DEFINITIONS: The following definitions apply to this policy:
Account: A continuing relationship established by a person with a financial institution or Creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
i. An extension of credit, such as the purchase of property or services involving a deferred payment; andConsumer Reporting Agency: Are entities that collect and disseminate information about consumers to be used for credit evaluation and certain other purposes.
ii. A deposit Account.
Consumer Reports: Any written, oral, or other communication of any information by a Consumer Reporting Agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for:
i. Credit or insurance to be used primarily for personal, family, or household purposes;Covered Accounts:
ii. Employment purposes; or
iii. Any other purpose authorized under US Code: Title 15, 1681b.
i. An Account that a financial institution or Creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card Account, mortgage loan, automobile loan, margin Account, cell phone Account, utility Account, checking Account, or savings Account; andCreditor: Any person, corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative, or association who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original Creditor who participates in the decision to extend, renew, or continue credit.
ii. Any other Account that the financial institution or Creditor offers or maintains for which there is a reasonably foreseeable risk to Customers or to the safety and soundness of the financial institution or Creditor from Identity Theft, including financial, operational, compliance, reputation, or litigation risks.
Customer: Person that has a covered Account with a financial institution or Creditor.
Debit Card: Any card issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the Account of the consumer at such financial institution, for the purpose of transferring money between Accounts or obtaining money.
Notice of Address Discrepancy: A notice sent to a user by a Consumer Reporting Agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.
Identity Theft: A fraud committed or attempted using the identifying information of another person without authority.
Red Flag: A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
Service Provider: A person that provides a service directly to the financial institution or Creditor.
Card Issuer: Financial institution or Creditor that issues a debit or credit card
Duties of Users Regarding Address Discrepancies
A. University departments which use Consumer Reports will form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report when a Notice of Address Discrepancy is received by:
i. Comparing the information in the consumer report provided by the Consumer Reporting Agency with information the department:
1. Maintains in its own records, such as applications, change of address notifications, other Customer Account records; or
2. Obtains from third-party sources; or
ii. Verifying the information in the consumer report provided by the Consumer Reporting Agency with the consumer. B. University departments which use Consumer Reports will furnish an address for the consumer that the department has reasonably confirmed is accurate to the Consumer Reporting Agency from whom it received the Notice of Address Discrepancy when the department:
i. Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
ii. Established a continuing relationship with the consumer; and
iii. Regularly and in the ordinary course of business furnishes information to the Consumer Reporting Agency from which the Notice of Address Discrepancy relating to the consumer was obtained.
iv. The department may reasonably confirm an address is accurate by:
1. Verifying the address with the consumer about whom it has requested the report;
2. Reviewing its own records to verify the address of the consumer;
3. Verifying the address through third-party sources; or
4. Using other reasonable means.
v. If applicable, a department will furnish a consumer’s address that the department has reasonably confirmed is accurate to the Consumer Reporting Agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer. Duties Regarding the Detection, Prevention, and Mitigation of Identity Theft
A. University departments will periodically determine whether they offer or maintain Covered Accounts and as part of the determination, departments will conduct a risk assessment to determine whether it offers or maintains Covered Accounts for which there is a reasonably foreseeable risk to Customers or to the safety and soundness of the University from Identity Theft, including financial, operational, compliance, reputation, or litigation risks, taking into consideration:
i. The methods it provides to open its Accounts; B. Each University department which offers or maintains Covered Accounts will develop and implement a written procedure (“Program”) that is designed to detect, prevent, and mitigate Identity Theft in connection with opening of a Covered Account and that is appropriate to the department’s size, complexity, and the scope of its activities designed to:
ii. The methods it provides to access its Accounts; and
iii. Its previous experiences with Identity Theft.
i. Identify relevant Red Flags for the Covered Accounts that the department offers or maintains, and incorporate those Red Flags into its Program; C. Each University department which offers or maintains Covered Accounts will update its Program periodically to reflect changes in risks to Customers and to the safety and soundness of the department from Identity Theft and will:
ii. Detect Red Flags that have been incorporated into the Program of the department;
iii. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and
i. Involve the President and/or his designees, in the oversight development, implementation and administration of the Program; Duties of Card Issuers Regarding Changes of Address
ii. Train staff, as necessary, to effectively implement the Program; and
iii. Exercise appropriate and effective oversight of Service Provider arrangements.
iv. Consider guidelines included in Appendix A of 16 C.F.R. 681 and include in its Program those guidelines that are appropriate.
A. University departments which are Card Issuers, if any, will assess the validity of a change of address if it receives notification of a change of address for consumer’s Debit or Credit Card Account and, within a short period of time afterwards (during at least the first 30 calendar days after it receives such notification), the department receives a request for an additional or replacement card for the same Account. The department will not issue an additional or replacement card until the department:
i. Notifies the cardholder of the request:
1. At the cardholder’s former address; or
2. By any other means of communication that the Card Issuer and the cardholder have previously agreed to use; and
ii. Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
B. A department may satisfy the requirements of the preceding section by validating an address when it receives an address change notification before it receives a request for an additional or replacement card. Any written or electronic notice that the department provides under the preceding section should be clear and conspicuous and be provided separately from its regular correspondence with the cardholder.
1. Otherwise assesses the validity of the change of address by reasonable means
Conformity to Law
All programs implemented pursuant to this policy must be in compliance with the law and with University policies and regulations and shall conform to the legal standards and requirements of the University General Counsel.