Purpose

The purpose of this policy and program is to ensure the compliance of 藏精阁 with the Red Flags Rule federal regulations, to identify risks associated with identity theft, and to mitigate the effects of identity theft upon the University, employees, students, constituents, board members, and customers. The Identity Theft Prevention Program was developed pursuant to the Federal Trade Commission’s red flag rules, pursuant to the Fair and Accurate Credit Transactions Act. It is designed to detect, prevent, and mitigate identity theft in connection with certain accounts. The program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable the entity with covered accounts to:

1. Describe and define relevant patterns, practices, and activities, dubbed "Red Flags," signaling possible identity theft and incorporate those Red Flags into the program;
2. Detect Red Flags;
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
4. Ensure the program is updated periodically to reflect changes in risks.

Scope

The requirements of this program apply to all 藏精阁 locations, all employees and the third parties with whom 藏精阁 contracts to perform certain functions on its behalf.

Policy

This document outlines the required Red Flags Rule Program of 藏精阁 and is extended to encompass not just financial or credit accounts but any University account or database for which the University believes there is a reasonably foreseeable risk from identity theft to the University and its students, faculty, staff, constituents, board members, and/or customers.

• I. Definitions

  “Account” means a continuing financial relationship established by a person with 藏精阁, including an extension of credit, such as the purchase of services or property involving a deferred payment.

  "Covered account" means (1) "an account that a financial institution or creditor offers or maintains primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions ..." and (2) "any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks." Covered Account is extended to include any university account or database (financial or otherwise) for which the University believes there is a reasonably foreseeable risk to the university and its students, faculty, staff, constituents, board members, or customers from identity theft.

  "Credit" means "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase services or property and defer payment therefore."

  "Creditor" means "an entity [i.e. 藏精阁] that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit."

  "Financial institution" means "a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that has an account belonging to a consumer."

  "Identity theft" means "fraud committed using the identifying information of another person."

  "Red Flag" means "a pattern, practice, or specific activity that indicates the possible existence of identity theft."

  "Service provider" means "a person that provides a service directly to the financial institution or creditor [i.e. credit reporting agency or collection agency]."

  "Transaction account" means "a deposit or account (i.e. at a bank or savings and loan) on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others. Such term includes demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts."

• II. Identification and Detection of Red Flags

  A "Red Flag" is a pattern, practice, or specific activity that indicates the possible existence of identity theft. The following Red Flags are potential indicators or warning signs of potential or actual identity theft or similar fraud. Anytime a Red Flag or a situation resembling a Red Flag is apparent, it should be investigated for verification. The examples below are meant to be illustrative. Any time a 藏精阁 employee suspects a fraud involving personal information about an individual or individuals, the employee should assume that this identity theft program applies and follow protocols established by the employee’s office for investigating, reporting, and mitigating identity theft.

  Examples of Red Flags:

  Alerts, Notifications or Warnings from a Consumer Reporting Agency

  1. A fraud or active duty alert is included with a consumer report.
  2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
  3. A consumer reporting agency provides a notice of address discrepancy.
  4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as
     • A recent and significant increase in the volume of inquiries;
     • An unusual number of recently established credit relationships;
     • A material change in the use of credit, especially with respect to recently established credit relationships; or
     • An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

  Suspicious Documents

  1. Documents provided for identification appear to have been altered or forged.
  2. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
  3. Other information on the identification is not consistent with information provided by the person opening a new covered account or the customer presenting the identification.
  4. Other information on the identification is not consistent with readily accessible information that is on file with the university, such as a signature card or a recent check.
  5. An application either appears to have been altered or forged or gives the appearance of having been destroyed and reassembled.

  Suspicious Personal Identifying Information

  1. Personal identifying information provided is inconsistent when compared against external information sources used by the university. For example
     1. The address does not match any address in the consumer report; or
     2. The Social Security Number (SSN) either has not been issued or is listed on the Social Security Administration's Death Master File.
  2. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
  3. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the university. For example
     1. The address on an application is the same as the address provided on a fraudulent application; or
     2. The phone number on the application is the same as the number provided on a fraudulent application.
  4. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the university. For example, the address on the application is fictitious, possibly a mail drop or prison, or the telephone number is invalid or is associated with a pager/answering service.
  5. The SSN provided is the same as that submitted by another person opening an account or another customer.
  6. The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
  7. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
  8. Personal identifying information provided is not consistent with personal identifying information that is on file with the University.
  9. The person opening the covered account (or the customer) cannot provide authenticating information beyond that generally would be available from a wallet or consumer report (such as answers to "challenge questions").

  Suspicious Account Activity or Unusual Use of Account

  1. Shortly following the notice of a change of address for a covered account, the university receives a request for a new, additional, or replacement card, or for the addition of authorized users on the account.
  2. A new account is used in a manner commonly associated with known patterns of fraud. For example, the student fails to make the first payment or makes an initial payment but no subsequent payments.
  3. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example, nonpayment when there is no history of late or missed payments or material changes in the use of the account.
  4. A covered account that has been inactive for a lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage, and other relevant factors).
  5. Mail sent to the customer is returned repeatedly as undeliverable even though transactions continue to be conducted in connection with the customer's covered account.
  6. The University is notified that the customer is not receiving paper account statements.
  7. The University is notified of unauthorized charges or transactions in connection with a customer's covered account.

  Alerts from Other

  The University is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

• Appropriately Responding to Detected Red Flags

  Once potentially fraudulent activity is detected, an employee should inform the supervisor that the employee has detected an actual or potential Red Flag or has identified a similar area of concern of identity theft. The supervisor should determine the validity of the Red Flag. If it is found that a situation of identity theft has occurred, the division or department head should inform the Business Office of the matter so that it is documented as part of the monitoring portion of this program.

  If the Red Flag indicates that a fraudulent transaction has occurred, the division or department head should attempt to mitigate the effects of the transaction. Consideration should be given to the type of Red Flag identified, the type of transaction, the relationship with the victim of the fraud, the availability of contact information for the victim of the fraud, and numerous other factors. Appropriate actions may include but are not limited to:

  1. Canceling the transaction;
  2. Not opening a new account or closing the account in question;
  3. Notifying and cooperating with appropriate law enforcement;
  4. Notifying the chief operating officer, chief financial officer, and general counsel of the University;
  5. Notifying senior administration personnel of the University;
  6. Notifying the customer that fraud has been attempted or that it has occurred;
  7. Changing any passwords or other security devices that permit access to relevant accounts and/or databases;
  8. Continuing to monitor the account or database for evidence of identity theft;
  9. Alternatively, determining that no response is warranted after appropriate evaluation and consideration of the particular circumstances.

  In all situations where it is discovered that a Red Flag has been positively identified, the office responsible for the account shall document what occurred and describe its review of the matter and any specific actions taken to mitigate the impact of the effects of the actual or potential identity theft discovered. Such documentation shall also include a description of any additional actions the office believes are systemically necessary within that office (such as updating policies and procedures) in response to identified Red Flag to handle or prevent similar situations in the future.

• Consumer Reports-Address Verification

  Any University office that obtains and/or uses consumer reports from a consumer reporting agency that finds a discrepancy between the address on file with the University and the address on the report should attempt to form a reasonable belief that the university is dealing with the actual student being researched or investigated and not another person with the same or similar name. The office may reasonably confirm the accuracy of the consumer's address by:

  1. Verifying the address with the consumer about whom it has requested the report;
  2. Reviewing its own records to verify the address of the consumer;
  3. Verifying the address through third-party sources;
  4. Using other reasonable means.

  The office must provide the consumer's address that it has reasonably confirmed to be accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

• V. Training

  Training is required for all employees, officials, and contractors who likely will come into contact with accounts or personally identifiable information that may constitute a risk to the University or its students.

  The division or department head of each office that maintains a covered account under this program is responsible for training employees by familiarizing them with the policies contained herein.

  As part of the training, all requisite employees, officials, and contractors should be informed of the contents of the University's identity theft program and afforded access to a copy of this document. In addition, all requisite employees, officials, and contractors should be trained by the division or department head of each office regarding how to identify Red Flags and what to do should they detect a Red Flag or have similar concerns regarding an actual or potential fraud involving personal information.

• VI. Oversight of 3rd Party Service Providers

  It is the responsibility of the University to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Before the University may engage a service provider to perform an activity in connection with one or more of the University's covered accounts, the University must take the following steps to ensure the service provider performs its activities in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risks of identity theft:

  1. The University must require that the service provider has identity theft policies and procedures in place; and
  2. The University must make the service provider aware of the University’s identity theft program by providing a copy of this document and require said provider to report to the University any Red Flags it identifies.

• VII. Program Administration

  Responsibility for overseeing the administration of this program has been delegated by the Board of Trustees to the University president (for general oversight) and to the University’s vice president for operations and finance (for general execution), with compliance monitoring to be performed by the Business Office. On an annual basis, and as part of the University's Compliance Monitoring Plan, the Business Office will confer with the University offices that maintain covered accounts under the program to review each office's list of covered accounts, training and policies, procedures, and practices as they relate to preventing, detecting, and mitigating identity theft, as well as the definitive identification of Red Flags or similar incidents documented by the offices who maintain covered accounts under this program. The chief financial officer of the Business Office will create an annual report based upon that office’s annual conferences with university offices that maintain covered accounts and assess the effectiveness of the University's identity theft program as a whole. As part of the report, the Business Office will make recommendations for updating or modifying the program as appropriate. The annual report will be provided by the chief financial officer of the Business Office to the vice president for operations and finance for review and presentation to the University’s president and Board of Trustees.

• VIII. Updating the Program

  On an annual basis, the program will be reevaluated by the vice president for operations and finance to determine whether all aspects of the program are up to date and applicable. This review will include an assessment of which accounts and/or databases are covered by the program, whether additional Red Flags need to be identified as part of the program, whether training has been implemented, and whether training has been effective. In addition, the review will include an assessment of whether mitigating steps included in the program remain appropriate and whether additional steps need to be defined.

• IX. Approval of the Policy

  Under the Red Flags regulations, implementation and oversight of the identity theft program is the responsibility of the governing body or an appropriate committee of such governing body. Approval of the initial plan must be appropriately documented and maintained. After its initial approval of the program, the governing body may delegate its responsibility to implement and oversee the identity theft program. As the governing body of the 藏精阁, the Board of Trustees, as of the date below, hereby approved the initial identity theft program. Having made such initial approval, the Board of Trustees hereby delegates the responsibility for implementing, monitoring and overseeing the university's identity theft program to the university administration, in accordance with procedures stipulated herein. Approved by the Board of Trustees on August 1, 2009.