Red Flag Policy

Background

In response to the growing threat of identity theft, the United States Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Public Law 108-159. This amendment to the Fair Credit Reporting Act charged the Federal Trade Commission with promulgating rules regarding identity theft. On November 7, 2007, the Federal Trade Commission promulgated the final rules, know as "Red Flag" rules, which have an effective date of November 1, 2008 and an enforcement date of August 1, 2009 for all non-banking institutions falling under these requirements.

Hope College is required to provide for the identification, detection, and response to patterns, practices, or specific activities ("Red Flags") that could indicate identity theft of students. This is because the College serves as a creditor in relation to its students. The Office of Chief Financial Officer is directed to develop procedures to implement an Identity Theft Prevention Program (ITPP) to control reasonably foreseeable risks to students from identity theft.

The risk to the College from identity theft is of significant concern to the College and can be reduced only through the combined efforts of all employees whose job function relates to the administration of covered accounts.

Program Administrator

Holli Overbeek
Hope College Business Services Office
Anderson-Werkman Financial Center
100 East 8th Street-Suite 280
Holland, MI  49423
phone:  616.395.7810
fax:  616.395.7140
email:  overbeek@hope.edu

Program Adoption

Hope College ("College") developed this Identity Theft Prevention Program ("Program") pursuant to the Federal Trade Commission's Red Flags Rule ("Rule"), which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2000.

Purpose

The purpose of this policy is to establish an Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program. The Program shall include reasonable policies and procedures to:

1.  Identify risks (i.e. red flags) that signify potentially fraudulent activity within new or existing covered accounts.
2. Detect red flags when they occur in covered accounts.
3. Respond to red flags to determine if fraudulent activity has occurred and act if fraud has been attempted or committed, and
4. Evolve with the current environment and or institutional changes to remain current in its efforts to prevent identity theft. In order to do this, the College will update the program periodically, including reviewing the accounts that are covered and the identified risks that are part of the program.

The program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.     

Definitions

The rules apply to "financial institutions" and "creditors" with "covered accounts."

1. "Financial Institution" is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a transaction account belonging to a consumer. Hope College is considered a financial institution due mainly to the various student loan programs and tuition payment plans in which it participates.
2. A "creditor" is defined as someone who regularly extends, renews, or continues credit, who regularly arranges for an extension, renewal, or continuation of credit, or who is an assignee of an original creditor. The College is considered a creditor with respect to the student loan programs and monthly tuition payment plans.
3. A "covered account" is an "account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account." This policy incorporates this definition and charges the College with monitoring any such account for which there is a reasonably foreseeable risk of identity theft.
4. "Identity theft" means fraud committed or attempted using the identifying information of another person without authority.
5. "A "red flag" means a pattern, practice or specific activity that indicates the possible existence of identity theft.
6. A "customer" is anyone doing business on a regular basis with the college (i.e. students, parents, etc.).

Covered Accounts

A covered account includes any account that involves or is designed to permit multiple payments or transactions. Every new and existing customer account for which there is a reasonably foreseeable risk of identity theft, or a reasonably foreseeable risk to the safety or soundness of the College from identity theft is covered by this program.

Hope College has the following covered accounts that are subject to these criteria of which are covered accounts administered by the College.

College covered accounts:

1. Student Loans including the Federal Perkins Loan, Federal Plus Loan and other institutional and donor loans.
2. Refund of credit balances involving PLUS loans.
3. Refund of credit balances, without PLUS loans.
4. Monthly tuition payment plan account.
5. Deferment of tuition payments.
6. Accounts credited and billed through the cashier's office including student accounts.

All faculty, staff, and students have a card, referred to as an ID card, that they add money to for use at the cafeteria, library, and bookstore where they charge items directly to their account. This card is not used off campus. The risk of identity theft is low as the card holder's picture is on the front of the card, which is checked when the card is being used. All cards are non-transferable and are confiscated if the person using the card does not match the photo. As such, we do not consider these accounts to be a "covered account."

Identification of Relevant Red Flags

The Program considers the following risk factors in identifying relevant red flags for covered accounts:

1. The types of covered accounts as noted above.
2. The methods provided to open covered accounts.
3. Common application with personally identifying information
• high school transcript
• official ACT or SAT scores
• letters of recommendation
• entrance medical record
• medical history
• immunization history
• insurance card
4. The methods provided to access covered accounts:
• Disbursements obtained in person require picture identification
• Disbursements obtained by mail can only be mailed to an address on file
5. The College's previous history of identity theft.

The program identifies the following general red flags:

1. Documents provided for identification appear to have been altered or forged;
2. The photograph or physical description on the identification is not consistent with the appearance of the student presenting the identification;
3. A request made from a non-College issued E-mail account.
4. A request to mail something to an address not listed on file; and
5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.

The Program identifies the following specific red flags:

Consumer Reports

The following red flags are potential indicators of fraud. Any time a red flag, or a situation closely resembling a red flag, is apparent, it should be investigated for verification.

1. Alerts, notifications or warnings from a consumer reporting agency;
2. A fraud or active duty alert included with a report from a consumer reporting agency;
3. A notice of credit freeze from a consumer reporting agency in response to a request for a consumer report, or
4. A notice of address discrepancy from a consumer reporting agency as defined in 334.82(b) of the Fairness and Accuracy in Credit Transactions Act.

Red flags also include consumer reports that indicate a pattern of activity inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

1. A recent and significant increase in the volume of inquiries;
2. An unusual number of recently established credit relationships;
3. A material change in the use of credit, especially with respect to recently established credit relationships; or
4. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

1. Documents provided for identification that appear to have been altered or forged.
2. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
3. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
4. Other information on the identification is not consistent with readily accessible information that is on file with the College.
5. An application appears to have been altered or gorged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

Personal identifying information provided is inconsistent when compared against external information sources used by the College. For example:

1. The address provided does not match any addresses in the report from a Consumer Reporting Agency;
2. The Social Security number (SSN) has not been issued or is listed on the Social Security Administration's Death Master File, or
3. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
4. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the College. For example, the address on an application is the same as the address provided on a fraudulent application.
5. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the College. For example:
   • The address on an application is fictitious.
   • The phone number is invalid or is associated with a pager or answering service.
   • The SSN provided is the same as that submitted by other persons opening an account or other customers.
   • The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other customers.
   • The customer or the person opening the covered account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
   • Personal identifying information provided is not consistent with personal identifying information that is on file with the College.
   • When using security questions (mother's maiden name, pet's name, etc.), the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual use of, or suspicious activity related to the covered account

1. A covered account is used in a manner that is not consistent with established patterns on the account.
2. Nonpayment when there is no history of late or missed payments.
3. A material change in purchasing or usage patterns.
4. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
5. The College is notified that the customer is not receiving paper account statements.
6. The College is notified of unauthorized charges or transactions in connection with a customer's covered account.
7. The College receives notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the College.
8. The College is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Detection of Red Flags

The Program will detect red flags relevant to specific covered account as follows:

1. Refund of a credit balance involving a PLUS loan - As directed by federal regulation (U.S. Department of Education) these balances are required to be refunded in the parent's name and mailed to their address on file within the time period specified. A request is required by parent or student. Red Flag - Picture ID not appearing to be authentic or not matching the appearance of the student presenting it. Request not coming from a student issued e-mail account or a parent listed as PLUS loan borrower.
2. Refund of credit balance, no PLUS loan - request from current students must be made in person by presenting a picture ID or in writing from the student's college issued e-mail account. The refund check can only be mailed to an address on file or picked up on person by showing picture ID. Requests from students not currently enrolled or graduated from the college must be made in writing. Red Flag - Picture ID not appearing to be authentic or not matching the appearance of the student presenting it. Request not coming from a student issued e-mail account or a parent listed as PLUS loan borrower.
3. Deferment of tuition payment - requests are made in person only and require the student's signature. Red Flag - none.
4. Tuition payment plan - Students must enroll in the Budget Payment Plan or Electronic Payment Plan via enrollment application. Student must provide personally identifying information (name, ID#, address & phone) and banking information by way of canceled check or deposit ticket. Red Flag - Account information not verifiable. Names on personal checking or savings account do not match student /parent name.

Response

Once potentially fraudulent activity is detected, an employee must act quickly as a rapid appropriate response can protect customers and the College from damages and loss.

1. Once potentially fraudulent activity is detected, gather all related documentation and present this information to your supervisor (i.e. department head).
2. The department head will complete additional authentification to determine whether the attempted transaction was fraudulent or authentic.   

The appropriate responses to the relevant red flags are as follows:

1. Cancel the transaction;
2. Deny access to the covered account until other information is available to eliminate the red flag.
3. Notify the actual customer that fraud has been attempted and detected.
4. Change any passwords, security codes or other security devices that permit access to a covered account.
5. Notify the Controller, appropriate college administration, law enforcement, and/or 
6. Determine no response is warranted under the particular circumstances.

Oversight of the Program

Responsibility for developing, implementing and updating this Program lies with the Office of Chief Financial Officer. The Program Administrator will be responsible for the Program administration, for ensuring appropriate training of College's staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and litigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.

Updating the Program

This Program will be periodically reviewed and updated to reflect changes in risks to students and the soundness of the College from identity theft. At least once per year in October, the Program Administrator will consider the College's experiences with identity theft, changes in identity theft methods, changes in identity theft detection and arrangements with other entities. After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted. If warranted, the Program Administrator will update the Program.

Staff Training

College staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected.