Michigan State University
Controller's Office

Administration Bldg
426 Auditorium Rd, Rm 305
East Lansing, MI 48824
517 355-5020

SECTION 9: Identity Theft Prevention Program (Red Flags Rule)

Last reviewed: February 2018

Last updated: February 2018

I. Overview

In response to the increasing incidents of identity theft, the Federal Trade Commission, along with other federal banking regulatory agencies, created the Red Flags Rule (the “Rule”). The Rule requires businesses to develop an Identity Theft Prevention Program (the “Program”) to detect, prevent, and mitigate identity theft. For purposes of the Program, identity theft is a type of fraud committed or attempted using personal identifying information of another person without authority. In general, the Rule applies to units that have covered accounts or use consumer credit reports. A covered account is a consumer account that involves or is designed to permit multiple payments or transactions, and any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the University from identity theft.

II. MSU Identity Theft Program (“Program”)

The MSU Board of Trustees adopted the Program which provides guidance and outlines the responsibilities of units that are subject to the Rule, summarized here:

  1. Unit Activities that:
    1. Administer financial accounts (open new accounts, post transactions, maintain, bill, close old accounts, etc.). Examples include student accounts billing, university-based loans to students, faculty, or staff, Spartan Cash, and payroll deductions.
    2. Provide goods or services that customers can pay for at a later date. This applies whether the unit bills and collects using payroll deductions or any other system.
    3. Use consumer credit reports (such as Equifax, Experian, and TransUnion).
    4. Report information to credit reporting agencies.
    5. Sell or transfer debt to a third party.
  2. Unit Responsibilities:
    1. Determine whether the unit's activities are subject to the Rule and if so, assess the risk of identity theft to its customers and the University.
    2. Create written unit-level identity theft prevention policies and procedures.
    3. Designate a compliance steward.
    4. Train staff at least annually.
    5. Oversee vendors that provide services that are subject to the Rule.
    6. Periodically review and update as needed the unit policies and procedures.
    7. Prepare and submit an annual report to the Office of the Controller.

Contact the MSU Cashier’s Office Manager at 517-355-5023 for guidance on determining whether the Rule is applicable to a particular activity. Please note that MSU as an entity is subject to the Rule and all departments must be mindful of protecting personally identifiable information as required by MSU’s Institutional Data Policy.

III. Policy

All applicable units will comply with the Rule and submit an annual report to the Office of the Controller to document their compliance.

IV. Procedures

  1. Identify Relevant Red Flags
    1. In order to identify relevant red flags, a Unit should consider the types of covered accounts it offers and maintains, methods used to open accounts, methods used to access covered accounts, and previous experiences with identity theft.

    2. Using Attachment 1 as a reference, a Unit must identify, in writing, all red flags associated with the Unit's covered account activity.

    3. Each Unit's description of red flags should be specific enough to enable the Unit's staff to identify them.

  2. Detect Red Flags
    1. Opening covered accounts – A Unit’s Plan must include procedures to obtain identifying information about, and verify the identity of, a person opening a covered account. Identifying information means a name or number that may be used alone or in conjunction with any other information to identify a person including the name, date of birth, social security number, driver’s license number, alien registration number, government passport number, employer or taxpayer identification number, or any other unique identification

    2. Existing covered accounts - A Unit's Plan must include procedures to detect red flags in connection with existing covered accounts such as authenticating customers, monitoring transactions and verifying the validity of change of address requests.

  3. Respond to Red Flags
    1. A Unit must respond to red flags in a manner that is commensurate with the degree of risk posed to prevent and mitigate identity theft.

    2. In determining an appropriate response to red flags, the Unit should consider aggravating factors that may heighten the risk of identity theft, such as a data security breach which results in unauthorized access to a customer's account records, or notice that a customer has provided information related to a covered account held by the Unit to someone fraudulently claiming to represent the Unit or University or to a fraudulent website.

    3. For illustrative purposes only, a Unit’s response to red flags may include the following:

      1. Monitoring the covered account for evidence of identity theft;
      2. Contacting the customer;
      3. Changing any passwords or other security devices that permit access to a covered account;
      4. Reopening a covered account with a new account number;
      5. Not opening a new covered account;
      6. Closing an existing covered account;
      7. Not attempting to collect on a covered account;
      8. Notifying the Program Administrator of incidents of identity theft;
      9. Notifying law enforcement after consulting the Program Administrator; and
      10. Determining that no response is warranted under the particular circumstances.

V. Exhibits/Forms