ESTABLISHING A RED FLAGS RULE IDENTITY THEFT PREVENTION PROGRAM FOR WINTHROP UNIVERSITY

WHEREAS, The Fair and Accurate Credit Transactions Act of 2003, an amendment to the Fair Credit Reporting Act, requires rules regarding identity theft protection to be promulgated and adopted jointly by the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; and the Federal Trade Commission; and

WHEREAS, Those rules become effective November 1, 2008, and require certain financial institutions and creditors to implement an identity theft prevention program; and

WHEREAS, The Federal Trade Commission suspended enforcement of the new "Red Flags Rule" until May 1, 2009; and

WHEREAS, The Federal Trade Commission delayed enforcement of the new "Red Flags Rule" until August 1, 2009; and

WHEREAS, The risk to the University and its students, faculty, staff, and other constituents from data loss and identity theft is of significant concern to the University, and the Board of Trustees has determined that the University should make reasonable efforts to detect, prevent, and mitigate identity theft; and

WHEREAS, The Board of Trustees has determined that the proposed Red Flags Rule Identity Theft Prevention Program is in the best interest of the University and its students, faculty, staff, and other constituents;

THEREFORE, LET IT BE RESOLVED by the Board of Trustees for Winthrop University meeting in Rock Hill, South Carolina on June 5, 2009 that:

1. the "Red Flags Rule Identity Theft Prevention Program" attached hereto as Exhibit A is hereby approved; and
2. the Vice President for Finance and Business of the University is hereby delegated operational responsibility of the Program, including but not limited to oversight, development, implementation, and administration of the Program; approval of needed changes to the Program; and implementation of needed changes to the Program.  

EXHIBIT A

RED FLAGS RULE

IDENTITY THEFT PREVENTION PROGRAM

Purpose

The purpose of this policy is to establish a Red Flags Rule Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program.  The Program shall include reasonable policies and procedures to:

  • Identify relevant Red Flags for covered accounts the University offers or maintains and incorporate those Red Flags into its Program;
  • Detect Red Flags that have been incorporated into the Program of the University;
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft;
  • Ensure the Program is updated periodically to reflect changes in risks to students and borrowers and to the safety and soundness of the University from identity theft; and
  • Incorporate, as appropriate, existing policies and procedures that control reasonably foreseeable risks.

Existing Policies and Practices

The University has policies to ensure compliance with Gramm-Leach-Bliley Act (GLB), Family Educational Rights and Privacy Act (FERPA), system and application security, and internal control procedures which provide an environment where identity theft opportunities are mitigated.  Records are safeguarded to ensure the privacy and confidentiality of student and borrower records. 

In addition, the University adheres to the following practices:

  • All paper files are kept in locked filing cabinets while not being used. 
  • Access to confidential information is limited to only those employees who need access in order to properly perform the duties for which they were hired.
  • Employees with access to confidential information understand that this is confidential business information and is not to be discussed with anyone who does not "need to know." 

Definitions

  • Identity theft means fraud committed or attempted using the identifying information of another person without authority.
  • Account means a continuing relationship established by a person with the creditor to obtain a product or service for personal purposes.  Account includes an extension of credit involving a deferred payment.
  • Covered account means an account that a creditor offers or maintains primarily for personal purposes that involves or is designed to permit multiple payments or transactions.
  • Red Flag means a pattern, practice or specific activity that indicates the possible existence of identity theft.

Covered Accounts

  • The University participates in the Federal Perkins Loan Program
  • The University participates in the South Carolina Teaching Fellows Program
  • The University offers and establishes student payment plans

Identifying Relevant Red Flags

  • The photograph or physical description on the identification is not consistent with the appearance of the student or borrower presenting the identification.
  • The SSN provided is the same as that submitted by other students or borrowers.
  • The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other students or borrowers.
  • The person opening the covered account or the student or borrower fails to provide all required personal identifying information on an application or in response to notification that the application is complete.
  • A covered account is used in a manner that is not consistent with established patterns of activity on the account — nonpayment when there is no history of late or missed payments.
  • The University is notified of unauthorized charges or transactions in connection with a student or borrower's covered account.
  • The University is notified by a student or borrower, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Detecting Red Flag Activity

Covered accounts are opened as follows:

Federal Perkins Loan Program

  • Perkins borrowers sign their promissory notes using an electronic signature, which requires a PIN number that is unique to each borrower. 
  • A Perkins borrower can allow a third party to have access to his/her account information by completing the FERPA form in the electronic exit interview process.  If no one is listed, a third party will not have access to any account information without the borrower's written permission.  The borrower can log onto the exit site at any time to update this information if he/she decides that it would be beneficial for another party to have access to account information.

South Carolina Teaching Fellows Program

  • Teaching Fellows borrowers sign their promissory notes manually, which must be notarized.
  • The promissory note must be signed by a Surety in addition to the borrower.  The Surety is required to be a parent or guardian if the borrower is under the age of 18.  If the borrower is over the age of 18, the Surety may be any SC resident over the age of 21. 

Student Payment Plans

Students must call, e-mail or come into the Controller's Office to request their account be placed on a tuition payment plan. 

Responding to Red Flags

The Program shall provide for appropriate responses to detected red flags to prevent and mitigate identity theft.  The appropriate responses to the relevant red flags are as follows:

  • Contacting the student or borrower;
  • Changing any passwords, security codes, or other security devices that permit access to a covered account;
  • Reopening a covered account with a new account number;
  • Closing an existing covered account;
  • Not attempting to collect on a covered account;
  • Notifying law enforcement; and/or
  • Determining that no response is warranted under the particular circumstances. 

Updating the Program

The University will update the Program annually in December, to reflect changes in risks to students or borrowers or to the safety and soundness of the University from identity theft, based on factors such as:

  • The experiences of the University with identity theft;
  • Changes in methods of identity theft;
  • Changes in methods to detect, prevent, and mitigate identity theft; and
  • Changes in the types of accounts that the University offers or maintains.

Oversight of Service Provider Arrangements

The University shall take steps to ensure that the activity of a service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft whenever the University engages a service provider to perform an activity in connection with one or more covered accounts.

Currently the University uses UAS to administer the Perkins Loan Program.  Students contact UAS directly through its website or by telephone and provide personal identifying information to be matched to the records that the University has provided to UAS.