Millions of Americans have their identities stolen each year. Identity thieves may drain accounts, damage credit, and even put medical treatment at risk. The cost to business - left with unpaid bills racked up by scam artists - can be staggering, too.
The Red Flags Rule (issued by the Federal Trade Commission) requires many businesses and organizations to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate its damage. The bottom line is that a program can help businesses spot suspicious patterns and prevent the costly consequences of identity theft.
The Red Flags Rule applies to “covered accounts” which is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. Examples include the Bursar student account, student loans, the Bobcat Cash account, patient/client accounts (e.g. WellWorks, clinics), and program/travel/research/payroll advances.
The categories of red flags to watch for include:
- Alerts, notifications, or other warnings received from consumer reporting agencies or service providers
- Presentation of suspicious documents
- Presentation of suspicious personal identifying information
- Unusual use of, or other suspicious activity related to, a covered account
- Notice from customers, victims of identity theft, or law enforcement authorities
Once a red flag or potential red flag is detected, the employee must act quickly to gather all related documentation and present it to the department supervisor. The supervisor should then work with the Program Administrator (Controller) or her designee to determine whether the transaction was fraudulent or authentic. Appropriate responses may include:
- Monitoring account for evidence of identity theft
- Contacting the customer
- Changing any passwords, security codes, or other security devices that permit access to the account
- Notifying law enforcement
- Determining no response is warranted under the particular circumstances
The Red Flags Rule requires that relevant staff receive training. Who needs training? Staff directly involved in the customer identity verification process, staff who respond to customer inquiries, and staff who have the type of access to account information such that they could recognize potential red flags in account activity. An online training is currently in process and a communication will be sent to applicable departments when the training is available. Training will be made available by the end of fiscal year 2019.
For questions related to the Red Flags policy please contact Sherry Rossiter, downs@ohio.edu or 740-593-4129.