Compliance with Compliance with Federal Trade Federal Trade

Commission’s “Red Commission’s “Red Flag Rule”Flag Rule”

BackgroundBackground

Identify Theft is one of the fastest growing areas of white collar crime

U.S. Congress passed Fair and Accurate Credit Transactions of 2003 (FACT Act)

Act charged Federal Trade Commission (FTC) to address identity theft

FTC issued “Red Flags Rules”

Primarily designed for banks Primarily designed for banks and financial institutionsand financial institutions

Red Flags Rules requires “financial institutions” and “creditors” that hold “covered accounts” to develop and implement “an identity theft prevention program”

Why Lehigh?Why Lehigh?

We meet the criteria because of loan programs, installment payment plans, use of credit reports. For example:

◦Federal Perkins Loans◦University Loans◦Bursar’s Office Installment Payment Plans◦Lehigh credit and/or background checks

University systems maintain and communicate confidential personal information, consider for example:

W-2’s1098-T’sLoan NotesOffer Letters

Why Lehigh?

Implementation of the ProgramImplementation of the Program

Board of Trustees has approved Lehigh’s Identity Theft Prevention Program

Oversight by Peggy Plympton

Training appropriate University staff is part of the program

New hires will be trained in coordination with Banner training

Questions to Consider:Questions to Consider:

What’s a common method used to gain information about someone in order to “steal” their identity?

What’s a thief’s common strategy to delay someone from discovering their identity has already been stolen?

Answer: Change their address

Why are you being trained?Why are you being trained?

You have access to change addresses in BANNER using one of the following forms:

1. SPAIDEN2. PPAIDEN3. FOAIDEN4. APAIDEN

Lehigh is already “ahead of the curve”

The University has already established policies and procedures that include very good controls to safeguard identity and financial information

Purpose of the trainingPurpose of the training

To raise your level of awareness

To help you maximize the effectiveness of your department’s policies and procedures

To make sure your day-to-day practices = your policies and procedures

To know what to do if you encounter a red flag

Three Key Rules Three Key Rules

1) Debit and credit card issuers must develop policies and procedures to assess validity of a request for change of address

2) Users of consumer reports must develop reasonable policies and procedures to apply when they receive notice of an address discrepancy from a consumer reporting agency

3) Financial institutions and creditors holding “covered accounts” must develop and implement a written identity theft prevention program

How can you help?How can you help?

Identify relevant “red flags” you may encounter

Detect those “red flags”

Respond appropriately to detected red flags

Update the procedures periodically

““Red Flags” that could occur at Red Flags” that could occur at LehighLehigh

Documents provided for identification appearing altered or forged

Photograph on ID inconsistent with appearance of customer

Personal information inconsistent with information already on file at Lehigh

More red flags:More red flags:

Mail sent to customer repeatedly returned as undeliverable despite being an active account

A fraud alert included with a consumer report

A consumer reporting agency providing a notice of address discrepancy

Making an address changeMaking an address change

Preferred method of making student address changes is for the individual to make his/her own changes via Banner self-service.

See Registrar’s Office website for complete instructions

Requests made In-PersonRequests made In-Person

Acceptable identity verification:Government issued Picture ID

Additional confirming information is required if :

Picture ID is issued by non-government organization (ex: employer-issued ID card) OR

ID does not include a picture(ex: Social Security Card)

NOTE: All requests for change of address must be in writing!

Requests made by EmailRequests made by Email

Acceptable by Itself:

◦Email from a “lehigh.edu” account

Additional Confirmation is Required If:

◦Email is sent from any other email account

Requests by Mail or FaxRequests by Mail or Fax

All such requests must be signed. If any question about validity, take additional steps to confirm, for example:

Photocopy of driver’s licenseCopy of utility billSend sample mail to address to confirmPhone directoryInternet directories

Requests by PhoneRequests by Phone

No address should be changed without having something in writing from the customer.

This is for your protection as well as the customer’s.

Red Flags are not Black & Red Flags are not Black & White!White!

Before concluding you have an identity theft situation, consider the “big picture”:

Did a payment accompany the updated information?

How much was the payment?How/who benefited from the payment?Can the individual answer questions only student

would know?Have you ever temporarily forgotten some of

your personal information?

What to Do If You Suspect What to Do If You Suspect Identify TheftIdentify Theft

Delay opening new account

Suspend access to an existing account

Attempt to contact customer at the last known legitimate address/phone number

If you’ve done the above and still suspect identity theft, contact Lehigh Police

Why you should be concernedWhy you should be concerned

Fines from the government

Costs to Lehigh to help mitigate damages

Possible lawsuit

Damage to Lehigh’s reputation

Its the right thing to do!

Where to go for more InformationWhere to go for more Information

Contact Mike King, Bursar

See Federal Trade Commission website: www.ftc.gov