Red Flag Rule, Identity Theft Program

Identity Theft Program

Purpose

This Identity Theft Program ("Program") is designed to detect, prevent and mitigate identity theft in connection with opening or maintaining a covered account, in compliance with regulations. Codified at 16 CFR Part 681, and promulgated under the Fair and Accurate Credit Transaction Act of 2003 ("FACTA").

Definitions

Identity Theft means fraud committed or attempted using the identifying information of another person without authority.

Covered Account means

• an account that Rockhurst offers or maintains, primarily for personal purposes, that involves or is designed to permit multiple payments or transactions
• any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of Rockhurst from identity theft

Red Flag means a pattern, practice or specific activity that indicates the possible existence of identity theft.

Procedure

Rockhurst has identified relevant Red Flags concerning the opening and maintenance of its Covered Accounts.  Those Red Flags are:

• Presentation of suspicious documents when opening or accessing a Covered Account including but not limited to:
  • Identification documents that appear to have been altered or forged
  • The photograph or description on the document is not consistent with the individual presenting the document
  • An application appears to be altered or forged, or gives the appearance of having been destroyed and reassembled 
• Presentation of suspicious personal identifying information when opening or accessing a Covered Account, including but not limited to:
  • Personal identifying information provided by the consumer is not consistent with other personal identifying information provided by the consumer. For example, there is a lack of correlation between the SSN range and date of birth
  • Address information is fictitious or a mail drop
  • Phone number is invalid or is associated with a pager or answering service
  • Address or phone number information is the same or similar to other address or phone number information submitted
  • SSN provided is the same as that submitted by other persons opening an account or other consumers
  • Failure to provide all required personal identifying information or fail me to respond to a notification the information provided is incomplete 
• Unusual use of or suspicious activity related to the Covered Account including, but not limited to:
  • Failure to make an initial payment, or failure to make any payments following the initial payment
  • Nonpayment when there is no history of late or missed payments
  • Mail sent to consumer is returned as non-deliverable, but transactions continue on the consumer's account
  • Rockhurst is notified that the consumer is not receiving paper account statements
  • Notification of unauthorized transactions
  • Notification by consumer of payments not received or not made 
• Notification of identity theft or of possible identity theft by a service provider or other individual or entity.

Detection of Red Flags

Rockhurst will take the following measures in connection with opening or accessing a Covered Account:

• Rockhurst will obtain identifying information about, and will verify the identity of, a person opening a Covered Account, including that Rockhurst will:
  • Require the submission of personal identifying information before opening an account, including photo identification if in person, and ensure the completeness of the submission;
  • Review personal identifying information for Red Flags;
  • Rockhurst will authenticate those seeking to access Covered Accounts, and will verify changes of address for Covered Account-holders, including that Rockhurst will:
  • Require photo identification for in-person requests including, but not limited to, credit payments.
  • Monitor account activity;
  • Confirm change of address requests through alternate means;

Steps on Occurrence of a Red Flag

Upon occurrence of a Red Flag, Rockhurst will take steps to prevent and mitigate identify theft, including:

• Rockhurst may contact the account holder;
• Rockhurst may change security codes or passwords used to access accounts;
• Rockhurst may put a hold on an account;
• Rockhurst may close the account and re-open the account with new account information; or
• Rockhurst may notify law enforcement.

In certain circumstances, Rockhurst may determine no action is warranted.

An individual who discovers a Red Flag must immediately advise the Manager of Student Accounts so the most appropriate response may be determined.

Third-Party Service Providers:

To the extent Rockhurst engages third-party service providers to open and/or maintain Covered Accounts, Rockhurst will take steps to ensure the third-party service providers act in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.  Such steps may include, but are not limited to, contractual requirements about the service provider's obligations to prevent, detect and mitigate identity theft.

Training

Rockhurst will train staff with responsibilities in opening and maintaining Covered Accounts in the implementation of this Program.

Periodic Review and Reporting

Rockhurst will review the nature of its Covered Accounts, its experiences and this Program on a periodic basis (at least bi-annually and more frequently as appropriate), and will revise this Program where the nature of its Covered Accounts and its experience warrant such revision in order to reflect and respond to changes in risks. Staff responsible for administering this Program (as designated by the Manager of Student Accounts) will prepare a report concerning compliance with the Program on an annual basis, to be submitted to the Manager of Student Accounts.  The report will address the effectiveness of this Program and its procedures concerning opening and accessing Covered Accounts, service provider arrangements, any significant incidents of identity theft and the institution's response, and any recommendations for material changes.

Oversight

Rockhurst has designated the Manager of Student Accounts to have oversight of, and overall responsibility for administering and implementing, this Program. The Manager of Student Accounts will also be responsible for reviewing this Program and the reports concerning its implementation, for approving and implementing any changes to this Program, and for exercising oversight of service provider arrangements. The Manager of Student Accounts will report annually to the Board about this Program.