March 24, 2009,
Volume 55, No. 26
Last summer, the Federal Trade Commission (FTC) issued final rules under the Fair and Accurate Credit Transaction Act (FACTA) called the Red Flag Rules. These rules require policy and procedural changes within Penn to assist in preventing identity theft as well as detecting and responding to identity theft. The following draft policy is one component of Penn’s compliance program regarding the new rules.
It calls upon operational units engaged in extending credit, or using credit reports, to follow certain steps as required by the rules and to do our part in curbing the incidence and impact of the very concerning crime of identity theft.
Please comment on the draft Policy on Red Flag Rules shown below by April 20 to Lauren Steinfeld, Chief Privacy Officer at firstname.lastname@example.org.
Policy on Red Flag Rules
The purpose of this policy is to require the identification, detection and response to activity that may indicate identity theft and to comply with the FTC Red Flag Rules.
a. “Red Flag” means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
a. Federal requirements—Extension of Credit
Where Penn operations involve the extension of credit, which includes allowing the deferment of payment, or arranging for the extension of credit, there must be procedures to identify, detect, and respond to Red Flags.
b. Federal requirements—Use of consumer reports
Where Penn operations involve the use of consumer reports, there must be procedures to respond to notices of address discrepancies received from covered consumer reporting agencies.
IV. Extension of Credit
In operations where Penn is involved in extending credit, which includes any operation in which Penn allows for the deferment of payment, or arranges for the extension of credit, the operational area is responsible for taking the following steps (referred to collectively as the “Identity Theft Prevention Program”):
a. Consider Red Flags in the operational area, utilizing the FTC Red Flag Rules Appendix A as a non-exhaustive checklist, and determine which Red Flags are appropriate for detection and follow-up.
b. Develop procedures that:
i. Based on identified applicable Red Flags:
1. Call for the detection of such Red Flags
2. Call for the evaluation of a detected Red Flag in a particular instance
3. Call for, where applicable, the reporting of Red Flags for further investigation to appropriate management (see Section VI)
ii. Require training staff involved in covered operations on such requirements
iii. Take reasonable steps to ensure that service providers engaged to perform services in connection with extending credit, or arranging for extension of credit on behalf of Penn have reasonable policies and procedures in place to detect, prevent and mitigate risks of identity theft
iv. Require periodic reports to the Office of Audit, Compliance and Privacy regarding:
1. Procedures of the Identity Theft Prevention Program
2. Significant incidents of identity theft and responses taken
3. Recommendations for material changes to the Policy on Red Flag Rules and/or its implementation
V. Users of Consumer Reports
When a user of consumer report receives a notice of address discrepancy from one of the three covered consumer reporting agencies, the user must:
a. Utilize procedures to form a reasonable belief that the consumer report does relate to the consumer about whom it has requested the report. These procedures may be:
i. Comparing the information in the consumer report provided by the consumer reporting agency with the information the user
1. Obtains and uses to verify the consumer’s identity
2. Maintains in its own records
3. Obtains from third party sources or
ii. Verifying information with the consumer
b. Utilize procedures, where required, to furnish a confirmed address for the consumer to the credit reporting agency that provided the notice of address discrepancy.
VI. Reporting Significant Risks of Identity Theft
In all areas of Penn, instances of possible identity theft must be referred to an appropriate office for investigation.
Many cases of discrepancies in address and other information may result from simple clerical errors or information that has not been updated. In such cases, please contact the organizational unit that is responsible for maintaining the data.
In more serious cases where there is suspected inappropriate conduct or a knowing or reckless misuse of data, please contact Penn’s Office of Audit, Compliance and Privacy or, particularly for concerns about criminal activity, the Penn Police.
VII. Office of Audit, Compliance and Privacy
Penn’s Office of Audit, Compliance and Privacy is responsible for:
a. Periodically reporting to the University and Penn Medicine Trustees Committee on Audit and Compliance about the Policy on Red Flag Rules, and its implementation
b. Periodically reviewing such Policy, and
c. Providing support and assistance to Penn staff and faculty involved in implementing the Policy on Red Flag Rules
VIII. Best Practices
a. Where Penn operations are susceptible to identity theft in a manner that presents a significant risk to an individual or to the institution, but is not technically covered by the Red Flag Rules, it is a best practice to apply the steps and procedures outlined above.