Red Flag

Board of Trustee Policy: 5.16

Date: December 2021

Supersedes: June 2014, June 2009


Purpose

As defined in Part 681 of Title 16 of the Code of Federal Regulations implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003, the Federal Trade Commission (FTC) mandates that Montgomery County Community College implement a written Red Flag Program. The purpose of this policy is to provide guidance in the proper identification, detection, and response to warning signs of identity theft as required by these regulations.

This policy is subject to review and revision, pursuant to corresponding changes in FACTA law and FTC regulations.

Scope

This policy applies to all Montgomery County Community College covered accounts, both old and new, that offer credit, or other forms of deferred payment (e.g., deferred payment accounts, refund of credit balances, emergency loans). Additionally, the policy applies to all administrators and staff who work with the authentication of persons in the enrollment and management of covered accounts.

Policy

In compliance with federal law, Montgomery County Community College will develop, implement, and maintain a written Red Flag Program. The Red Flag Program will identify red flags, detect the occurrence of red flags, outline appropriate actions for when red flags are found, and be reevaluated in order that the Policy remain sufficiently up-to-date to ensure protection against identity theft. All covered accounts will have administrative and/or technical controls in place to detect and respond to red flags that could indicate identity theft.

Procedure

As part of Montgomery County Community College’s Red Flag Program, the College will:

  • Incorporate operating procedures which address the identification, detection, and response to reasonably foreseeable red flags;
  • Train the appropriate staff on how to detect and respond to red flags;
  • Take steps to ensure that the activity of any third-party service provider is conducted in accordance with reasonable policies and procedures which comply with regulations mandated by the FTC regarding identity theft prevention;
  • Review and update the program on an annual basis, as per the regulations, and update when necessary.
Roles and Responsibilities

Following approval of the Red Flag Policy, the Board of Trustees delegates responsibility of the Red Flag Program to the Vice President of Finance.

The Vice President of Finance is responsible for the development, implementation, and continued administration of the Red Flag Program. In addition, the Vice President of Finance is responsible for identifying new applications of the policy when systems and/or processes include applicable covered accounts and for training applicable staff on detection of and response to the defined red flags of identity theft for each account type applicable to this policy. The Red Flag Program will be reviewed on an annual basis (August of each year) to ensure compliance to the FTC regulations. The review will include material matters related to the program, and evaluate the effectiveness of the program, significant issues regarding identity theft, management’s response, and a recommendation as to how to improve the program. Documents will be created, revised, updated, expanded, or depreciated as necessary. The Board of Trustees will be informed of the result of the annual review.

The Vice President of Information Technology and Institutional Effectiveness in conjunction with the Executive Director of Information Technology Security is responsible for providing assistance in implementing technical controls to detect and respond to red flags.

Definitions

Identity theft is a fraud committed or attempted using the identifying information of another person.

A covered account is an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, which involves or is designed to permit multiple payments or transactions. Accounts for tuition deferred payments are also considered covered accounts.

A red flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft.