Safeguarding Customers from Identity Theft Policy


Purpose:
This Policy confirms Northern Michigan University’s intent to adhere to the provisions of the Fair and Accurate Credit Transactions Act (FACTA), its “Red Flag Rules,” and other Identity Theft protection provisions. 

Applicability:
This requirement applies to all nonpublic personal information in the school’s possession, including information by or about students, parents, or other individuals with whom the school has a Customer relationship.

Policy:
Northern Michigan University’s Finance and Administration has developed an Identity Theft Program (the Program) designed to prevent, detect, and mitigate Identity Theft in connection with Covered Accounts. The initial Program was reviewed and approved by the NMU Board of Trustees, at which time the Vice President of Finance and Administration and Treasurer to the Board of Trustees was assigned the role of Program Administrator.

The Program was designed to be appropriate to the size and complexity of Northern Michigan University and is periodically reviewed to ensure it continues to be effective. The Program requires University departments that utilize Consumer credit reports and/or issue credit or debit Accounts to take steps that protect Customers from Identity Theft.

The ongoing Program requires the Vice President of Finance and Administration, as Program Administrator, to assign a designate to:

  • Assess the scope of Covered Accounts and the controls in place;
  • Ensure that appropriate controls are in place to prevent, detect, and/or mitigate Identity Theft;
  • Periodically recommend updates to the Program to reflect changes in risk to Account holders; and  
  • Report to the Program Administrator information about the efficacy of the Program as well as other relevant recommendations for improvement. 

 


NMU Identity Theft Program

The general purpose of this Program is to provide guidance to NMU employees regarding the reasonable assurance that Identifying Information is true and authorized. The Program requires the University to: 

  • Verify Consumer’s identity before opening a Covered Account or changing the records related to the Consumer’s identity on a Covered Account; 
  • Report accurate addresses and other Consumer information to Consumer reporting agency/credit bureaus. Investigate complaints related to accuracy of information provided to a Consumer reporting agency/credit bureau; and 
  • Maintain internal records to document the support for opening and/or changing Consumer Account records. 

Definitions 

“Account” means a continuing relationship established by a person with a creditor to obtain a product or service for personal, family, household or business purposes.  It includes but is not limited to any extension of credit and/or deposit Accounts.

“Covered Account” means any Account that NMU offers or maintains for which there is a reasonably foreseeable risk to the Customer or to the safety and soundness of the creditor, from Identity Theft, including financial, operational, compliance, reputation, or litigation risks.   

“Customer”/“Consumer”/“Account Holder” are the terms used in the federal regulations. At NMU, this primarily means students, but can mean any person who, through utilizing University resources, receives an extension of credit or access to a deposit Account. By extension, it can also mean the person related to any Account that NMU reports to credit bureaus.

“Identity Theft” means a fraud committed or attempted using Identifying Information without authority. 

“Red Flag” means a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.  

“Service Provider” means a person or entity that provides a service directly to Northern Michigan University. This may include entities such as internal or external loan Programs, student Accounts, or other Accounts that provide credit or debit services.

"Identifying Information":  Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including but not limited to:

  • Name
  • Address
  • Telephone number
  • Social security number
  • Date of birth
  • Government-issued driver's license or identification number
  • Alien registration number
  • Government passport number
  • Employer or taxpayer identification number
  • Unique electronic identification number
  • Computer's Internet Protocol address or routing code
     

Identification of Red Flags
In order to identify relevant Red Flags, the University considers a set of risk factors, including the types of Accounts that it offers and maintains, the methods it provides to open its Accounts, the methods it provides to access its Accounts, and its previous experiences with Identity Theft. 

The following are examples of common and relevant Red Flags:

Notifications and Warnings from Credit Reporting Agencies

  • Report of fraud accompanying a credit report;
  • Notice or report from a credit agency of a credit freeze on a Customer or applicant;
  • Notice or report from a credit agency of an active duty alert for an applicant; and/or
  • Indication from a credit report of activity that is inconsistent with a Customer’s usual pattern or activity.

Suspicious Documents

  • Identification document or card that appears to be forged, altered or inauthentic;
  • Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document;
  • Other document with information that is not consistent with existing Customer information (such as if a person's signature on a check appears forged); and
  • Application for service that appears to have been altered or forged.

Suspicious Personal Identifying Information

  • Identifying information presented that is inconsistent with other information the Customer provides (example: inconsistent birth dates);
  • Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a credit report);
  • Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
  • Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
  • Social security number/identification number presented that is the same as one given by another Customer;
  • Failure to provide complete personal Identifying Information on an application when reminded to do so (however, by law social security numbers must not be required); and
  • Identifying information is not consistent with the information that is on file for the Customer.

Suspicious Account Activity or Unusual Use of Account

  • Change of address for an Account followed by a request to change the Account holder's name;
  • Payments stop;
  • Mail sent to the Account holder is repeatedly returned as undeliverable;
  • Notice to the University that a Customer is not receiving mail sent by the University;
  • Notice to the University that an Account has unauthorized activity;
  • Breach in the University's computer system security; and
  • Unauthorized access to or use of Customer Account information.

Alerts from Employers, Students, or Others
In addition, any notice to the University from a Customer, Identity Theft victim, law enforcement, or other party regarding the opening or maintenance of a fraudulent Account is an actionable Red Flag. 

Detecting Red Flags in New Accounts
In order to detect any of the Red Flags identified above associated with the opening of a new Account, University personnel will take the following steps to obtain and verify the identity of the person opening the Account:

  • Require certain Identifying Information such as name, date of birth, residential or business address, driver's license or other identification;
  • Verify the Customer's identity (for instance, review a driver's license or other government-issued identification card); or
  • Independently contact the Customer.

Detecting Red Flags in Existing Accounts
In order to detect any of the Red Flags identified above for an existing Account, University personnel will take the following steps to monitor transactions with an Account:

  • Verify the identification of Customers if they request information (in person, via telephone, via video telecommunication, via facsimile, via email);
  • Verify the validity of requests to change billing addresses; and
  • Verify changes in banking information given for billing and payment purposes.

Validation Requirements
NMU will use reasonable procedures to validate changes of address requests related to Covered Accounts. Validation will, when possible, be done at the time of the request. Any change authorized without immediate validation must, by regulation, occur within 30 days. 

No new access devices (such as cards to access a deposit account) can be reissued until the address change is properly validated. 

No deposits will be made to a bank account without proper validation of any requested change. 

Working with a Credit Reporting Agency
When credit reporting agencies inform NMU that there is an address discrepancy, typically meaning that mail has been returned, NMU will take reasonable steps to confirm the correct address and furnish it to the credit reporting agency. These measures may include:

  • Verifying the address with the Consumer
  • Reviewing NMU records, and/or
  • Other reasonable means. 

Recordkeeping
When making changes to Covered Accounts, NMU will retain records that evidence the support for the change. The record retention period for these records will be at least as long as the Account is open at the University, including any credit reporting period. Each relevant department will attest to proper recordkeeping annually.  

Responding to Red Flags and Mitigating Identity Theft
In the event University personnel detect any identified Red Flags, such personnel shall take all appropriate steps to respond to and mitigate Identity Theft depending on the nature and degree of risk posed by the Red Flag. The identifying department will document the investigation and implement the following options as appropriate:

  • Contact the department supervisor and/or Customer; and
  • Continue to monitor an Account for evidence of Identity Theft;
  • Change any passwords or other security devices that permit access to Accounts;
  • Not open a new Account;
  • Close an existing Account;
  • Reopen an Account with a new number;
  • Notify law enforcement; or
  • Determine that no response is warranted under the particular circumstances.

Staff Training and Reporting
University employees responsible for implementing the Program shall be trained under the direction of the Program Administrator, or their designate, in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected. The training will occur annually in the Compliance Committee meeting with relevant department heads. Additional training will be available through departmental procedures and web-based training modules.

Appropriate staff shall provide reports to the Program Administrator or their designate, on incidents of Identity Theft, the effectiveness of the Program, and the University's compliance with the Program, via the NMU Compliance Committee. 

Service Provider Arrangements
In the event the University engages a Service Provider to perform an activity in connection with one or more Accounts, the University will take the following steps to ensure the Service Provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft:

  • Require, by contract, that Service Providers have policies and procedures in place;
  • Require, by contract, that Service Providers review the University's Program and report any Red Flags to the Program Administrator.

Annual Attestation and Program Update
Each applicable department head will be assigned an annual attestation to evidence the adherence to the Program. The attestation will include the following:

  • The department identification of Covered Accounts is accurate and up to date, and the department has developed local policies and procedures for addressing the Red Flags associated with the related Covered Accounts.
  • The department has conducted the appropriate training for their staff as necessary and has taken the necessary steps to ensure any Service Provider activity is conducted appropriately.
  • The department has retained record of Red Flags detected and the actions taken in response.
  • The department has reported significant Red Flag occurrences to the Internal Auditor, as appropriate.
  • Finally, the department has forwarded or will forward in a timely manner suggestions to update the Program along with this attestation, including recommendations to update the program in response to changes in risk or operations to managerecords@nmu.edu.

Date Approved: 5-1-2009
Last Revision: 7-18-2025
Last Reviewed: 7-18-2025
Approved By: Board of Trustees
Oversight Unit: FINANCE & ADMIN, VICE PRES