Michigan State University
Controller's Office
In response to the increasing incidents of identity theft, the Federal Trade Commission, along with other federal banking regulatory agencies, created the Red Flags Rule (the “Rule”). The Rule requires businesses to develop an Identity Theft Prevention Program (the “Program”) to detect, prevent, and mitigate identity theft. For purposes of the Program, identity theft is a type of fraud committed or attempted using personal identifying information of another person without authority. In general, the Rule applies to units that have covered accounts or use consumer credit reports. A covered account is a consumer account that involves or is designed to permit multiple payments or transactions, and any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the University from identity theft.
The MSU Board of Trustees adopted the Program, which provides guidance and outlines the responsibilities of units that are subject to the Rule, summarized here:
Contact the MSU Cashier’s Office Manager at 517-355-5023 for guidance on determining whether the Rule is applicable to a particular activity. Please note that MSU as an entity is subject to the Rule and all departments must be mindful of protecting personally identifiable information as required by MSU’s Institutional Data Policy.
All applicable units will comply with the Rule and submit an annual report to the Office of the Controller to document their compliance.
In order to identify relevant red flags, a Unit should consider the types of covered accounts it offers and maintains, methods used to open accounts, methods used to access covered accounts, and previous experiences with identity theft.
Using Attachment 1 as a reference, a Unit must identify, in writing, all red flags associated with the Unit's covered account activity.
Each Unit's description of red flags should be specific enough to enable the Unit's staff to identify them.
Opening covered accounts – A Unit’s Plan must include procedures to obtain identifying information about, and verify the identity of, a person opening a covered account. Identifying information means a name or number that may be used alone or in conjunction with any other information to identify a person, including the name, date of birth, social security number, driver’s license number, alien registration number, government passport number, employer or taxpayer identification number, or any other unique identification
Existing covered accounts – A Unit's Plan must include procedures to detect red flags in connection with existing covered accounts, such as authenticating customers, monitoring transactions, and verifying the validity of change of address requests.
A Unit must respond to red flags in a manner that is commensurate with the degree of risk posed to prevent and mitigate identity theft.
In determining an appropriate response to red flags, the Unit should consider aggravating factors that may heighten the risk of identity theft, such as a data security breach which results in unauthorized access to a customer's account records, or notice that a customer has provided information related to a covered account held by the Unit to someone fraudulently claiming to represent the Unit or University or to a fraudulent website.
For illustrative purposes only, a Unit’s response to red flags may include the following: