Chapter 9 - General Provisions
Publication Date: November 23, 2009
Responsible Executive: VP for Business Affairs
9.39 Red Flag Rules Compliance for Identity Theft Detection
The Federal Trade Commission Code of Federal Regulations (CFR) Title 16, Part 681 has implemented the Red Flag Rules, which requires that UTSA adopt guidelines to address the following situations:
- Receiving a Notice of an Address Discrepancy after requesting a consumer report from a consumer reporting agency (as per 681.1).
- Upon accepting an extension of certain types of credit - either directly or indirectly - by UTSA (as per 681.2).Â
- Requesting an additional or replacement debit or credit card that following closely after an address change request (as per 681.3).
UTSA must implement an Identity (ID) Theft Prevention Program to protect consumers against identity theft.
All areas, departments, colleges and schools of the University which hold personally identifiable financial records and information and/or covered accounts must comply with the requirements of this guideline.
WEBSITE ADDRESS FOR THIS POLICY
RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS
UTSA or UT System Policies
Other Policies & Standards
Financial Management Operational Guideline
4.2 - Red Flag Rules
Red Flag Rules
If you have any questions about Red Flag Rules, contact the following office(s):
The Director of Financial Services and University Bursar is responsible for this policy and can be reached at 210-458-4221.
A continuing relationship established by a person with an institution to obtain a product or service for personal, family, household or business purposes. It may involve the extension of credit for the purchase of a product or service or a deposit account.
Student, employee, retired employee, patient or other person that has a covered account held by or on behalf of UTSA.
NOTE: An account holder may also be referred to as a debtor.
Consumer to whom UTSA has issued a credit card or debit card.
Student, employee, prospective employee or other individual.
Any written, oral or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for purposes set forth in 15 U.S.C 161a (d).
Consumer Reporting Agency or Agency
Any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.
An account that involves or is designed to permit multiple payments or transactions, which is primarily for personal, family or household purposes. It is also any account for which there is a reasonably foreseeable risk of identity theft.
Examples of Covered Accounts include, but are not limited to:
- Student loan and tuition accounts
- Patient medical service accounts
- Accounts associated with employee benefits, student debit cards and meal plans.
Any card, plate, coupon book or other credit device existing for the purpose of obtaining money, property, labor, or services on credit.
Any institution that regularly extends, renews, or continues credit; any institution that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor that participates in the decision to extend, renew, or continue credit.
NOTE: UTSA is considered a creditor.
Any card issued by UTSA to a consumer for use in initiating an electronic fund transfer from the account of the consumer at UTSA for the purpose of transferring money between accounts or obtaining money, property, labor, or services.
Any use or attempt by an individual to use another person's individual identifying information to obtain a thing of value including money, credit; items or services, such as medical care or education services to which the individual is not entitled.
Individual/Consumer Identifying Information
Any information that may be used alone or with other information to identify an individual, including, but not limited to:
- Social security number
- Date of birth
- Telephone or cell phone number
- Government issued driver's license or identification number
- Alien registration number
- Passport number
- Employer or taxpayer identification number
- Credit, debit, banking account numbers
- Unique biometric data such as fingerprint, voice print, retina or iris image or other unique physical representation
- Unique electronic identification number; address or routing code; IP or other computer identifying address; or telecommunication identifying information or other access device.
NOTE: Includes information received about a consumer from a third party source.
A pattern, practice or specific activity that indicates the possible existence of identity theft.
Appropriate senior officer or employee with sufficient training, experience and authority to develop, maintain, and oversee compliance with the University's Program.
Any person or entity that provides a service to the University.
The Director of Financial Services and University Bursar serves as UTSA's Responsible Party and is responsible for developing, implementing and maintaining the Identity Theft Prevention Program. The Director of Financial Services and University Bursar is also responsible for identifying those areas where covered accounts are held by the University, ensure University personnel are appropriately trained and provides an annual report to the University President on compliance with the program. A copy of this report is maintained on file.
Departmental Responsibilities for Covered Accounts
Each UTSA department below has been identified as being responsible for opening - directly or indirectly - or maintaining covered accounts at UTSA and is responsible for adhering to this program.
UTSA departments not specifically listed below must follow these guidelines and report their actions to the Responsible Party if identity theft is suspected.
- Administration: Business Auxiliary Services Operations
- Financial Affairs: Financial Services and University Bursar, Perkins Student Loans, Fiscal Services Office
- UTSA Police Department
- Student Enrollment Services Center
- Student Financial Aid
These departments may incorporate existing internal policies and procedures that promote the purpose of the ID Theft Prevention Program, including available security tools, as long as these tools can assist with the implementation of this program.
Departmental Responsibilities for Consumer Reports
The UTSA Police Department has been identified as being responsible for requesting consumer credit reports for UTSAPD Officer candidates via a contracted third-party vendor and must adhere to this policy.
Departmental Responsibilities for Issuing Debit Card and Credit Cards
The UTSA Card Office - within Business Auxiliary Services - has been identified as being responsible for issuing and reissuing the UTSACard, a photo identification and all-campus debit card that is used by current students, faculty and staff.
An annual risk assessment is performed by the Responsible Party to determine if additional departments and/or areas have become responsible for opening or maintaining covered accounts. Each department must determine the following:
- Types of covered accounts offered or maintained
- Existing account opening processes
- Methods that existing accounts are accessed
- Previous instances where identity theft has occurred
Additionally, the Responsible Party completes an annual program and reviews any incidents of identity theft occurring since last review, changes in methods of identity theft, the types of accounts being opened and/or maintained and changes to the methods of identifying and preventing identity theft. The Responsible Party is also responsible for preparing and submitting an annual report to the University President, illustrating the program's effectiveness, any third-party service provider agreements, significant incidents of identity theft and management's response and any recommended changes to the program.
Staff working in departments involved in the creation, modification or administration of covered accounts must complete the identity theft prevention training to ensure compliance with the Identity Theft Prevention Program.
Oversight of Third Party Service Providers
In the event UTSA contracts with a service provider to perform an activity in connection with any section of this policy, UTSA will ensure that the contractor performs its contracted activities in a secure manner by including contract provisions that require the service providers have reasonable policies and procedures in place to prevent, detect and mitigate the risk of identity theft and that any suspected or actual situations involving identity theft be reported to the Responsible Party.
As a general rule, UTSA does not request reports of creditworthiness during background checks on candidates for employment by UTSA. When such a requirement is justified, advance approval by the Associate Vice President for Human Resources is required to assure compliance with federal regulation Title 16: 681.1 Identity Theft Rules: Duties Regarding Address Discrepancies Related to Consumer Reports.
NOTE: UTSA has contracted with a third-party vendor to provide consumer credit reports for UTSAPD Officer candidates. It is the responsibility of UTSA to comply with these provisions.
Debit Card and Credit Card Issuance
UTSA offers the UTSACard, a photo identification and all-campus debit card that is used by current students, faculty and staff.
Initial card requests must be made in-person at the UTSA Card office and be accompanied by a valid photo identification, such as a state issued identification card, driver's license, passport or military ID.
Requests for replacement UTSACard's - due to theft or loss - must also be made in-person at the UTSA Card Office. Requestors may be asked to provide a form of identification, such as a state issued identification card, driver's license, passport or military ID for verification.
See Financial Management Operational Guideline 4.2 - Identifying and Responding to Red Flags for detailed procedures.
NOTE: UTSA does not issue credit cards.
Red Flags are suspicious patterns or practices or specific activities that indicate the possibility that identity theft may occur. All departments must review the required responses and actions if presented with any red flags. See Financial Management Operational Guideline 4.2 - Identifying and Responding to Red Flags for details.
FORMS AND TOOLS/ONLINE PROCESSES
- Identity Theft Prevention Training Presentation (currently being developed)