IDENTITY THEFT PREVENTION – RED FLAG

1. Purpose
The purpose of this policy is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the program. The program shall include reasonable policies and procedures to:

  1. Identify relevant red flags for covered accounts the College offers or maintains and incorporate those red flags into the program;
  2. Detect red flags that have been incorporated into the program;
  3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  4. Insure the program is updated periodically to reflect changes in identity theft risks, a) to students and b) to the safety and soundness of the College’s program for identifying Red Flags.

The program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.

2. Definitions

  1. Identity theft means: Fraud committed or attempted using identifying information of another person without authority.
  2. A covered account means: An account that the College offers or maintains, primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions.
  3. A red flag means: A pattern, practice or specific activity that indicates the possible existence of identity theft.
  4. Program administrator means: The designated individual with primary responsibility for oversight of the program.

3. Covered Accounts
Pratt Community College has identified three types of accounts administered by the College.

  1. Refund of credit balances involving direct loans.
  2. Refund of credit balance without direct loans.
  3. Tuition payment plans.

4. Identification of Relevant Red Flags
The program considers the following risk factors in identifying relevant red flags for covered accounts:

  1. The types of covered accounts as noted above;
  2. The methods provided to open covered accounts – acceptance to Pratt Community College and enrollment in classes requires some or all of the following information:
    1. High school transcripts
    2. Official ACT or SAT scores
    3. Medical history
    4. Immunization history
    5. Insurance card

3. The methods provided to access covered accounts:

  • a. Disbursement obtained in person; require picture identification
  • b. Disbursement obtained by mail can only be mailed to an address on file.

4. The program identifies the following red flags:

  • a. Documents provided for identification appear to have been altered or forged;
  • b. The photograph or physical description on the identification is not consistent with the appearance of the person presenting the identification;
  • c. A request made from an email account not on file;
  • d. A request to mail something to an address not on file; and
  • e. Notice from student, customer, and victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.

5. Detection of Red Flags
The program will detect red flags relevant to each type of covered account as follows:

  • a. Refund of credit balance involving a Plus loan – as directed by federal regulation (U.S. Department of Education) these balances are required to be refunded in the parent’s name and mailed to their address on file with the time period specified. No request is required. Red Flag – none as this is initiated by the college.
  • b. Refund of credit balance, no Plus loan – requests from current students must be made in person by presenting a picture ID or in writing from the student’s email account on file. The refund check can only be mailed to an address on file or picked up in person by showing a picture ID. Requests from students not currently enrolled or graduated from the college must be made in writing.Red Flag – picture ID not appearing to be authentic or not matching the appearance of the student presenting it. Request not coming from a student issued email account.
  • c. Deferment of tuition payment or tuition payment plan – Requests made in person require the students’ signature. If request is made through the colleges’ payment plan providers the student must enter their student ID, password, and other personally identifying information. Red Flag – Signature does not appear to be that of student. See oversight of service provider arrangements.

6. Third Party and Vendor Controls
All outsourcing agreements concerning covered accounts shall require compliance with the Pratt Community College Identity Theft Prevention Program and require periodic audit for compliance with the program and shall indemnify Pratt Community College, its officers, faculty, staff and students against harm due to third party providers’ failure to comply with this program.

7. Response
The program shall provide for appropriate responses to detected red flags to prevent and mitigate identity theft. The appropriate responses to the relevant red flags are as follows:

  1. Deny access to the covered account until other information is available to eliminate the red flag;
  2. Notify the actual individual upon whom fraud has been attempted;
  3. Change any passwords, security codes or other security devices that permit access to covered account;
  4. Notify law enforcement;
  5. Determine no response is warranted under the particular circumstances

8. Oversight of the Program
Responsibility for developing, implementing, and updating this program lies with the Vice President of Finance and Operations. The program administrator will be responsible for ensuring appropriate training of College’s staff on administration, for ensuring appropriate training of College’s stuff on the program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and making changes to the program.

9. Updating the Program
This program will be periodically reviewed and updated to reflect changes in risks to students and to insure the soundness of the college’s identity theft program. At least
once per year the program administrator will consider the College’s experiences with identity theft, changes identity theft methods, changes in identify theft detection and prevention methods, change in types of account the College maintains and changes in the College’s business arrangements with outside entities. After considering these factors, the program administrator will determine whether changes to the program are needed.

10. Staff Training
College staff responsible for implementing the identity theft program shall be trained in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected. The College shall take steps to ensure that the activity of a service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft whenever the organization engages a service provider to perform an activity in connection with covered accounts.

Administrative Policy
600-08
60008