
26 of 1: Compliance with the Red Flags Rule in Higher Education (166215255)

Date post: 14-Apr-2018
Upload: educause
Page 1: 26 of 1: Compliance with the Red Flags Rule in Higher Education (166215255)

7/29/2019 26 of 1: Compliance with the Red Flags Rule in Higher Education (166215255)

http://slidepdf.com/reader/full/26-of-1-compliance-with-the-red-flags-rule-in-higher-education-166215255 1/19

26 of 1… Compliance With the Red Flags Rule in Higher Education

Sarah Morrow, MBA-ISM, CIPP/US, GISP
Chief Privacy Officer, The Pennsylvania State University

Maura Johnston, JD, CIPP/US
University Privacy Officer, University of Pennsylvania

 Abstract

Compliance with financial regulations in higher education, especially the Red Flags Rule, is as complex as it gets; it is a regulation with elusive requirements. Join two university privacy officers to hear about how compliance was achieved at their respective institutions.

Objectives

• This presentation will provide an overview of the Red Flags Rule;

• How IT is an integral part of university compliance in this area; and

• Answer questions you may have about where, when, and why this law applies to institutions of higher learning.

Red Flags Rule Was Adopted by FTC to require:

• financial institutions and creditors that maintain certain accounts to have an identity theft prevention program;

• users of consumer reports to implement procedures for handling notices of address discrepancy from credit bureaus; and

• credit/debit card issuers to have procedures to assess validity of change of address notices.

Who has to comply with the Red Flags Rule?

• Financial institutions

• “Creditors” who have “covered accounts”

Effective date(s)

• The rule was vague and compliance seemed difficult in many ways; the effective/compliance date was postponed several times.

November 2008

May 2009

August 2009

November 2009

 June 2010

December 2010

“Creditor”

• Under Red Flags Program Clarification Act of 2010, a “creditor” is an entity that regularly, in the ordinary course of business:

• Obtains or uses credit reports in connection with a credit transaction;

• Provides information to credit bureaus, in connection with a credit transaction; or

• Advances funds that must be repaid in the future.

• Interpreted by FTC to cover higher education institutions.

“Covered Accounts”

• “Covered account” is an account offered primarily for personal, family, or household purposes that either:

• permits multiple payments or transactions; or

• involves a reasonably foreseeable risk of identity theft.

Identity Theft Prevention Program

Identify Relevant Red Flags

• Identify the red flags of identity theft you’re likely to come across

Detect Red Flags

• Set up procedures to detect those red flags in your day-to-day operations

Prevent and Mitigate Identity Theft

• If you spot the red flags you’ve identified, respond appropriately to prevent and/or mitigate harm

Design program appropriate to organization’s size and complexity, and nature of operations

Update program periodically

• Risks of identity theft can change rapidly, so keep program current and

Some Potential Red Flags

• Federal Trade Commission identifies 26, in five categories:

• alerts, notifications, or warnings from a consumer reporting agency

• suspicious documents

• suspicious identifying information, such as a suspicious address

• unusual use of – or suspicious activity relating to – a covered account

• notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with “covered accounts”

Penn State’s Approach

• Committee formed to create and vet the required training.

• Bursar (leader)

• Corporate Controller Office

• Privacy

• Financial Officers

• IT and Security Offices

• CPO had final approval sign off 

• Implemented prior to actual effective date

• Annual training

Penn State’s Approach

• At Penn State

• Financial Officers

• Student Aid

• Bursar

• Credit Card Transaction locations…. (all around us)

• Milton S. Hershey Medical Center

• University Health Services

• ID+ LionCash

• Security Operations and Services

● PCI

Penn State’s Approach

• Security Operation and Services

• Watches my back

• PCI-DSS may find more than simple credit card fraud

• Teaching moments

• Technological advances make identity theft more common and easier to achieve

• Keep APT on the radar

• Devise more accurate methods to assess risk

It’s just my opinion

• This is a really difficult rule with which to comply because it is so vague

• It probably shouldn’t apply to colleges and universities

Penn’s Approach

Formed Red Flags Task Force

• Representatives from potentially covered areas

• Narrowed group to areas we concluded were covered

• Central policy developed

• Simplified content of Rule

• Specific to Penn

• Procedures and training developed by each covered area

Penn’s Approach

• Covered areas:

• Student Financial Services

• Tuition refunds

• Collections

• Student Health

• Dental Medicine

• Veterinary Medicine

• Home Ownership Services

• PennCard

• Health System

Penn’s Approach

IT’s role in preventing identity theft

Example: Health System - Medical Office Visit

● If Red Flags present (such as ID that looks altered or forged), Incident Report is created

● Incident Report is forwarded to team that reviews and, if appropriate, posts Red Flags Alert

● Alert interfaces with all core registration databases

● Incident Report is scanned into electronic health record system

Penn’s Approach

• Review/update Red Flags program periodically

• Experienced incidents of identity theft in the past year?

• Experienced changes in methods of identity theft in the past year?

• Amended Red Flags procedures since they were first adopted?

• Any changes that might present new potential opportunities for identity theft?

• Staff received training on Red Flags procedures?

• Suggestions for changes to Red Flags program?

Questions?

• Sarah Morrow

(814)863-3049

• Maura Johnston

(215)898-1934

