Purpose
Due to growing Identity Theft concerns, the Federal Trade Commission (FTC) has issued "Red Flag Rules" to assist entities in detecting, preventing, and mitigating Identity Theft. To comply with the FTC Rules, NSU has adopted the following Identity Theft Prevention Policy for the Nova Southeastern University. It is the responsibility of NSU employees to familiarize themselves with the Red Flag examples and follow the procedures outlined below.
Policy
It is the policy of Nova Southeastern University to comply with the FTC Red Flag Rules. All employees working with covered accounts will be familiar with the Red Flag Rules. For policies and procedures relevant to any Covered Health Care Accounts, please refer to the HPD Division of Clinical Operations compliance with FTC Red Flag Rules policy which is incorporated herein by reference.
Covered Accounts
The Red Flag Policy applies to "covered accounts" maintained by NSU. The following are examples of NSU Covered Accounts:
- Federal Perkins Loan Program accounts
- Parent Loan for Undergraduate Student (PLUS) program accounts
- Federal Subsidized FEEL Stafford Loans accounts
- Unsubsidized Stafford Loans accounts
- Federal Family Education Loan Program accounts
- Student accounts maintained for deferment of tuition payment
- Payment plans for tuition or fees throughout the semester, rather than requiring full payment at the start of the semester
- Payment plans and promissory notes for other covered student accounts
- Accounts receivable
- Emergency loans to students, faculty or staff
Procedure
- Identification of Red Flags
There are 5 categories of Red Flags. Although some Red Flags can appear harmless on their own, they may signal identity theft when paired with one or more others.
The following are relevant Red Flags, in each of the listed categories, which employees should be aware of and diligent in monitoring for when dealing with covered accounts:
- Alerts, Notifications and Warnings from Consumer Reporting Agencies
- Report of fraud accompanying a credit report;
- Notice or report from a credit agency of a credit freeze on an applicant, employee or student;
- Notice or report from a credit agency of an active duty alert for an applicant, employee or student; and
- Indication from a credit report of activity that is inconsistent with applicant, employee or student's usual pattern or activity, including:
- A recent and significant increase in the volume of inquiries;
- An unusual number of recently established credit relationships;
- A material change in the use of credit, especially with respect to recently established credit relationships; or
- An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
- Suspicious Documents
- Identification document or card that appears to be forged, altered or inauthentic;
- Identification document or card on which a person's photograph or physical description is not consistent with the applicant, employee or student presenting the document;
- Other information on the identification is not consistent with information provided by the applicant, employee or student opening a new covered account presenting the identification;
- Other information on the identification is not consistent with readily accessible information that is on file with the municipality, such as a signature card or a recent check; and
- Application for service that appears to have been altered or forged or gives the appearance of having been destroyed and reassembled.
- Suspicious Personal Identifying Information
- Identifying information presented that is inconsistent with other information the applicant, employee or student provides (example: inconsistent birth dates);
- Photograph or physical description on the identifying information is not consistent with the appearance of the applicant, employee or student presenting the information;
- Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a credit report);
- Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
- Identifying information presented that is consistent with fraudulent activity, such as
- The phone number is invalid or is associated with a pager or answering service
- The billing address is fictitious, a mail drop, or a prison
- Social security number presented that is the same as one given by another person; has not been issued or is listed on the Social Security Administration's Death Master file;
- An address or phone number presented that is the same as that of another person;
- An applicant, employee or student fails to provide complete personal identifying information on an application when opening the covered account or in response to a notification that the application is incomplete
- An applicant, employee or student's identifying information is not consistent with the information that is on file for the customer;
- When using security questions (e.g., mother's maiden name or high school mascot), the applicant, employee or student opening the covered account cannot provide identifying information beyond that which is usually contained in a wallet or found in a consumer report;
- A request for information contained in a covered account is requested from a non-NSU issued e-mail account;
- A request to mail information contained in a covered account is to mail to an address not listed on file
- Suspicious Account Activity or Unusual Use of Account
- Change of address for an account followed by a request to change the account holder's name;
- Change of address for an account followed by a request for new, additional, or replacement services, or for the addition of authorized users on the account;
- A covered account is used that has been inactive for a lengthy period of time, taking into consideration the type of account, the expected pattern of usage, and other relevant factors;
- Payments stop on an otherwise consistently up-to-date account;
- Account used in a way that is not consistent with prior use, for example:
- very high activity;
- nonpayment when there is no history of late or missed payments;
- a material change in purchasing or usage patterns
- Mail sent to the account holder is repeatedly returned as undeliverable;
- Notice to NSU that a customer is not receiving mail or account statements sent by NSU;
- Notice to NSU that an account has unauthorized activity;
- Breach in NSU's computer system security; and
- Unauthorized access to or use of customer account information.
- Alerts from Others
- Notice to NSU from a victim of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.
- Detecting Red Flags
The following protocol must be followed for opening new accounts, maintaining existing accounts, and accessing covered accounts:
- New Accounts
In order to detect any of the Red Flags identified above associated with the opening of a new account, NSU employees must take the following steps to obtain and verify the identity of the person opening the account:
- Require identifying information, including name, date of birth, residential or business address, driver's license or other photo identification;
- Verify the applicant, employee or student's identity (for instance, review a driver's license or other I.D. card);
- Independently contact the applicant, employee or student to verify the new account;
- For Emergency loans, requests must be made in person by presenting photo identification or in writing from the student's NSU-issued e-mail account. The loan check can only be mailed to an address on file or picked up in person by showing picture ID.
- Existing Accounts
In order to detect any of the Red Flags identified above for an existing account, NSU employees must take the following steps to monitor transactions with an account:
- Verify the identification of applicant, employee or student if they request information (either in person, via telephone, via facsimile, or via email by asking them to provide the identifying information on file);
- Verify the validity of requests to change billing addresses with the applicant, employee or student; and
- Verify changes in banking information given for billing and payment purposes.
- Methods to Access Covered Accounts
- Disbursement of information contained in covered accounts obtained in person requires provision of photo identification
- Disbursement of information contained in covered accounts by mail can only be mailed to the address on file under the covered account
- Refunds of credit balances, including loan balances, must be refunded in person by presenting photo identification or in writing from the employee or student's NSU-issued e-mail account. Refund checks can only be mailed to an address on file or picked up in person by showing photo identification.
- Refunds of a credit balance for a PLUS loan is required to be refunded in the parent's name and mailed to their address on file within the time period specified. No request is required.
- Credit card information used in association with covered accounts must be maintained in accordance with NSU's Credit Card Processing Controls.
- Responding to Red Flags
When a potentially fraudulent activity is detected, NSU must act quickly as appropriate to protect applicants, employees and students. In the event an employee detects any of the identified Red Flags, the following steps shall be taken to respond to and mitigate identity theft:
- Stop the billing/admissions process and require provision of additional documentation to resolve the discrepancy. Reporting employee shall notify his/her supervisor or designated authority of discrepancy for further instruction.
- NSU Collections Services will be notified and instructed to place a hold and flag suspected applicant, employee or student accounts in the appropriate information system.
- NSU Information Systems Support will be notified to lock suspicious customer/student account in the appropriate information systems.
- The supervisor or designated authority will complete additional authentication to determine whether the attempted transaction based upon information available at that time could be fraudulent or authentic.
- If discrepancy is resolved, re-verify information with the patient and continue with the billing/admissions process.
- If discrepancy is not resolved, all related documentation should be gathered and a description of the situation should be written utilizing the NSU Red Flag Report Form. This information should be presented to a supervisor or designated authority for further instruction. The employee detecting the Red Flag must fill out and complete the Red Flag Report Form. The supervisor or designated authority must fill out the initial action taken.
- The supervisor or designated authority will open a file on suspicious account which is to be submitted to the Program Administrator for further investigation. For purposes of reporting, the file must include the following information:
- Copy of any and all documentation supporting the report of suspicious account activity/individual
- A completed NSU Red Flag Report Form
- Identification of any third party interests for the affected customer/student, including but not limited to student loan programs, which may be affected or impacted by the suspicious activity. This information is to include customer/student name, associated third party account number, and third party contact information.
- The Program Administrator or authorized designee will conduct investigation to determine whether the attempted transaction was fraudulent or authentic. Depending on the nature and degree of risk posed by the Red Flag, the Program Administrator or authorized designee authority will:
- Instruct the supervisor or designated authority to continue to monitor an account for evidence of Identity theft;
- Other appropriate responses and actions may include:
- Determining that no response is warranted under the particular circumstances;
- Canceling the transaction;
- Terminating treatment or credit until the discrepancy is resolved;
- Contacting the customer/student against whom the fraud has been attempted;
- Changing any passwords or other security devices that permit access to accounts;
- Not opening a new account;
- Closing an existing account;
- Reopening an account with a new account number;
- Notifying and cooperating with appropriate law enforcement;
- Determining the extent of liability of NSU or damage to NSU; and
- Notifying any appropriate insurers or third parties.
- If a consumer report includes an initial fraud alert or an active duty alert regarding an account, NSU employees must provide additional services to be billed to the account for which the fraud alert was issued, unless the employee forms a reasonable belief that the user he/she knows the identity of the person making the request and obtains authority from his/her supervisor.
- The Program Administrator or authorized designee must complete the remainder of the Red Flag Report Form.
- A copy of the Form must be maintained on file with the supervisor or designated authority and the Program Administrator.