Purpose of the Policy
The U.S. Congress has provided protection for consumers from identity theft by enacting the Fair and Accurate Credit Act (“FACTA”) and the Fair Credit Reporting Act (“FCRA”). FACTA directed the Federal Trade Commission (“the FTC”) to issue regulations, now generally referred to as the “Red Flag Rules” (“the Rules”), which require financial institutions and creditors to adopt policies and procedures that protect consumers from identity theft. Red Flags are defined by the Rules as events which should alert an organization that there is a risk of identity theft.
There are three sections of Rules that are relevant to colleges and universities: 16 C.F.R. § 681.1 users of consumer reports; (2) 16 C.F.R. § 681.2 financial institutions and creditors; and (3) 16 C.F.R. § 681.3 issuers of debit or credit cards.
As set forth in the “Definitions” section below, NYU is a “user of consumer reports” and a “creditor” under the Rules, but not an “issuer of debit or credit cards.” Accordingly, NYU adopts this Policy to:
- Identify, prevent and mitigate identity theft in compliance with the Rules;
- Approve and establish an Identity Theft Prevention Program (which is attached hereto as Appendix A);
- Appoint an Identity Theft Prevention Program (“Program”) Administrator who has primary responsibility for oversight of the Program.
Who Needs to Know this Policy
All University personnel involved in the processing of personally identifying information as applied to the administration of covered accounts.
The following Red Flag Rule definitions will apply to this Policy and the Program:
• 16 C.F.R. § 681.1 users of consumer reports
Under the Rules, a user of consumer reports is someone who obtains a consumer report from a consumer reporting agency for legally permissible purposes, such as employment screening or background checks or credit purposes.
Application of Definition: NYU is a user of consumer reports as defined in the Rules.
• 16 C.F.R. § 681.2 financial institutions and creditors
Under the Rules, a financial institution or “creditor” who offers or maintains one or more “covered accounts” must develop and implement a written Identity Theft Prevention Program that will identify, detect, prevent and mitigate damages resulting from identity theft in connection with a “covered account.”
Creditor: For purposes of this component of the Rules, a “creditor” is defined under the FCRA as “… [any] person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; as any assignees of an original creditor who participates in the decision to extend, renew or continue credit.” (Emphasis added). 15 U.S.C.A. §1691(a)(e).
Credit: is defined as “… [the] right granted by a creditor to a debtor to defer payment or to incur debts and defer payment or to purchase property or services and defer payment therefore.” 15 U.S.C.A. § 1691 (a)(d).
Covered accounts: are accounts “… [established] primarily for personal, family or household purposes that involve or are designed to permit multiple payments of transactions, i.e. consumer accounts.” Such accounts specifically include transaction and credit accounts, “… [Or] any other accounts for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.” Under the Rules, Identity Theft Prevention Programs are only required for these “covered accounts”.
Application of Definitions: NYU is a covered entity under the Rules because the University acts as a “creditor” by regularly extending, renewing, or continuing credit and by regularly arranging for the extension, renewal, or continuation of credit. NYU Covered Accounts include all student, faculty or staff accounts or loans for personal, family or household purposes that permit deferred or multiple payments or transactions, and are administered by the University or an authorized service provider. These NYU covered accounts include Perkins Loans to students, Deferred Tuition Payments Plans, and loans to faculty or staff.
• 16 C.F.R. § 681.3 issuers of debit or credit cards
Under the Rules, issuers of debit and credit cards must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card.
Debit Card: means any card issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account of the consumer at such financial institution, for the purpose of transferring money between accounts or obtaining money, property, labor, or services. 15 U.S.C. 1681a(r)(3). In the preamble to the Rules, the FTC states that stored value cards are not considered debit cards.
Application of Definitions:
NYU does not issue debit or credit cards. This provision of the Rules does not apply to NYU’s “Campus Cash” card. While the Campus Cash card has some debit card functionality, it is not a debit card under the Rules, but is a stored value card.
• Other Relevant Definitions
Identifying Information: is any name or number that may be used alone or in conjunction with any other information to identify a specific person, including: name, address, telephone number, social security number, date of birth, driver’s license or identification number, alien registration number, passport number, employer or taxpayer identification number.
Identity Theft: is a fraud committed or attempted using the identifying information of another person without authority.
Red Flag: is a pattern, practice or specific activity that indicates the potential for Identity Theft.
Program Administrator: is the individual designated by the Senior Vice President for Finance and Budget to have primary responsibility for oversight of the Program.
It is the policy of NYU to comply with the requirements of the FTC Red Flag Rules. Accordingly, NYU has developed an Identity Theft Prevention Program (“Program”) which is designed to meet the requirements of the Rules to identify, prevent, or mitigate identity theft. This written Program is attached to this Policy as Appendix A. The Program is tailored to NYU’s size, complexity and the nature of its operations, and is based upon the University’s previous experience with Identity Theft associated with relevant “covered accounts.” The program contains mechanisms to:
- Identify relevant Red Flags applicable to the type of credit extended and incorporate those red flags into the Program;
- Detect such Red Flags;
- Respond appropriately to any Red Flags that are detected to prevent theft and mitigate damages;
Ensure that the Program is updated periodically to reflect changes in risk.
- The Programs also addresses discrepancies related to consumer credit reports through procedures that:
- Help ensure that the person about whom a report is requested is the same as the subject of the report provided by the consumer reporting agency; and
- Provide the verified address of the subject back to the consumer reporting agency.