Policy, Fair and Accurate Credit Transaction Act

    Title: Fair & Accurate Credit Transaction Act Policy
    Effective Date: 08-01-2009
    Issuing Authority: Audit Committee of the Board of Regents
    Contact: Nate Engle at engle1@stolaf.edu or 507-786-3502
    Last Updated: 08-10-2022

    IDENTITY THEFT PREVENTION PROGRAM

    1. BACKGROUND
      1. Effective Date 
        St. Olaf College adopts this initial version of its Identity Theft Prevention  Program (the “Program”) as of August 1, 2009.
      2. Purpose and Policy
        This Program is intended to comply with the requirements of the Identity Theft Rules1, issued by the Federal Trade Commission (FTC), including the Red Flags Rule2 and the Address  Discrepancy Rule3 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). “Identity theft” occurs when a person commits or attempts to commit fraud using identifying information of another person without authority. It is the policy of the College to develop, implement, and maintain a comprehensive program to detect, prevent, and mitigate identity theft for our students and their families. No part of this Program or related policies and procedures should be interpreted as contravening or superseding any other applicable legal and regulatory requirements. This Program and its related policies and procedures reflect good faith efforts to comply with applicable law and reduce the potential for identity theft. This Program does not represent warranties, representations, or contractual obligations in favor of any person, entity or group.
      3. Responsibilities and Management
        The Audit Committee of the Board of Regents has the authority and responsibility to approve this Program and to direct that the President of the College designate a Program Coordinator to supervise the overall management of the Program. The Program Coordinator has the authority and responsibility to:

        • Oversee and manage the development, implementation, and administration of the Program;
        • Assign specific responsibility for the Program’s implementation;
        • Review reports prepared by staff regarding compliance with the Red Flags Rule and this Program;
        • Approve material changes to the Program as necessary to address changing identity theft risks; and
        • Exercise management control as necessary to ensure that all relevant operations and employees make compliance with this Program an integral part of regular operations.
    2. PROGRAM DEVELOPMENT AND ASSESSMENT
      The FTC’s Identity Theft Rules require that the College identify relevant Red Flags and methods of detecting relevant Red Flags, as well as periodically update this risk assessment and adjust the Program accordingly4. A “Red Flag” is a pattern, practice, or specific activity that indicates the possible existence of identity theft.

      1. Covered Accounts
        The College is subject to the requirements of the identity theft rule because it is a “creditor” under the definition in the Rule. The College would be considered a “creditor” in regard to the following activities where “covered accounts” exist:

        1. Participation in the Federal Perkins Loan program,
        2. Participation as a school lender in the Federal Family Education Loan program,
        3. Offering deferred tuition payments after classes begin, or
        4. Providing any goods or services for which students are invoiced or otherwise allowed to pay after the goods or services are provided (e.g., print center services and health care services).

        The College’s covered accounts include student accounts, under which loan payments are received and credits processed, and against which invoices are issued for health care services (if not insured), or print center services5. We have also analyzed our history of identity theft and the potential risks to the College from identity theft and determined that the only other accounts that might be considered “covered accounts” are development accounts with donors that include annuity payments to beneficiaries.

      2. Risk Assessment
        The College has evaluated the covered accounts and assessed the likely risk of identity theft causing a problem for the College or the individual whose identity is stolen and determined that risks are low. The College’s low risk is due in part to the following factors: (a) no historical experience with identity theft, (b) higher education institutions are not common targets for identity thieves, (c) student loan fraud is unlikely because loan payments are processed against tuition and other institutional accounts receivable and only any excess amounts are disbursed to students, and (d) identity theft is not likely to occur in connection with print center services or health care services.
    3. RED FLAG DETECTION AND RESPONSE

    The College will periodically identify relevant Red Flags for the types of covered accounts it offers or maintains by considering appropriate risk factors, categories of Red Flags, and other sources of Red Flags.

    In identifying the relevant Red Flags, the College considers the following categories of Red Flags:

    • Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
    • The presentation of suspicious documents;
    • The presentation of suspicious personal identifying information, such as a suspicious address change;
    • The unusual use of, or other suspicious activity related to, a covered account; and
    • Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

    In identifying the relevant Red Flags, the College considers the following sources of Red Flags:

    • Incidents involving identity theft that the College has experienced;
    • Methods of identity theft that reflect changes in identity theft risks; and
    • Applicable regulatory guidance, such as the Example Red Flags contained in Supplement A to Appendix A of the Red Flags Rule.

    Relevant Red Flags

    The College has identified the following relevant Red Flags that may be raised in connection with opening or servicing a covered account:

    1. The student does not have a photo ID.
    2. The student photo ID appears to have been altered.
    3. The photo ID is inconsistent with the appearance of the student.
    4. Documents presented by a student or beneficiary appear to be altered or forged, or appear to have been destroyed and re-assembled.
    5. The student or beneficiary refuses to provide all of the required personal information.
    6. Notification from a student or beneficiary, victim of identity theft, a law enforcement agency, or someone else that an account has been opened or used fraudulently.

    Procedure when Red Flags are Present

    If one or more of these risk factors is present, the person servicing the account should notify a supervisor and the supervisor should attempt to verify identity by:

    • More in-depth review of the documents and verification of the information; and/or
    • Asking the student or beneficiary for additional documentation to verify his or her identity.

    In any case where the transaction is delayed, the following script may be used to communicate with the student or beneficiary:

    We need to check additional information to confirm that this transaction can be completed. We will follow up to try to verify your identity and get back to you as soon as possible. We apologize for the inconvenience, but we are trying to prevent identity theft and fraud and need to take certain precautions.

    1. TRAINING, SERVICE PROVIDER OVERSIGHT, AND PROGRAM UPDATING
      1. Training
        It is the responsibility of the Program Coordinator to ensure that all relevant College personnel receive training, as necessary, to effectively implement the Program. The training will include, at a minimum, the following:

        • Distribution of a copy of this Program to all employees having duties that may involve covered accounts;
        • Training of all new employees having duties that may involve covered accounts; and
        • Training on a periodic basis as determined by the Program Coordinator to be necessary to reflect changes to the Program

        Such training program shall include, at a minimum, the pertinent requirements of the Red Flags Rule, the policies and procedures set forth in this Program, as updated from time to time, and the importance placed by the College on compliance with the Program and the prevention and mitigation of identity theft.

      2. Overseeing Service Providers
        It is the responsibility of the Program Coordinator to exercise appropriate and effective oversight of service provider arrangements. A service provider means a person who provides a service directly to the College in connection with covered accounts. The Program Coordinator shall take reasonable steps to select and retain service providers that are capable of maintaining safeguards to protect the information handled or accessed.
      3. Reports
        The Program Coordinator and other staff responsible for the development, implementation, and administration of the Program shall report to the Vice President and Chief Financial Officer, at least annually, on compliance with the Red Flags Rule and this Program. The report shall address material matters related to the Program and evaluate all material issues arising in connection with the Program since its inception or the most recent prior report. In any event, the following issues shall be addressed in each report:

        • The effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and, if and when applicable, with respect to existing covered accounts;
        • Service provider arrangements;
        • Significant incidents involving identity theft and management’s response; and
        • Recommendations for material changes to the Program.
      4. Periodic Updates
        It is the responsibility of the Program Coordinator to ensure that the Program is updated periodically based on changes in the regulatory guidance, the College’s experience with identity theft, or new methods of identity theft having been uncovered.
    2. APPOINTMENTS AND APPROVAL
      1. Identification of Responsible Employees
        The following employee has been appointed to the position indicated below, subject to modification from time to time:
        Program Coordinator: College Controller – Nate Engle
      2. Program Approval
        The Audit Committee of the Board of Regents has approved the foregoing Identity Theft Prevention Program pursuant to the Red Flags Rule as of July 24, 2009.
    1. 16 C.F.R. part 681.
    2. Section 114.
    3. Section 315.
    4. Additionally, to the extent that the College uses credit reports, the Identity Theft Rules require that reasonable policies and procedures are in place to handle notices of address discrepancies sent by a credit reporting agency. Currently, the College does not use credit reports and the Program does not address this portion of the Rule.
    5. Ole Cards, which are stored value cards issued to students to pay for dining hall meals or other expenses on campus, are not considered the extension of credit, as the money is debited at the time goods and services are received. If the College were to issue cards linked to bank accounts or national credit card programs, those accounts may be covered by the Rule.

    GP:2511610 v1