The Red Flag regulations enumerate certain methods that financial institutions and creditors must undertake to administer the program. The University has incorporated the following methods into its program:
1. Oversight of the Program
The Finance Committee, on behalf of the Board of Trustees, has designated the Vice President for Financial Affairs to serve as the Program Administrator. The Program Administrator will be responsible for the oversight of the Red Flag Program. The responsibilities of the Program Administrator will be as follows:
- Ensure appropriate training of staff on the Program.
- Review any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft.
- Determine which steps of prevention and mitigation should be taken in particular circumstances.
- Consider periodic changes to the Program.
2. Staff Training
The Program Administrator will ensure that applicable departments are training their staff in the detection of red flags and the responsive steps to be taken when a red flag is detected. University staff shall be trained, as necessary, to effectively implement the Program. All employees are expected to notify the Program Administrator once they become aware of an incident of identity theft or of the University's failure to comply with the Program.
The Program Administrator will annually report to the Finance Committee regarding the University's compliance with this Program. This report will address such issues as the effectiveness of the Program in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts, service provider arrangements, significant incidents involving identity theft and the University's response, and recommendations for material changes to the Program.
4. Oversight of Service Provider Arrangements
In the event that the University engages a service provider to perform an activity in connection with one or more covered accounts, the University will take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Such steps may include the following:
- Require, by contract, that the service provider have policies and procedures to detect relevant red flags that may arise in the performance of the service provider's activities.
- Review a copy of the service provider's identity theft policies and procedures.
- Require, by contract, that service providers review the University's Program and report any red flags to the Program Administrator.
Approved: Committee on Financial Affairs & Audit, Board of Trustees