x
  
  

Office of the Comptroller

Menu

Identity Theft Prevention Program

Policy Statement

Texas A&M International University developed this Identity Theft Prevention Program pursuant to the Federal Trade Commission's Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. This program was developed with oversight and approval of the chancellor as designated by the board of Regents. After consideration of the size and complexity of the University’s operations and account systems, and the nature and scope of the University’s activities, the chancellor determined that this program was appropriate for the University, and approved this Program on
May 1, 2009.

Definitions

  • Identity Theft: a fraud committed or attempted using the identifying information of another
    person without authority.
  • Red Flag: a pattern, practice, or specific activity that indicates the possible existence of identity
    theft.
  • Covered Account: a consumer account designed to permit multiple payments or transactions,
    and any other account for which there is a reasonably foreseeable risk from identity theft. This
    generally includes all student accounts or loans that are administered by the University.
  • Program Administrator: the individual designated with primary responsibility for oversight of
    the program.
  • Identifying information: any name or number that may be used, alone or in conjunction with
    any other information, to identify a specific person, including: name, address, telephone
    number, social security number, date of birth, government issued driver’s license or
    identification number, alien registration number, government passport number, employer or
    taxpayer identification number, University issued identification number, computer’s internet
    protocol address, or routing code.

Requirements of the Red Flags Rule

  1. Under the red flags rule, the University is required to establish an Identity Theft Prevention
    Program tailored to its size, complexity and the nature of its operation. Each program must
    contain reasonable procedures to:
  2. Identify relevant red flags for new and existing covered accounts and incorporate those
    red flags into the program;
  3. Detect red flags that have been incorporated into the program;
  4. Respond appropriately to any red flags that are detected to prevent and mitigate
    identity theft; and
  5. Ensure the program is updated periodically to reflect changes in risks to customers
    including students or to the safety and soundness of the University from identity theft.

Identification of Red Flags

In identifying relevant red flags, the University considers the types of accounts it maintains, how accounts are opened and accessed, and previous experiences with identity theft.

The following red flags are identified:

  1. Suspicious Documents
    • Identification that appears forged, altered, or inauthentic
    • Photo or physical description that does not match the person
    • Documents inconsistent with existing student/customer information
    • Applications that appear altered or forged
  2. Suspicious Personal Identifying Information
    • Information inconsistent with what the individual provides (e.g., mismatched birth dates)
    • Information that does not match external records
    • Information linked to known fraudulent applications
    • Use of invalid contact details (e.g., fake address or phone number)
    • Social Security Number matching another individual
    • Failure to provide complete required information
    • Information not matching existing records
  3. Suspicious Account Activity
    • Address change followed by a name change request
    • Unexpected stop in account payments
    • Mail repeatedly returned as undeliverable
    • Reports of missing mail
    • Unauthorized account activity
    • System security breach
    • Unauthorized access to account information
  4. Alerts from Others
    • Reports from students, victims, law enforcement, or others about possible identity theft or fraudulent accounts

Detection of Red Flags

  1. Student Enrollment - To detect red flags during student enrollment, University personnel will:
    • Collect identifying information such as name, date of birth, address, and academic records
    • Verify identity when issuing student identification cards using a government-issued photo ID or other acceptable documentation
  2. Existing Accounts - To detect red flags in existing accounts, University personnel will:
    • Verify student identity when account information is requested in person, by phone, email, or fax
    • Confirm and validate requests to change billing or contact information and provide a way to report incorrect changes
  3. Background Report Requests - To detect red flags related to employment or volunteer background checks, University personnel will:
    • Require applicants to confirm the accuracy of their provided address when requesting a background check
    • Verify applicant identity if an address discrepancy is identified in the background report

Preventing and Mitigating Identity Theft

When red flags are detected, University personnel may take one or more of the following actions based on risk level:

  • Flag the covered amount for continued monitoring
  • Contact the student/customer or applicant
  • Change passwords or other security credentials
  • Assign a new student identification number if necessary
  • Notify the program administrator for further action
  • Report to law enforcement when appropriate
  • File or assist in filing a Suspicious Activity Report
  • Determine that no action is needed based on circumstances

To further reduce the risk of identity theft, the University will:

  • Maintain secure websites or indicate when a site is not secure
  • Properly destroy paper and electronic records containing student information when no longer needed
  • Password-protect computers with access to covered account data
  • Avoid or limit the use of Social Security numbers when possible
  • Maintain updated antivirus and security protections
  • Collect and retain only necessary student information

Responding to Red Flags

Once potentially fraudulent activity is detected, an employee must:

  • Act quickly to protect customers and the University from damages and loss;
  • Gather the documentation and write a description of the situation; and
  • Present this information to the program administrator for determination.
  • The program administrator or their designee will complete additional authentication to determine if the transaction was fraudulent or authentic.
  • If fraudulent, the following actions must be taken:
    • Canceling the transaction;
    • Notifying and cooperating with appropriate law enforcement;
    • Determining the extent of liability, if any, of the University; and
    • Notifying the customer that fraud has been attempted.

Program Administration

a. Oversight

An Identity Theft Committee oversees the development, implementation, and updates of this program. The committee is led by a program administrator and includes representatives from key University departments.

The program administrator is responsible for training staff, reviewing reports of red flags, determining appropriate responses, and updating the program as needed.  

b. Staff Training and Reporting

Relevant staff are trained to detect red flags and respond appropriately. Employees must report suspected identity theft or program issues to the program administrator.

The program administrator receives periodic reports on program compliance, effectiveness, incidents of identity theft, and recommendations for improvements.

c. Service Provider Arrangements

When the University uses service providers for covered accounts, contracts must require providers to maintain appropriate safeguards and report suspected identity theft or red flags to the University.

d. Confidentiality

Specific identity theft detection and prevention procedures are restricted to the committee and authorized personnel to maintain program effectiveness. Such information is kept confidential where permitted by law.

e. Program Updates

The committee periodically reviews and updates the program based on changes in identity theft risks, methods, account types, and University operations. Updates are made when necessary to improve effectiveness.

f. Contact Information

Report suspected identity theft using the Identity Theft Prevention Form.

For questions regarding the Red Flags Rule or this program, please contact the Program Administrator at 956-326-2812.

Download the full Identity Theft Prevention Program (PDF)

Return to Policies & Procedures Main Page