
Identity Theft Prevention Program

About This Policy

Effective Date:
Supersedes Policy Dated: 05/09/09
Issuing Authority: New York University Chief Financial Officer
Responsible Officer: New York University Chief Financial Officer


Purpose of this Policy

The U.S. Congress has provided protection for consumers from identity theft by enacting the Fair and Accurate Credit Transactions Act (“FACTA”) and the Fair Credit Reporting Act (“FCRA”). FACTA directed the Federal Trade Commission (“FTC”) to issue regulations, now generally referred to as the “Red Flags Rule” (the “Rule”), which require financial institutions and creditors to adopt policies and procedures that protect consumers from identity theft. “Red Flags” are defined by the Rule as patterns, practices, or activities that indicate the possibility of identity theft.

As set forth in the “Definitions” section below, New York University (“NYU” or the “University”) is a “creditor” under the Rule because it advances funds to or on behalf of persons in connection with its participation in federal student loan programs and in making housing loans to faculty and staff. NYU has “covered accounts” relating to these activities under the Rule and is therefore required to establish an Identity Theft Prevention Program. Accordingly, NYU adopts this Policy to: identify, prevent and mitigate identity theft in compliance with the Rule; approve and establish an Identity Theft Prevention Program, attached to this Policy as Appendix A (the “Program”); and appoint a Program Administrator who has primary responsibility for oversight of the Program.


It is the policy of NYU to comply with the requirements of the Rule. Accordingly, NYU has developed a Program that is designed to meet the requirements of the Rule to identify, prevent, and mitigate identity theft. This written Program is attached to this Policy as Appendix A. The Program is tailored to NYU’s size, complexity and the nature of its operations, and is based upon the University’s previous experience with identity theft associated with covered accounts. The Program contains mechanisms to: identify and detect relevant Red Flags; respond appropriately to prevent Identity Theft and mitigate damages; and ensure that the Program is updated periodically to reflect changes in risks.

Scope of this Policy

This Policy applies to all University employees, students, volunteers and agents who are involved in handling information that can be used to identify a specific person in connection with certain accounts of that person maintained by NYU. Specific operations and activities that implicate application of this policy include, but are not limited to, the following:

• The Bursar’s Office - Participating in the Federal Perkins loan program, participating as a school lender in the Federal Family Education Loan Program (FFELP)
• The Financial Aid Office - Offering loans to students or a plan for payment of tuition during the school year or thereafter
• NYU-sponsored housing and general loan programs

Policy Adoption and Oversight

The Audit and Compliance Committee of the NYU Board of Trustees has oversight of the adoption and implementation of and compliance with this Policy. The Chief Financial Officer, as the Responsible Officer for this Policy, will provide the Audit and Compliance Committee with periodic reports concerning the implementation of and compliance with this Policy and with such other reports as may be requested by the Audit and Compliance Committee.

Policy Definitions

The following Rule definitions apply to this Policy and the Program:

“Creditor” means any natural person, corporation or other entity that regularly, and in the ordinary course of business, advances funds to or on behalf of a person based on an obligation to repay the funds or repayable from specific property pledged by the person.

“Covered Account” means an account that is (1) primarily for personal, family or household purposes and is designed to permit multiple payments or transactions, or (2) any account that is subject to a reasonably foreseeable risk of identity theft.

“Identifying Information” means any name or number that may be used alone or in conjunction with any other information to identify a specific person, including: name, address, telephone number, social security number, date of birth, driver’s license or identification number, alien registration number, passport number, employer or taxpayer identification number.

“Identity Theft” means a fraud committed or attempted using the identifying information of another person without authority.

“Red Flag” is a pattern, practice or specific activity that indicates the potential for Identity Theft.

“Program Administrator” is the University Controller or such other individual designated by the Chief Financial Officer to have primary responsibility for oversight of the Program.

APPENDIX A

The Identity Theft Prevention Program

Identification of Red Flags

To identify relevant Red Flags, the University considers the types of Covered Accounts that it offers and maintains; the methods it provides to open and access the Covered Accounts, including in-person, mail or online methods, and the University’s previous experience with Identity Theft. Covered Accounts include but are not limited to the following:

• Accounts managed by Faculty Housing or other units related to the administration of housing or general loan programs for faculty and staff
• Accounts managed by the Bursar’s Office related to the administration of student loan programs including the federal Perkins Loan, Health Professions Student Loan and Nursing loan programs
• Accounts managed by the Financial Aid Office related to the administration of emergency short-term loans and disbursement of funds from money specifically donated to be used for student loans, or tuition payment plans

The University has identified the following Red Flags:

Notifications or Warnings from Consumer/Credit Reporting Agencies: Alerts, notifications, or other warnings received from consumer reporting agencies or service providers indicating:

o A credit freeze
o Active duty alert
o Address discrepancy in response to a credit report request
o Activity that is inconsistent with the usual pattern or activity of the account holder

Suspicious Documents: Presentation of suspicious documents which appear to be altered, forged or inauthentic, including inconsistent appearance of photographs or physical description on a document with the person presenting it.

Suspicious Personal Identifying Information: Presentation of inconsistent personal identifying information such as:

  • An inconsistent birth date
  • An address that does not match a prior address submitted on an application
  • A social security number, telephone number or address that is the same as that given by another account holder
  • Repeated failure to provide identifying information on an application

  1. Dates of official enactment and amendments: May 9, 2009
  2. History: Approved by the Audit and Compliance Committee of the Board of Trustees on June 14th, 2017
  3. Cross References: 15 U.S.C. Section 1681m (e); 16 C.F.R. Section 68