2.1 IDENTITY THEFT PREVENTION PROGRAM
The Federal Trade Commission (FTC), under the authority granted by the Fair and Accurate Credit Transaction Act of 2003 (FACTA), has issued a Red Flags Rule (16 CFR 681.2) requiring that financial institutions and creditors develop Identity Theft Prevention Programs aimed at recognizing and preventing activity related to identity theft. This Identity Theft Prevention Program ("Program") was developed pursuant to a resolution adopted by the Monroe Community College Board of Trustees on June 8, 2009 in order to comply with the Federal Trade Commission's Red Flags Rule (16 CFR 681.2).
The purpose of this Program is to prevent frauds committed by the misuse of identifying information (i.e. identity theft). The Program aims to accomplish this goal by identifying accounts maintained by MCC which may be susceptible to fraud (hereinafter "Covered Accounts"), identifying possible indications of identity theft activity associated with those accounts (hereinafter "Red Flags"), devising methods to detect such activity, and responding appropriately when such activity is detected. This Program will include reasonable steps to prevent frauds perpetrated by the misuse of identifying information including policies and procedures for:
Identifying "covered accounts"
Identifying relevant patterns, practices, and forms of activity within those accounts that are “red flags” signaling possible identity theft
Detecting red flags
Responding appropriately to any red flags that are detected in order to prevent and mitigate identity theft
Administering the program in a manner that ensures proper staff training, implementation, oversight, and updating.
Account: A relationship established with an institution by a student, employee, or other person to obtain educational or financial services.
Covered Account: An account that permits multiple transactions or poses a reasonably foreseeable risk of being used to promote an identity theft.
Responsible Staff: Personnel who regularly work with Covered Accounts and are responsible for performing the day-to-day application of the Program to a specific Covered Account by detecting and responding to Red Flags.
Category: Administration
Date Established: June 8, 2009
Responsible Office: Public Safety
Date Last Revised:
Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.
Response: Action taken by Responsible Staff member(s) upon the detection of any Red Flag to prevent and mitigate identity theft.
Service Provider: A contractor to the campus engaged to perform an activity in connection with a Covered Account.
Identity Theft: A fraud committed or attempted using the identifying information of another person without authority.
Program Administrator - The President has designated the Controller as Program Administrator to oversee administration of this Program. The Program Administrator may designate additional staff of the College to undertake responsibility for training personnel, monitoring service providers, and updating the Program, all under the supervision of the Program Administrator.
Service Providers - The Program Administrator or designees shall review service provider agreements and monitor service providers, where applicable, to ensure that such providers have adequate identity theft prevention programs in place. When the Program Administrator determines that a service provider is not adequately guarding against threats of identity theft, he/she shall have the authority to take necessary corrective action, including termination of the service provider's relationship with the College.
Training - The Program Administrator or designees shall identify and train responsible staff, as necessary, to effectively implement and apply the Program. All College personnel are expected to assist the Program Administrator in implementing and maintaining the Program. Employees who work with Covered Accounts must be trained in the requirements of the Program. At least one employee shall be directly responsible for detecting and responding to any Red Flags that may arise in association with each Covered Account.
Evaluation - The Program Administrator shall annually evaluate the Program to determine whether it is functioning adequately. This evaluation shall include: a case-by-case assessment of incidents of identity theft or attempted identity theft that occurred during the previous academic year; interviews with Responsible Staff; and a survey of all accounts maintained by the College to identify any additional Covered Accounts. In response to this evaluation, the Program Administrator shall recommend amendments to this Program for approval by the President.
Updating - The Program will periodically be updated to respond to changing or emerging threats, taking previous experiences with identity theft into consideration. MCC will periodically review all accounts to determine if additional Covered Accounts exist.
Audits - From time to time, the College Controller, or other designated internal control officer, may perform audits to determine if various segments of the College are in compliance with the Program.
Recordkeeping - The Program Administrator shall maintain records relevant to the Program, identity theft and attempted identity theft; contracts with service providers that perform activities related to Covered Accounts; and updates to the Written Program.
Two types of accounts must be monitored:
1. Accounts that are designed to permit multiple payments or transactions (i.e. periodic crediting and debiting activity), such as Student Accounts, accounts associated with student lending activity (Perkins, FFELP, PLUS), etc.
2. Accounts for which there is a reasonably foreseeable risk from identity theft such as email accounts or Banner accounts.
Identify Red Flags - the following categories, while not all-inclusive, are considered Red Flags:
Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as a notice of credit freeze, fraud alert, or address discrepancy;
Presentation of suspicious documents or personal identifying information, such as inconsistent address or name spelling, alterations, or a photo that does not appear to match the student;
Unusual use of, or other suspicious activity related to, a Covered Account, such as a suspicious address change request or the use of an account that is inconsistent with the account history or the known attributes of the account holder;
Notice from students, faculty, staff, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft or information security breach in connection with Covered Accounts held by the campus. Such notice must be reported to Public Safety.
Detect Red Flags - the following categories, while not all-inclusive, are considered in the detection of Red Flags:
Verifying identifying information upon opening accounts or authorizing access to accounts;
Authenticating changes to identifying information (e.g. name and address changes); and
Monitoring account activity
Respond to Red Flags - the following categories, while not all-inclusive, may be considered appropriate responses to identified Red Flags:
Close monitoring of the account;
Contacting the student;
Changing access information such as passwords or security codes;
Freezing an account; or
IDENTIFICATION OF Covered Accounts; Responsible Staff; Red Flags; Responses
Covered Account: Student Records
Responsible Staff: Staff in: Admissions, Bursar’s, Records & Registration, Financial Aid, Human Resources, Controller’s, Counseling & Advising, PSTF, Public Safety
Red Flag 1: Suspicious ID presented by a student who is trying to access or alter account.
Response: Deny access to account until the student's identity has been established through acceptable means.
Red Flag 2: A change of address (home or email) request occurs under suspicious circumstances. Example – a student requests change of address then requests a refund distribution.
Response: Ask student to come in and personally verify address and any suspicious usage activity.
Red Flag 3: A change of name request occurs without appropriate identification and/or documentation.
Response: Deny name change request until student’s identity has been established through acceptable means and/or appropriate documentation is provided.
Covered Account: Financial Aid Account
Responsible Staff: Financial Aid Staff
Red Flag 1: Department of Education selects student's FAFSA for verification
Response: Collect supplemental information from student and resolve any conflict between FAFSA and supplemental information provided by student
Red Flag 2: Student submits multiple FAFSAs containing conflicting information
Response: Contact student to resolve conflict and verify information
Covered Account: Email Accounts
Responsible Staff: ETS; Public Safety
Red Flag: Notification from student or employee that email has been accessed without authorization
Response(s): Freeze account; secure account. Report to Public Safety. Issue new account if necessary
Covered Account: Banner Accounts
Responsible Staff: ETS; Public Safety
Red Flag 1: Notification from student or employee that Banner has been accessed without authorization
Response(s): Freeze account; secure account. Report to Public Safety. Issue new account if necessary
Red Flag 2: Multiple failed login attempts
Response: Account will be locked after five (5) failed login attempts.
Employee Password reset:
Internet Native Banner – ETS Computing will reset password if employee provides proper identification in person. If sufficient identification is provided via telephone, ETS Computing will email new password to employee.
Banner Self Service - ETS Help Desk will reset password if employee provides proper identification in person. If sufficient identification is provided via telephone, ETS Help Desk will email new password to employee.
Student Password reset:
identification in person. If sufficient identification is provided via telephone, Records & Registration will email new password to student.
Covered Account: Deferred Tuition Payment Plan
Responsible Party: Outsourced to third party service provider – Nelnet Business Solutions
Response: Obtain/review Nelnet’s Identity Theft Prevention