Red Flag Policy
Columbia College recognizes that identity theft is a continuing and growing issue that can result in harm to its students and employees as well as the institution. Pursuant to the Federal Trade Commission’s (FTC) Red Flag Rules, which implements the Fair and Accurate Credit Transaction Act (the FACT Act) of 2003, Columbia College has enacted the Red Flag Policy to protect Columbia College, its’ students and employees from Identity Theft and the related damages that may result from Identity Theft. This policy establishes procedures to:
- Identify Covered Accounts;
- Identify the Red Flags relevant to Columbia College;
- Detect Red Flags;
- Respond appropriately to detected Red Flags;
- Train responsible staff;
- Update the program and perform risk assessment.
This policy applies to all College departments that collect and maintain personal information.
Account- a continuing relationship established by a person with a creditor to obtain a product or service for personal, family, household or business purposes. It includes a) an extension of credit, such as the purchase of property or services involving a deferred payment, and b) a deposit account.
Covered Account- a) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and b) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from Identity Theft, including financial, operational, compliance, reputation, or litigation risks.
Identity Theft - fraud committed or attempted using the identifying information of another person without their knowledge or permission.
Red Flag - a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
Service Provider – a person that provides a service directly to the financial institution or creditor.
Identify Covered Accounts
College departments are responsible for determining whether they have oversight of Covered Accounts. Those departments that have a Covered Account must develop and implement a written plan that identifies relevant Red Flags for their specific Covered Account.
Identify Red Flags
Each department will identify the Red Flags associated with their Covered Accounts taking into consideration the types of accounts offered and maintained, the methods provided to open and access accounts, and previous experiences with identity theft.
The following are examples of Red Flags that can be potential indicators of Identity Theft:
- Alerts, notifications, or other warnings received from consumer reporting agencies or Service Providers;
- Notice of credit freeze from a consumer reporting agency in response to a request for a consumer report;
- Notice from customers, victims of Identity Theft, law enforcement authorities, or other persons regarding possible identity;
- The presentation of suspicious documents;
- The presentation of suspicious personally identifying information, such as a suspicious address change;
- Personal identifying information provided is inconsistent when compared against external information sources used by the College;
- The unusual use of, or other suspicious activity related to a covered account;
- Photograph or physical description of student is not consistent with the appearance of the student providing identification;
- Requests to mail information to addresses not on file with the college;
- Documents presented for the purpose of personal identification are incomplete or appear to have been altered, forged or inauthentic;
- Questions are not consistent with basic, general knowledge (lack of knowledge of basic information such as familiarity with college policy, campus attended, eServices, etc);
- Person is very vague about contact information or refused to provide it.
This is not an exhaustive list.
Detect Red Flags
Departments should develop and implement procedures to detect Red Flags associated with opening new or accessing existing Covered Accounts.
- Monitor account transactions for possible Red Flags. Require certain identifying information such as name, date of birth, residential or business address, driver license, or other photo identification.
- Require multi-factor identification before conducting any transaction over the phone that relates to a Covered Account.
- Require authorization on file before releasing personal information to a third party;
- Require that online transactions come through a secure, password protected portal in accordance with the Standards for Securing Regulated Private Data policy.
- Thoroughly follow up on each billing inquiry, especially inquiries regarding services not received and/or billing errors.
- Verify the validity of a change of address request on an existing account and provide the customer with a means to promptly report an incorrect address.
Response to Detected Red Flags
Departments should respond appropriately to detected Red Flags in order to prevent and mitigate Identity Theft. The response should be commensurate with the degree of risk posed. Once potentially fraudulent activity is detected, an employee must act quickly as a rapid response can protect customers and the College from damages and loss.
If Red Flags are detected, one or more of the following steps may be taken:
- monitor the Covered Accounts for evidence of identity theft;
- request additional documentation to validate identity;
- contact the consumer and verify if the activity is fraudulent;
- where appropriate, disable access or change passwords, security codes, or other security devices;
- close the Covered Account, and if needed reopen with a new account number;
- refuse to open a new Covered Account for the customer;
- notify the department’s supervisor and, the College’s General Counsel;
- determine if law enforcement should be notified;
- determine that no response is warranted under the particular circumstances.
Any department who is involved in a case of Identity Theft should maintain a log of the incident(s). The log should contain the date, description of the incident, what Red Flags were involved, and what actions were taken to avoid a similar situation from occurring in the future.
Train Responsible Staff
Each department having Covered Accounts will compile a list of their staff that are responsible for performing the day-to-day application of the Red Flags procedures to a specific Covered Account.
Responsible staff should receive training on Red Flags Identity Theft prevention and their department’s Red Flag procedures.
Program Update and Risk Assessment
The department head or their designee of a Covered Account shall conduct a risk assessment periodically. The assessment should consider prior experience with Identity Theft; changes in the methods of Identity Theft; changes in the detection, prevention, and mitigation of Identity Theft; the Covered Accounts offered and administered by the College; and the potential Red Flags that may arise with respect to the Covered Accounts. The assessment should also consider any changes in risks to students and individual account holders and to the safety and soundness of the College from Identity Theft. Documentation of the review must be maintained in the department.