19.5.1. IDENTITY THEFT PREVENTION PROGRAM

The University of Texas at Austin is required to develop, implement, and maintain a written Identity (ID) Theft Prevention Program to identify, prevent, and decrease identity theft cases from occurring in accordance with the 16 CFR 681.2, the Federal Trade Commission's Red Flags Rule.

A. Oversight

The Director of Treasury, Risk and Payment Information is the program administrator and is responsible for developing, implementing, and maintaining the Identity Theft Prevention Program:

• identify areas where covered accounts are held by the university
• ensure university personnel are appropriately trained to comply with the Red Flags Rule.
• provide an annual report to the University President on compliance with the program

B. Departmental Responsibilities

The university has deemed federal and institutional loans and tuition installment accounts to be covered accounts. All areas, departments, colleges, and schools that offer or maintain one or more covered accounts are responsible for compliance with the 19.5.1. Identity Theft Program Guidelines. Although not meant to be an inclusive list, each University of Texas at Austin department below has been identified as being responsible for opening, directly or indirectly, or maintaining covered accounts at the university and is responsible for adhering to the Identity Theft Prevention program.

• Cashier's Office
•  Division of Housing and Food Service
• ID Center/Information Technology Services
• Office of Student Financial Services
• Student Accounts Receivable
• Loan Services
• Tuition Billing

These departments may incorporate existing internal policies and procedures that promote the purpose of the ID Theft Prevention Program, including available security tools, as long as these tools can assist with the implementation of this program.

Departments not specifically listed above must follow the 19.5.1. Identity Theft Program Guidelines and report their actions if identity theft is suspected. In addition, all departments must report all suspected or confirmed incidents of identity theft to the Office of Risk Management .

C. Risk Assessment and Program Review

An annual risk assessment is performed by the Office of Risk Management to determine if additional departments and/or areas have become responsible for opening or maintaining covered accounts. Each department must determine the following:

• types of covered accounts
• existing account opening processes
• methods of how existing accounts are accessed
• previous instances where identity theft has occurred

Additionally,the Office of Risk Management completes an annual review of any incidents of identity theft occurring since the last review, changes in methods of identity theft, the types of accounts being opened and/or maintained, and changes to the methods of identifying and preventing identity theft. The program administrator is also responsible for preparing and submitting an annual report illustrating the program's effectiveness, significant incidents of identity theft, managements' responses, and any recommended changes to the program.

D. Training

Staff working in departments involved in the creation, modification, or administration of covered accounts must complete the identity theft prevention training to ensure compliance with the Identity Theft Prevention Program.

Part 19. Risk Management - Table of Contents