Skip to Search Skip to Navigation Skip to Content

Section 2: Data and Systems Integrity

RED FLAG RULES

Effective Date:

08/01/09

Approved By:

Lenora Chapman, Interim Associate Vice President for Financial Affairs

Last Revised On:

04/15/13

For Assistance Contact:

Director of Financial Services and University Bursar: 210-458-4221

PURPOSE/SCOPE

The Federal Trade Commission Code of Federal Regulations (CFR) Title 16, Part 681 has implemented the Red Flag Rules, which requires that UTSA adopt guidelines to address the following situations:

  • Receiving an address change discrepancy notice from a consumer reporting agency (as per 681.1).

  • Opening and maintaining covered accounts (as per 681.2).

  • Issuing and reissuing debit or credit cards after an address change request (as per 681.3).

All areas, departments, colleges and schools of the University which hold personally identifiable financial records and information and/or covered accounts must comply with the requirements of this guideline.

AUTHORITY

Pursuant to HOP policy Chapter 9.39 – Red Flag Rules.  


UNIVERSITY GUIDELINES

Table of Contents

A. Background

The Red Flags Rule has been issued by the FTC under the Fair and Accurate Credit Transactions Act and requires that UTSA implement an Identity (ID) Theft Prevention Program to protect consumers in the following situations:

  • Upon accepting an extension of certain types of credit — either directly or indirectly — by UTSA.

  • Receiving a Notice of an Address Discrepancy after requesting a consumer report from a consumer reporting agency.

  • Requesting an additional or replacement debit or credit card that follows closely after an address change request.

B. Identifying and Responding to Red Flags

Red Flags are suspicious patterns or practices, or specific activities that indicate the possibility that identity theft may occur. All departments must review the required responses and actions if presented with any red flags listed below.

1. Alerts, notifications or warning from consumer reporting agencies

Red Flag Required Response/Action

  1. A fraud or active duty alert accompanies a consumer report requested by UTSA.

  1. Verify activity reported with applicant.

  2. If verified, proceed with evaluation of applicant based on consumer report received.

  3. If unable to verify, do not use this report in evaluating applicant – no further action required.

  1. A notice of a credit freeze is received in response to a request for a consumer report.

  1. Verify activity reported with applicant.

  2. If verified, proceed with evaluation of applicant based on consumer report received.

  3. If unable to verify, do not use this report in evaluating applicant – no further action required.

  1. A notice of address discrepancy is received in response to a request for a consumer report.

  1. Compare reported address with that provided by applicant and if necessary, contact the applicant to verify.

  2. If address has been verified, report to credit report agency.

  3. If unable to determine relationship between the applicant and the notice, do not use the report to evaluate the applicant and notify the applicant. No further action required.

  1. Indication from a consumer report of a pattern of activity inconsistent with the history and usual pattern of activity of an applicant or consumer.

  1. Verify activity reported with applicant.

  2. If verified, proceed with evaluation of applicant based on consumer report received.

  3. If unable to verify, do not use this report in evaluating applicant – no further action required.

2. Suspicious documents

Red Flag Required Response/Action

  1. Identification documents or card provided appears to have been altered or forged.

  1. Retain identification and notify management for assistance.

  2. If identification appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Identification documents or card provided on which the photograph or physical description is not consistent with the appearance of the customer presenting the documents.

  1. Retain identification, notify management for assistance.

  2. If identification appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Identification documents or card provided on which other identifying information is not consistent with information provided by the customer or other readily accessible information that is on file. For example, a birth date doesn’t match appearance of customer.

  1. Retain identification, notify management for assistance.

  2. If identification appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Request for information, applications, or other documents presented appear to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

  1. Retain documents, notify management for assistance.

  2. If documents appear fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.


3. Suspicious personal identifying information

Red Flag Required Response/Action

  1. Identifying information is inconsistent with other external information sources. For example, an address that does not match the address printed on a loan application.

  1. Inspect identification and compare with other external information sources.

  2. Retain identification and notify management for assistance.

  3. If information appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Identifying information is inconsistent with other information provided by the customer. For example, inconsistent birth dates.

  1. Inspect identification and compare with SPAPERS or SPAIDEN.

  2. Retain identification and notify management for assistance.

  3. If information appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Identifying information is associated with known fraudulent activity. For example, an address or phone number being used is also known to be associated with a fraudulent application.

  1. Inspect identification and compare with documentation indicating fraudulent activity.

  2. Retain identification and notify management for assistance.

  3. If information appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Identifying information is of the type commonly associated with fraudulent activity. For example, an address is fictitious or the phone number is invalid.

  1. Inspect identifying information.

  2. Retain identifying information and notify management for assistance.

  3. If information appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Social Security (SSN) or Banner ID number is the same as that submitted by another customer.

  1. Inspect identifying information.

  2. Retain document provided, request to see student’s SSN card, Banner ID or driver’s license card and retain a copy if discrepancy is not resolved.

  3. Do not provide any services until identity proven. Place hold on original customer who provided the duplicate ID number if identity is proven. Notify management for assistance.

  4. If information appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Address or phone number is the same as that presented by an unusually large number of other customers.

  1. Request and inspect identifying documents to confirm information provided.

  2. If information appears fraudulent, report to UTSAPD and Office of Institutional Compliance and Risk Services.

  1. A customer fails to provide all of the required personal identifying information on an application or in response to notification that the application is incomplete.

  1. Do not provide any services or award aid until application is complete.

  2. If fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Identifying information is inconsistent with internal information sources on file.

  1. Inspect identifying information.

  2. Retain identifying information and notify management for assistance.

  3. If information appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Customer cannot provide information in response to challenge questions beyond that which generally would be available from a wallet or consumer report.

  1. Do not provide any services, do not reset PIN’s.

  2. If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

4. Unusual use of or suspicious activity related to covered accounts

Red Flag Required Response/Action

  1. Change of address for an account that is followed shortly by a request  for a name change

  1. Request official documentation reflecting name change (court order, marriage certificate, etc.) and compare with photo identification. 

  2. Verify change of address previously submitted.

  3. If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. An account is used in a manner inconsistent with established patterns of activity on that account. For example, payments are no longer made on an otherwise consistently up-to-date account.

Banner automatically places financial hold and restricts any services from being provided until the hold has been removed by Office of Financial Services and University Bursar or Fiscal Services

If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Mail sent to customer is returned repeatedly although transactions continue to be conducted.

  1. Attempt to contact student via UTSA or other e-mail (SPAIDEN or GOAEMAL) or phone number (SPATELE).

  2. If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Customer notifies UTSA — via phone, e-mail or in-person — that the customer is not receiving mail.

  1. Verify address information with customer and ensure listed addresses are active.

  2. If address on file was not entered by customer, notify management for assistance.

  3. If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Customer notifies UTSA — via phone, e-mail or in-person — that an account has unauthorized activity.

  1. Notify management for assistance and investigation.

  2. If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Customer notifies UTSA — via phone, e-mail or in-person — that unauthorized use of ASAP has occurred based on last logon date posted. For example, they did not attempt access during the time/date indicated on the date stamp.

  1. Request photo identification from the customer to verify identity.

  2. Reset ASAP password.

  3. If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Customer notifies UTSA — via phone, e-mail or in-person — that unauthorized use of ASAP has occurred. For example, the customer was automatically logged off during an online session due to multiple log on attempts. 

  1. Request photo identification from the customer to verify identity.

  2. Reset ASAP password.

  3. If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

5. Notice from customers, victims of identity theft, law enforcement or others regarding possible identity theft

Red Flag Required Response/Action

  1. Customer notifies UTSA — via phone, e-mail or in-person — that an  account has been opened fraudulently or is being maintained by UTSA for a person engaged in identity theft.

  1. Notify management for assistance.

  2. Place a financial hold on the account and contact UTSAPD and request officer assistance.

  3. If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Customer reports — via phone, e-mail or in-person — receiving a bill for another individual or for a service that the customer denies receiving.

  1. Notify management for assistance and investigation.

  2. If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Customer reports — via phone, e-mail or in-person — their personal information has been compromised.

  1. Notify management for assistance and investigation.

  2. Place a comment on appropriate Banner screen (TGACOMC, SPACMNT, RHACOMM, etc.).

  3. If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

6. Other

Red Flag Required Response/Action

  1. Customer reports — via phone, e-mail or in-person — that an unauthorized change has occurred to direct deposit information on GXADIRD.

  1. Notify management and inactivate direct deposit entry.

  2. If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

  1. Customer reports — via phone, e-mail or in-person — than an unauthorized change has occurred to the student address information on TUIADDR.

  1. Notify management and inactivate address entry.

  2. If situation appears fraudulent, report to UTSAPD and the Office of Institutional Compliance and Risk Services.

C. Consumer Reports

As a general rule, UTSA does not request reports of creditworthiness during background checks on candidates for employment by UTSA.  When such a requirement is justified, advance approval by the Associate Vice President for Human Resources is required to assure compliance with federal regulation Title 16: 681.1 Identity Theft Rules: Duties Regarding Address Discrepancies Related to Consumer Reports.

1. Oversight of third party service providers

In the event UTSA contracts with a service provider to perform an activity in connection with any section of this policy, UTSA will ensure that the contractor performs its contracted activities in a secure manner by requiring contract provisions that require the service providers have reasonable policies and procedures in place to prevent, detect and mitigate the risk of identity theft and that any suspected or actual situations involving identity theft be reported to the Program Administrator.

D. Debit Card and Credit Card Issuance

UTSA offers the UTSACard, a photo identification and all-campus debit card that is used by current students, faculty and staff.

Initial card requests must be made in-person at the UTSA Card office and be accompanied by a valid photo identification, such as a state issued identification card, driver’s license, passport or military ID.

Requests for replacement UTSACard’s — due to theft or loss — must also be made in-person at the UTSA Card Office. Requestors may be asked to provide a form of identification, such as a state issued identification card, driver’s license, passport or military ID for verification. Once verified, a new photo is taken and a replacement card is issued.

NOTE: UTSA does not issue credit cards.

E. ID Theft Prevention Program

UTSA is required to develop, implement and maintain a written Identity Theft Prevention Program to identify, prevent and decrease identity theft cases from occurring at the university in accordance with the 16 CFR 681.2, the Federal Trade Commission’s Red Flag Rules.

1. Oversight

The Director of Financial Services and University Bursar is the program administrator and is responsible for developing, implementing and maintaining the Identity Theft Prevention Program. The Director of Financial Services and University Bursar is also responsible for identifying those areas where covered accounts are held by the University, ensure University personnel are appropriately trained and provides an annual report to the University President on compliance with the program. A copy of this report is maintained on file.

2. Departmental responsibilities

UTSA has deemed any student account to be a “covered account.” Any department with access to student records, who also may interact with students/parents concerning that information is responsible for compliance with this guideline.  Although not meant to be an inclusive list, each UTSA department below has been identified as being responsible for opening — directly or indirectly — or maintaining covered accounts at UTSA and is responsible for adhering to this program:

Business Affairs:

  • Administration: Business Auxiliary Services Operations

  • Financial Affairs: Financial Services and University Bursar, Perkins Student Loans, Fiscal Services Office

Student Affairs:

  • Admissions

  • Registrar

  • Student Enrollment Services Center

  • Student Financial Aid

These departments may incorporate existing internal policies and procedures that promote the purpose of the ID Theft Prevention Program, including available security tools, as long as these tools can assist with the implementation of this program.

UTSA departments not specifically listed above must follow these guidelines and report their actions to the program administrator if identity theft is suspected.

In addition, all departments must report all suspected or confirmed incidents of identity theft to the Program Administrator. See Risk assessment and program review for more information.

3. Risk assessment and program review

An annual risk assessment is performed to determine if additional departments and/or areas have become responsible for opening or maintaining covered accounts. Each department must determine the following:

  • Types of covered accounts offered or maintained

  • Existing account opening processes

  • Methods that existing accounts are accessed

  • Previous instances where identity theft has occurred

Additionally, the program administrator completes an annual program and reviews any incidents of identity theft occurring since last review, changes in methods of identity theft, the types of accounts being opened and/or maintained and changes to the methods of identifying and preventing identity theft. The program administrator is also responsible for preparing and submitting an annual report illustrating the programs effectiveness, any third-party service provider agreements, significant incidents of identity theft and management’s response and any recommended changes to the program.

4. Training

Staff working in departments involved in the creation, modification or administration of covered accounts must complete the identity theft prevention training to ensure compliance with the Identity Theft Prevention Program.


DEFINITIONS

Term Description

Account

A continuing relationship established by a person with an institution to obtain a product or service for personal, family, household or business purposes.

It may involve the extension of credit for the purchase of a product or service or a deposit account.

Account Holder

Student, employee, retired employee, patient or other person that has a covered account held by or on behalf of UTSA.

NOTE: An account holder may also be referred to as a debtor.

Cardholder

Consumer to whom UTSA has issued a credit card or debit card.

Consumer

Student, employee, prospective employee or other individual.

Consumer Report

Any written, oral or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for purposes set forth in 15 U.S.C 161a (d).

Consumer Reporting Agency or Agency

Any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

Covered Account

An account that involves or is designed to permit multiple payments or transactions, which is primarily for personal, family or household purposes. It is also any account for which there is a reasonably foreseeable risk of identity theft.

Examples of Covered Accounts include, but are not limited to:

  • Student loan and tuition accounts

  • Patient medical service accounts

  • Accounts associated with employee benefits, student debit cards and meal plans.

Credit Card

Any card, plate, coupon book or other credit device existing for the purpose of obtaining money, property, labor, or services on credit.

Debit Card

Any card issued by UTSA to a consumer for use in initiating an electronic fund transfer from the account of the consumer at UTSA for the purpose of transferring money between accounts or obtaining money, property, labor, or services.

Creditor

Any institution that regularly extends, renews, or continues credit; any institution that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor that participates in the decision to extend, renew, or continue credit.

NOTE: UTSA is considered a creditor.

Identity Theft

Any use or attempt by an individual to use another person’s individual identifying information to obtain a thing of value including money, credit; items or services, such as medical care or education services to which the individual is not entitled.

Individual/Consumer Identifying Information

Any information that may be used alone or with other information to identify an individual, including, but not limited to:

  • Name

  • Social security number

  • Date of birth

  • Telephone or cell phone number

  • Government issued driver’s license or identification number

  • Alien registration number

  • Passport number

  • Employer or taxpayer identification number

  • Credit, debit, banking account numbers

  • Unique biometric data such as fingerprint, voice print, retina or iris image or other unique physical representation.

  • Unique electronic identification number; address or routing code; IP or other computer identifying address; or telecommunication identifying information or other access device.

NOTE: Includes information received about a consumer from a third party source.

Red Flag

A pattern, practice or specific activity that indicates the possible existence of identity theft.

Responsible Party

Appropriate senior officer or employee with sufficient training, experience and authority to develop, maintain, and oversee compliance with the University’s Program.

Service Provider

Any person or entity that provides a service to the University.

REFERENCES/LINKS

 

RELATED FORMS/WORKSHEETS

No related forms currently on file for this guideline.


REVISION HISTORY

Date Description
04/15/2013

Updated requirements for UTSAPD to comply with the section concerning consumer reports. Removed UTSAPD from the group that will be required to take consumer reports training.
03/12/2013

Updated Departmental Responsibilities section.

10/05/10

Changed section number from 4.12 to 4.2.

07/28/09

Added HOP policy chapter reference.
07/23/09

New guideline to be effective as of 08/01/09.
In All We Do, We Do With Excellence - Every Person - Every Day - Every Job