Washington State University
BUSINESS POLICIES AND PROCEDURES MANUAL

FINANCE
30.64
New 12-09
Finance and Administration
335-5524

Identity Theft Prevention Program

PDF link

POLICY

In order to minimize the possibility of identity theft, University departments and personnel are responsible for observing the requirements of the Identity Theft Prevention Program.

Program Adoption

Washington State University establishes an Identity Theft Prevention Program, described in this section, pursuant to the Federal Trade Commission regulations, 16 CFR Part 681.2.

References

15 USC 1681a, 1691a

18 USC 1029(e)

16 CFR 603.2(a)

16 CFR 681: Identity Theft Rules ("Red Flag Rules")

§ 334.82(b) Fairness and Accuracy in Credit Transactions Act

Definitions

Definitions used in this program:

Identity Theft

Identity theft is a fraud committed or attempted using the identifying information of another person without authority.

Red Flag

A red flag is a pattern, practice, or specific activity that indicates the existence of possible identity theft.

Covered Account

A covered account is an account that a creditor, e.g., WSU, offers or maintains, primarily for personal, family or household purposes that involve or are designed to permit multiple payments or transactions.

Purpose

The Identity Theft Prevention Program is designed to detect, prevent, and mitigate identity theft in connection with covered accounts. The program includes reasonable policies and procedures to:

COVERED ACCOUNTS

University Accounts

Covered accounts administered by the University include accounts that are used to process the following:

Service Provider Accounts

Covered accounts administered by service providers include services provided by contracted third-party commercial collection agencies for student loan accounts, student accounts, and general accounts receivable account collection and repayment.

IDENTIFICATION OF RELEVENT RED FLAGS

The program identifies the following as red flags: (See also Appendix: Red Flag Indicators.)

Risk Factors

The program promotes consideration of risk factors in identifying relevant red flags for covered accounts, e.g., the types of covered accounts (see above) and the methods required to open covered accounts.

Methods of Opening Accounts

The following circumstances may lead to opening covered accounts:

Access Methods

The University responds to requests to access covered account information in accordance with the following requirements.

DETECTION OF RED FLAGS

The program provides for detection of red flags relevant to each type of covered account. See also Appendix: Red Flag Indicators.

Refund of Student Loan Credit Balance

As directed by federal regulation (U.S. Department of Education) and/or departmental procedures, student loan credit balances must be refunded to the student. The refund can only be mailed to an address on file with the University or direct-deposited into the student's bank account. If the refund is picked up "in person" a valid WSU ID or picture ID is required.

Red Flags

Picture ID not appearing to be authentic or not matching the appearance of the student presenting it.

Student Loan Information

WSU has implemented specific procedures to protect confidential student information from being inappropriately released to third parties. Each involved employee receives training and is responsible for understanding and complying with department-specific procedures when responding to telephone calls.

Red Flags

While calls that resemble these examples are not necessarily red flags, extra care should be taken to ensure the authenticity of the call:

RESPONSES TO RED FLAG DETECTIONS

If a red flag has been detected by WSU personnel, an appropriate response may be one of the following:

OVERSIGHT OF SERVICE PROVIDER ARRANGEMENTS

The University Receivables Office is responsible for ensuring that activities of all service providers and contractors are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

A service provider or contractor that maintains its own Identity Theft Prevention Program, consistent with the guidance of the red flag rules (16 CFR Part 681) may be considered to be meeting these requirements.

Contractors and service providers must notify WSU of any security incidents, even if such incidents have not led to any actual compromise of WSU data.

WSU contracts with third parties to collect delinquent covered accounts. University Receivables Office requests and receives a red flag policy from each contracted service provider.

See Appendix: Red Flag Indicators as needed.