit entities, in guidance published in July 2008, the Federal Trade Commission stated that “where non-profits and government entities defer payment for goods or services, they, too, are to be considered ‘creditors’.”
Scope
All financial and administrative policies involving community members across campus, including volunteers, are within the scope of this policy. If there is a variance between departmental expectations and the common approach described through college policy, the college will look to the campus community, including volunteers, to support the spirit and the objectives of college policy. Unless specifically mentioned in a college policy, the college’s Board of Trustees are governed by their Bylaws.
Policy
The objective of this policy is to establish an Identity Theft Prevention Program (“Program”) designed to mitigate the risk of compromised personal, identifying information of the members of the Colorado College community. The Program will be designed to prevent, detect, and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for the continued administration of the Program.
As appropriate, the Program shall incorporate existing policies and procedures that mitigate the compromise of personal, identifying information.
The Program applies to employees, contractors, consultants, temporary employees, service providers, and all others who are authorized to access personal, identifying information obtained by, used by, and housed by Colorado College in the course of its operations.
Administration of the Program
The College has formally designated the Controller as having specific responsibility for the development, implementation, and administration of the Program.
Service Providers: The Controller, in consultation with the college’s AVP of Institutional Planning and Effectiveness, will ensure that service providers have reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
Training: The Controller will ensure that initial training takes place for relevant staff and that any additional training warranted as a result of changes in the Program or changes in personnel also takes place.
Board Approval and Reporting Requirements
- The Audit Committee of the Board of Trustees shall review and approve this policy
- Periodic review and approval of the policy shall take place in accordance with the policy administration guidelines of Colorado College
- On at least an annual basis, the Controller, who is responsible for the development, implementation, and administration of the Program, shall report on compliance with the Red Flags Rule to the Vice President for Finance and Administration.
- The report should include:
  - Assessment of the effectiveness of the policies and procedures in addressing the risk of identity theft in connection with new and existing covered accounts;
  - Disclosure of service provider arrangements;
  - Disclosure of significant incidences involving identity theft and management’s response;
  - Any recommendations for material changes to the Program.
Procedures
Program Elements
Program Element I: Identification of Red Flags
The Program Sponsor shall work with campus to determine and document which of the twenty-six red flags identified in the Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 apply to the College’s operations.
Program Element II: Detection of Red Flags
The Program Sponsor shall document identifying information obtained by groups across campus in the course of their respective operations.
Program Element III: Response to Red Flags
The Program Sponsor shall work with campus to design responses to red flags that are commensurate with the level of risk posed by the red flag. To the extent possible, these responses should be consistent across campus and also consistent with ITS security policies and practices.
Program Element IV: Updating the Program
Partnering with ITS where appropriate, the Program Sponsor shall design and implement processes to:
- Monitor and respond to experiences with identity theft;
- Remain current on methods of identity theft;
- Remain current on methods to detect, prevent, and mitigate identity theft;
- Monitor the types of accounts offered by the College;
- Monitor changes in business arrangements (for example, with alliances or service providers).
Definitions
Address Discrepancy: A notice sent to a user of a consumer report that informs the user of a substantial difference between the address for the consumer provided by the user in requesting the consumer report and the address or addresses the Consumer Reporting Agency has in the consumer’s file.
Covered Account: This is a two-part definition: (1) an account that a financial institution or creditor offers or maintains primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions; (2) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
Identity Theft: A fraud committed or attempted using the identifying information of another person without authority.
Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.
Service Provider: A person that provides service directly to the financial institution or the creditor. This definition is based on the Information Security Standards definition that a service provider is any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through the provision of services directly to the financial institution.