PRP 5210 - Red Flag Identity Theft Prevention Program

Issued by: Dr. Richard H. Rugen, Vice President for Administration and Finance
Effective Date: Approved by the Council of Trustees, June 3, 2009

Program Adoption

Bloomsburg University of Pennsylvania developed this identity theft prevention program pursuant to the Federal Trade Commission Red Flag Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.

Purpose

The purpose of this policy is to establish an Identity Theft Prevention Program (“Program”) designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program. The Program shall include reasonable policies and procedures to:

  1. Identify relevant red flags for covered accounts it offers or maintains and incorporate those red flags into the Program;
  2. Detect red flags that have been incorporated into the Program;
  3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  4. Ensure the Program is updated periodically to reflect changes in risks to Students and to the safety and soundness of the creditor from identity theft.

The Program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.

Definitions

Identity Theft

Fraud committed or attempted using the identifying information of another person without authority.

Red Flag

A pattern, practice, or specific activity that indicates the possible existence of identity theft.

Covered Account

All student accounts or loans that are administered by the University and involve multiple payments or transactions.

Scope-Covered Accounts

Bloomsburg University has identified the following types of covered accounts which are administered by the University or by a Third Party Service Provider:

University Covered Accounts

  1. Refund of credit balances involving student loans
  2. Refund of credit balances without student loans
  3. Deferment of tuition payments
  4. Emergency loans

Accounts Covered by a Third Party Service Provider

  1. Perkins Loan
  2. Tuition Payment Plan

Identification of Relevant Red Flags

The Program considers the following risk factors in identifying relevant red flags for covered accounts:

  1. The types of covered accounts as noted above;
  2. The methods provided to open covered accounts. Acceptance to the University and enrollment in classes require all of the following information:
    a. Application with personally identifying information;
    b. High school transcript;
    c. Official ACT or SAT scores;
    d. Medical form;
  3. The methods provided to access covered accounts:
    a. Disbursements obtained in person require picture identification (student ID or valid driver’s license)
    b. Disbursements obtained by mail can only be mailed to an address on file (generally address of record)
    c. EFT of credit balance refunds
  4. The University’s previous history of identity theft.

The Program identifies the following red flags:

  1. Documents provided for identification appear to have been altered or forged;
  2. The photograph on the identification is not consistent with the appearance of the student presenting the identification;
  3. A request made from a non-University issued e-mail account;
  4. A request to mail something to an address not listed on file;
  5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with the covered accounts listed above.

Detection of Red Flags

The Program will detect red flags relevant to each type of covered account as follows:

  1. Refund of a credit balance involving a PLUS loan - As directed by federal regulation (U.S. Department of Education) these overpayments are required to be refunded in the parent’s name and mailed to their address of record within the time period specified. No request is required. Red Flag – none as this is initiated by the University.
  2. Refund of credit balance, no PLUS loan - Refunds of student loan and grant overpayments are automatically processed, no request is needed. Refund requests of credit balances created due to a schedule change or withdrawal must be made in person, via our website request form (which does not allow for address changes), or in writing from the student’s University issued e-mail account. If the credit balance occurred due to an overpayment using a credit card, the amount is refunded to the original credit card account (no red flag). For credit balances requiring a check to be issued, the check can either be picked up in person at the Business Office by showing a University or governmental issued picture ID or by mailing the check to the permanent address of record. Certain types of refunds are issued by electronic funds transfer (EFT) to a bank account designated by the student. When the refund is transmitted to the student’s bank account, an email is automatically generated to the student’s University email account informing them of the deposit. Requests from students not currently enrolled or graduated from the University must be made in writing and sent to the permanent address of record. Red Flag – Picture ID not appearing to be authentic or not matching the appearance of the student presenting it. Request not coming from a student issued e-mail account. Student informs us that their refund was not received.
  3. Deferment of tuition payment - requests are made via a website form, which does not allow for address changes. Information is verified with the employer.
  4. Emergency loan - requests must be made in person by presenting a University or governmental issued picture ID. When the check is prepared, it can only be picked up in person by showing a University or governmental issued picture ID. Red Flag - Picture ID not appearing to be authentic or not matching the appearance of the student presenting it.
  5. Tuition payment plan - Students must contact an outside service provider and provide personally identifying information to them. Red Flag – none, see Oversight of Service Provider Arrangements.

Response

The Program shall provide for appropriate responses to detected red flags to prevent and mitigate identity theft. The appropriate responses to the relevant red flags are as follows:

  1. Deny access to the covered account until other information is available to eliminate the red flag; Contact the student;
  2. Change any passwords, security codes or other security devices that permit access to a covered account;
  3. Notify law enforcement; or
  4. Determine no response is warranted under the particular circumstances.

Oversight of the Program

Responsibility for developing, implementing and updating this Program lies with the Identity Theft Committee (“Committee”) for the University. The Committee is headed by the Vice President for Administration and Finance. The remainder of the Committee consists of the Director of Admissions, the Registrar, Director of Financial Aid, Director of Finance & Business Services, Director of Human Resources, Director of Administrative Applications, and the Assistant Director of Administration and Technology for Residence Life. The Committee will be responsible for the Program administration, for ensuring appropriate training of the University’s staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, for determining which steps of prevention and mitigation should be taken in particular circumstances, and for considering periodic changes to the Program.

Updating the Program

This Program will be reviewed and updated annually by the Committee to reflect changes in risks to students and the soundness of the University from identity theft. At least once per year in October, the Committee will consider the University's experiences with identity theft, changes in identity theft methods, changes in identity theft detection and prevention methods, changes in types of accounts the University maintains and changes in the University's business arrangements with other entities. After considering these factors, the Committee will determine whether changes to the Program, including the listing of Red Flags, are warranted. If warranted, the Committee will update the Program.

Staff Training

Committee members shall train their staff in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected.

Oversight of Service Provider Arrangements

The University shall take steps to ensure that the activity of a service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft whenever the organization engages a service provider to perform an activity in connection with one or more covered accounts.

Currently the University uses third party vendors to administer the Tuition Payment Plan and the Perkins Loan Program. Students may contact the third party vendors directly through their website or by telephone and provide personally identifying information to be matched to the records at the University. Students may contact the Bursar’s office for the list of third party vendors.