Identity Theft and Red FlagIdentity Theft and Red FlagRulesRules

Training ModuleTraining Module

The University of Texas at Tyler

Identity Theft - Red FlagIdentity Theft - Red FlagTrainingTraining

This training is intended for view prior to each area creating their own unique policies and procedures for identifying, detecting, preventing, and mitigating identity theft.

Identity Theft - Red FlagsIdentity Theft - Red Flags

Red flags in this training means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

Red Flag Rules Background Red Flag Rules Background

In November 2007, final rules were issued to implement the Identity Theft Flags Rule.

The Rule applies to financial Institutions including universities that offer or maintain Accounts;

The Rule requires the implementation of a written Identity Theft Prevention Program.

UT Tyler falls within the scope of the Red Flag UT Tyler falls within the scope of the Red Flag

Rules because we act as a “creditor” by:Rules because we act as a “creditor” by: regularly extending, renewing, or continuing credit; regularly arranging for such credit; acting as an assignee of an original creditor.

Simply accepting credit cards as a form of payment does not make you a “creditor” under the Red Flags Rule. But if you offer a debit or credit card, arrange credit for your customers, or extend credit by selling customers goods or services now and billing them later, you are a “creditor” under the law.

COVERED ACCOUNTSCOVERED ACCOUNTS

The Rule’s goal is to detect, prevent, and mitigate identity theft in certain 'covered accounts.'

A ‘covered account’ is any account that the University of Texas at Tyler offers or maintains: – Primarily for personal, family, or household purposes, or – That permits multiple payments or transactions, or – For which there is a reasonably foreseeable risk of identity theft.

THE RULETHE RULE …is actually three different but related rules - all will

definitely apply to the following areas at UT Tyler: (681.1) Users of Consumer Reports and background

checks (681.2) Creditors holding ‘Covered Accounts’ (681.3) Issuers of Debit and Credit Cards

USERS OF CONSUMER REPORTSUSERS OF CONSUMER REPORTS

(681.1) Users of consumer reports must develop reasonable policies and procedures

to verify the identity of consumers and confirm their addresses, when necessary. Applies to any areas of UT Tyler that utilize

consumer reporting agencies (Equifax, Experion, TransUnion) for any reason, i.e. credit or background checks for loans or collection purposes, or for new hire applicants. Includes Human Resources, Campus Police, Nursing, etc.

CREDITORSCREDITORS

(681.2) “…creditors holding ‘covered accounts’ must develop and implement written procedures for both new and existing accounts.” – This provision applies to any areas of UT Tyler

that issue any type of credit, i.e. Stafford Loans, Housing or Meal Payment Plans, Student Deferred Payment Plans, emergency loans, P2 cards, Swoop cards, Procards, Travel cards, etc.

Debit and Credit Card IssuersDebit and Credit Card Issuers

(681.3) Debit and credit card issuers must develop reasonable policies and procedures to assess the validity of a request for change of address followed closely by a request for an additional or replacement card.

Identifying Red FlagsIdentifying Red Flagsand Fraud Indicatorsand Fraud Indicators

A Red Flag, or any situation closely resembling one, should be investigated for verification.

    The following are potential indicators of fraud:

Alerts, notifications, or other warnings from credit agencies

• Suspicious documents or personal identifying information

• Unusual or suspicious account activities • Notices from customers, victims of identity theft, law

enforcement authorities, or others

Alerts, Notifications, and WarningsAlerts, Notifications, and Warnings

Watch for these notices from consumer reporting Watch for these notices from consumer reporting agencies, service providers, or fraud detection services: agencies, service providers, or fraud detection services: – An An active duty alert or a fraud alert included with a consumer

report; – A notice of A notice of credit freeze in response to a request for a consumer

report; or– A notice of A notice of address discrepancy.

You'll need to add a procedure for appropriate You'll need to add a procedure for appropriate responses to notices.responses to notices.

Suspicious DocumentsSuspicious Documents

Identification documents that appear to have been altered or forged.

The photograph or physical description on an ID that doesn’t match the Customer presenting it.

Information on the identification that is inconsistent with other information provided or readily accessible, such as a signature card or a recent check.

An application or document that appears to have been destroyed and reassembled.

Suspicious Personal InformationSuspicious Personal Information

Personal Identifying Information (PII) is any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual.

Examples of suspicious personal information: PII provided is inconsistent with PII that is on file, or when

compared to external sources. For example, The address does not match any address in the consumer

report; The SSN has not been issued or is listed on the Social

Security Administration’s Death Master File; There is a lack of correlation between the SSN range and

date of birth.

Fraudulent Personal InformationFraudulent Personal Information

PII provided is associated with known fraudulent activity, or is of a type commonly associated with fraudulent activity. For example,

The address on a document is the same as the address provided on a known fraudulent document;

The address on a document is fictitious, a mail drop, or a prison;

The phone number is invalid or is associated with a pager or answering service.

Just how suspicious….?Just how suspicious….?

…a SSN provided for an account is the same as one provided by another person for a different account?

– How would you know?

– …the person opening a Covered Account fails to provide all the required personal identifying information on an application and then doesn’t respond to notices that the application is incomplete?

What do you do next?

…a person requesting access to a Covered Account cannot answer the security questions (mother’s maiden name, pet’s name, etc.)?

How do you handle this?

Looking Below the SurfaceLooking Below the Surface

Sometimes fraudulent activity is not that obvious.

Do you know what to do if… 

…mail sent to the account-holder is returned repeatedly as

undeliverable although transactions continue to be conducted in connection with the Covered Account??

…the University is notified that a customer is not receiving paper account statements, even though they are being mailed and not returned??

On The Other Hand…On The Other Hand…

Sometimes the problem is obvious, but do you know the procedure when…

…the University receives a notice regarding possible identity theft in connection with Covered Accounts held by your unit???

…the University is notified that your department has opened a fraudulent account for a person engaged in identity theft???

Responding to Red FlagsResponding to Red Flags

Report known and suspected fraudulent activity immediately - to protect both Customers and the University from damages and loss:

  Gather all related documentation and

– provide a complete description of the situation and report to your supervisor.

Taking ActionTaking Action

If a transaction is or appears to be fraudulent, take appropriate actions immediately:

Cancel the transaction; Notify your supervisor and if necessary, contact

and cooperate with University Police and appropriate law enforcement;

Determine the extent of liability of the University; Notify the Customer that fraud has been

attempted.

The Next Steps:The Next Steps:

Identify the red flags in your area; Set up procedures to detect those red

flags in day-to-day operations; Train all employees on the procedures; Decide what actions to take when a red

flag is detected; Periodically review the red flag list to

ensure that they are still relevant.

Test Your KnowledgeTest Your Knowledge

Following are several questions to test your knowledge of the information presented.

Answer all questions correctly to receive credit for the training.

Question #1Question #1

The Red Flag Rules applies to financial institutions and creditors that offer or maintain “Accounts”. Universities must comply with the Red Flag Rules.

TRUETRUE FALSEFALSE

REVIEWREVIEW

Question #2Question #2

The Rule’s goal is to detect, prevent, and mitigate identify theft in certain covered accounts the University maintains.

TRUETRUE FALSEFALSE

REVIEWREVIEW

Question #3Question #3

Users of consumer reports must develop reasonable policies and procedures to verify the identity of consumers and confirm their address when necessary.

TRUETRUE FALSEFALSE

REVIEWREVIEW

Question #4Question #4

Debit and Credit cards must develop reasonable policies and procedures to assess the validity of a request for change of address followed closely by a request for an additional or replacement card.

TRUETRUE FALSEFALSE

REVIEWREVIEW

Question #5Question #5Which of the following are potential indicators of fraud?

Alerts, notifications, or other Alerts, notifications, or other warnings from credit agencieswarnings from credit agencies

Suspicious documents or personalSuspicious documents or personalidentifying informationidentifying information

Unusual or suspicious accountUnusual or suspicious accountactivitiesactivities

Any and all of the aboveAny and all of the above

REVIEWREVIEW

Question #6Question #6

“Suspicious” documents include:

Identification documents appearIdentification documents appearto have been altered or forgedto have been altered or forged

Driver’s license photo does notDriver’s license photo does notmatch personmatch person

Identification provided isIdentification provided isinconsistent with information on fileinconsistent with information on file

Any and all of the aboveAny and all of the above

REVIEWREVIEW

Question #7Question #7

Personal Identification Information (PII) includes any name or number that may be used alone or in conjunction with any other information, to identify a specific individual.

TRUETRUE FALSEFALSE

REVIEWREVIEW

Question #8Question #8If a transaction is or appears to be fraudulent, you should immediately cancel the transaction, notify your supervisor and if necessary the campus police, determine the extent of liability of the University, and notify the customer that a fraud has been attempted.

TRUETRUE FALSEFALSE

REVIEWREVIEW

Question #9Question #9After you have identified the red flags of ID theft, what do you do next?

Set up procedures to detect thoseSet up procedures to detect thosered flags in your daily operations.red flags in your daily operations.

Train all employees who will useTrain all employees who will usethe procedures.the procedures.

Decide what actions to take whenDecide what actions to take whena red flag is detected.a red flag is detected.

All of the above.All of the above.

REVIEWREVIEW

Question #10Question #10

Your list of red flags should be reviewed periodically to be sure they are still relevant.

TRUETRUE FALSEFALSE

REVIEWREVIEW

Congratulations… Congratulations… you have completed your training you have completed your training

on Identity Theft and Red Flag on Identity Theft and Red Flag Rules.Rules.

The University of Texas at Tyler

General Compliance Training

The Training Post An Educational Computer Based Training Program

CBT