Gramm-Leach-Bliley Act (GLBA)
The Financial Services Modernization Act of 1999 (also known as Gramm Leach Bliley Act (GLBA) 15 U.S.C. §6801) governs the use, sharing, and collection of financial information. It requires “financial institutions” to take steps to protect customers’ nonpublic personal information. Because Ohio State and higher education institutions like Ohio State participate in financial activities such as making student loans, the Federal Trade Commission's regulations consider them financial institutions and subject to certain GLBA regulations. Higher education institutions must comply with the Safeguards Rule of GLBA however they are exempt from the Privacy Rule by being compliant with the Family Educational Rights and Privacy Act (FERPA).
GLBA Security Plan
Purpose
This document is The Ohio State University Gramm Leach Bliley Act (GLBA) Security Plan. The goal of this document is to provide an outline to assure ongoing compliance with federal regulations related to the Safeguards Rule of GLBA. The University Bursar is responsible for the GLBA Security Plan and its periodic review. While not limited to the following, these offices are known to be covered under the scope of GLBA regulations to the extent they have access to in scope data: Office of the University Bursar, Student Financial Aid, Office of the Controller, the Office of the University Registrar, and the Office of Technology and Digital Innovation. The University’s Security Framework and Privacy and Release of Student Education Records Policy, which addresses FERPA compliance at Ohio State, supplement this document.
GLBA mandates that the University:
- Designate one or more employees to coordinate its information security program;
- Identify and assess the risks to customer information in each relevant area of the University’s operations, and evaluate the effectiveness of the current safeguards for controlling these risks
- Design and implement a safeguards program, and regularly monitor and test it;
- Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
- Evaluate and adjust the program in light of relevant circumstances, including changes in the University’s business or operations, or the results of security testing and monitoring.
Scope
For purposes of GLBA, covered data is limited to financial information connected to student and parent finances such as student and parent loans, bank account information and income tax information for financial aid packages. Emergency faculty loans are also considered in scope. Covered data resides in the University’s Student Information System (SIS), Tableau, Workday, Salesforce, and the Reporting and Analytics Environment (RAE).
Plan Statement
I. Information Security Program Coordinator
The Chief Information Security Officer is the Information Security Program Coordinator for the University. The GLBA Information Security Program is part of the larger University Information Security Program.
The GLBA Information Security Program is evaluated periodically to make appropriate adjustments and educational reminders are sent to the University community. Questions regarding interpretations and applicability of the GLBA and implementing federal regulations is coordinated with the Office of the University Bursar.
II. Risk Assessment and Safeguards
Covered data is housed in several systems therefore multiple areas of the University are responsible for assessing risks and putting safeguards in place to protect customer’s information. The Office of the University Bursar and the Office of Technology and Digital Innovation work together to identify and assess risks to (a) customer information including detection, prevention and response to attacks, intrusions and other system failures, (b) information systems, including network and software design, as well information processing, storage, transmission and disposal, and (c) employee training and education, and in each case, put safeguards in place to address those risks and regularly test those safeguards to make sure they are effective.
III. Employee training and education
While directors and supervisors are ultimately responsible for ensuring compliance with information security practices, the Office of the University Bursar has developed and implemented GLBA training for all employees who have access to covered data. These employees typically fall into three categories: professionals in information technology; data stewards; and those employees who use the data as part of their essential job duties. New employees must successfully complete GLBA training as well as pass a quiz in order to gain access to student financial or financial aid data. In addition, current employees that have access to student financial or financial aid data must complete GLBA training and pass a quiz at least once every fiscal year. Current employees that do not complete the training by the required deadline have their access removed and must complete the training as well as pass the quiz before access is restored.
IV. Oversight of Service Providers and Contracts
GLBA requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. Vendors who will have access to covered data must undergo a security risk assessment to identify and document risks associated with them transmitting and/or storing customer data. Appropriate data security provisions are included in contracts with such vendors.
V. Evaluation and Revision of the Information Security Program
GLBA mandates that the Information Security Program be subject to periodic review and adjustment as a result of the risk assessments and material changes to the University’s operations or business. Processes such as data access procedures and the training program undergo regular review in relevant offices of the University.
Resources:
- GLBA Training - BuckeyeLearn
- Cybersecurity at Ohio State - Office of Technology and Digital Innovation
- FERPA at Ohio State - Office of the University Registrar
- How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act - Federal Trade Commission
Identity Theft Red Flags
The Ohio State University recognizes that identity theft is an issue that can result in harm to its customers as well as the institution. The purpose of a red flags program is to detect patterns, practices and specific forms of activity that indicate the existence of identity theft and prevent a customer from using false identifying information to obtain goods, services or credit. In addition, identifying information maintained by the University must be protected to the greatest possible extent.
Ohio State Red Flags Program
Coming Soon!
University Account Establishment Red Flags Guidelines
Initiation of a relationship with a customer for the purpose of establishing a University Account as defined in the Identity Theft Red Flags policy. Examples include individual submits a credit application request, patient completes registration paperwork, individual requests to purchase a good or service such as memberships, tuition payment plans, etc.
Red Flag # 1 – Fraud alert is included with a consumer report:
Examples of Detection Mechanism
- Credit report where there are statements regarding identification mismatch, fraud alert or credit freeze.
Employee Action Steps
- Do not process transaction until further information can be obtained
- Unit should contact consumer reporting agency to validate identifying information
- If validation is acceptable, proceed with customer initiation activity
- If validation is not acceptable, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #2 - Notice of a credit freeze in response to a request for a consumer report:
Examples of Detection Mechanism
- Credit report where there are statements regarding identification mismatch, fraud alert or credit freeze.
Employee Action Steps
- Do not process transaction until further information can be obtained
- Unit should contact consumer reporting agency to validate identifying information
- If validation is acceptable, proceed with customer initiation activity
- If validation is not acceptable, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #3 – Consumer reporting agency provides a notice of address discrepancy:
Examples of Detection Mechanism
- Credit report where there is an indication of an address discrepancy
Employee Action Steps
- Do not process transaction until further information can be obtained
- Unit should contact consumer reporting agency to validate identifying information
- If validation is acceptable, proceed with customer initiation activity
- If validation is not acceptable, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #4 – Unusual credit activity, such as an increased number of accounts or inquiries:
Examples of Detection Mechanism
- Credit report where there is an indication of an unusual number of inquiries
Employee Action Steps
- Do not process transaction until further information can be obtained
- Unit should contact consumer reporting agency to validate identifying information
- If validation is acceptable, proceed with customer initiation activity
- If validation is not acceptable, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #5 – Document provided for identification appears to be altered or forged:
Examples of Detection Mechanism
- Picture on identification is not representative of customer
- Picture on identification is blurry
- Signature on presented identification does not match signature on any available application
- Identification contains unusual typeface or typographical errors
- Identification appears to have white-out, taped, Xeroxed, etc.
Employee Action Steps
- Request additional government issued ID
- If second identification is satisfactory, proceed with the customer initiation activity
- If second identification is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #6 – Photograph on identification is inconsistent with the appearance of the customer:
Examples of Detection Mechanism
- Picture on identification is not representative of customer
- Picture on identification is blurry
Employee Action Steps
- Request additional government issued ID
- If second identification is satisfactory, proceed with the customer initiation activity
- If second identification is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #7 – Information on identification is inconsistent with information provided by the person opening the account:
Examples of Detection Mechanism
- Name, address or other information from identification does not match application form
Employee Action Steps
- Ask customer to clarify discrepancy and provide additional government issued ID, if necessary
- If explanation is reasonable, proceed with the customer initiation activity
- If explanation is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #8 – Information on identification (such as signature) is inconsistent with existing information on file:
Examples of Detection Mechanism
- Name, address or other information from identification does not match application form
Employee Action Steps
- Ask customer to clarify discrepancy and provide additional government issued ID, if necessary
- If explanation is reasonable, proceed with the customer initiation activity
- If explanation is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #9 – Application appears to be forged, altered or destroyed and reassembled:
Examples of Detection Mechanism
- Signature on completed application does not match signature on identification or other documentation
- Application appears to have white-out, taped, Xeroxed, etc.
Employee Action Steps
- Request additional government issued ID
- If second identification is satisfactory, proceed with the customer initiation activity
- If second identification is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #10A – Information on identification does not match the address in a consumer report or existing system/application:
Examples of Detection Mechanism
- Name, address or other information from identification does not match application form
Employee Action Steps
- Ask customer to clarify discrepancy and provide additional government issued ID, if necessary
- If explanation is reasonable, proceed with the customer initiation activity
- If explanation is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #10B – Social security number provided has not been issued or appears on the SSA Death Master File:
Employee Action Steps
- Verify SSN via Social Security Number Verification Service
- If SSN appears valid, proceed with customer initiation activity
- If SSN does not appear valid, ask customer to confirm the number
- If same number is provided, do not proceed and report to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #11 – Range in the social security number does not correlate to the date of birth:
Employee Action Steps
- Verify SSN via Social Security Number Verification Service
- If SSN appears valid, proceed with customer initiation activity
- If SSN does not appear valid, ask customer to confirm the number
- If same number is provided, do not proceed and report to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #12 – Personal identifying information has been associated with known fraud activity:
Examples of Detection Mechanism
- Person’s name has been included in a University alert
- Person’s name appears on a list of individuals writing bad checks
Employee Action Steps
- Do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #13 – Suspicious address is supplied (e.g., mail drop, prison, pager/answering service):
Employee Action Steps
- Do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #14 – SSN matches that submitted by another person opening an account:
Employee Action Steps
- Verify SSN via Social Security Number Verification Service
- If SSN appears valid, proceed with customer initiation activity
- If SSN does not appear valid, ask customer to confirm the number
- If same number is provided, do not proceed and report to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #15 – Address or phone number matches that supplied by a large number of applicants:
Employee Action Steps
- Do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #16 – Person opening the account is unable to supply identifying information after notification of incomplete application:
Employee Action Steps
- Do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #17 – Personal information is inconsistent with information already on file:
Examples of Detection Mechanism
- Name, address or other information from identification does not match application form or other documents
Employee Action Steps
- Ask customer to clarify discrepancy and provide additional government issued ID, if necessary
- If explanation is reasonable, proceed with the customer initiation activity
- If explanation is not satisfactory, do not proceed and report to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #18 – Person opening an account or customer is unable to correctly answer challenge questions:
Employee Action Steps
- Do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #19 – Shortly after change of address, request for additional users of the account is received:
Employee Action Steps
- Ask customer to clarify discrepancy and provide additional government issued ID, if necessary
- If explanation is reasonable, proceed with the customer initiation activity
- If explanation is not satisfactory, do not proceed and report to supervisor
Supervisor Action Steps
- Notify customer that the transaction cannot be processed
- Collect and retain any documents for potential evidence
- Report incident to the University Police as appropriate
Red Flag #20 – Most available credit used for cash advances, jewelry, electronics and/or customer fails to make first payment:
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #21 – Drastic changes in payment patterns, use of available credit or spending patterns:
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #22 – Inactive account suddenly exhibits unusual activity:
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #23 – Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions:
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #24 – Customer indicates they are not receiving paper account statements:
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #25 – Customer notifies of unauthorized charges or transactions:
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #26 – Institution notified that it has opened a fraudulent account for a person engaged in identity theft:
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
University Billing and Account Payment Red Flags Guidelines
Red Flag #1 – Fraud alert is included with a consumer report:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #2 – Notice of a credit freeze in response to a request for a consumer report:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #3 – Consumer reporting agency provides a notice of address discrepancy:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #4 – Unusual credit activity, such as an increased number of accounts or inquiries:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #5 – Document provided for identification appears to be altered or forged:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #6 – Photograph on identification is inconsistent with the appearance of the customer:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #7 – Information on identification is inconsistent with information provided by the person opening the account:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #8 – Information on identification (such as signature) is inconsistent with existing information on file:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #9 – Application appears to be forged, altered or destroyed and reassembled:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #10A – Information on identification does not match the address in a consumer report or existing system or application:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #10B – Social security number provided by customer has not been issued or appears on the SSA Death Master File:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #11 – Range in the social security number does not correlate to the date of birth:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #12 – Personal identifying information has been associated with known fraud activity:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #13 – Suspicious address is supplied, such as a mail drop or prison or phone numbers associated with pagers or answering service:
Examples of Detection Mechanism
- Payment sent by mail statement indicates suspicious change of address or phone number
Employee Action Steps
- Call the customer to verify change
- If the change is valid, proceed with change
- If the change appears to be suspicious, report the incident to supervisor
Supervisor Action Steps
- Collect and retain any documents for potential evidence
- Report the incident to University Police as appropriate
- Report any financial fraud per the Financial Fraud Reporting Policy
Red Flag #14 – Social security number provided matches that submitted by another person opening an account or other customers:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #15 – An address or phone number matching that supplied by a large number of applicants:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #16 – Person opening the account is unable to supply identifying information in response to notification that an application is incomplete:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #17 – Personal information is inconsistent with information already on file:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #18 – Person opening an account or customer is unable to correctly answer challenge questions:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #19 – Shortly after change of address is received, receive request for additional users of the account:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #20 – Most of the available credit is used for cash advances, jewelry or electronics and/or customer fails to make first payment:
Examples of Detection Mechanism
- First payment is missed on account
Employee Action Steps
- If first payment is missed, review the application to verify that the account is not fraudulent
- If the application detects fraudulent activity, report the incident to supervisor
Supervisor Action Steps
- Collect and retain any documents for potential evidence
- Report the incident to University Police as appropriate
- Report any financial fraud per the Financial Fraud Reporting Policy
Red Flag #21 – Drastic changes in payment patterns, use of available credit or spending patterns:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #22 – An account that has been inactive for a lengthy time suddenly exhibits unusual activity:
Examples of Detection Mechanism
- Not applicable
Employee Action Steps
- Not applicable
Supervisor Action Steps
- Not applicable
Red Flag #23 – Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account:
Employee Action Steps
- Call the customer to verify address
- If the change is valid, proceed with change
- If the change appears to be suspicious, report the incident to supervisor
Supervisor Action Steps
- Collect and retain any documents for potential evidence
- Report the incident to University Police as appropriate
- Report any financial fraud per the Financial Fraud Reporting Policy
Red Flag #24 – Customer indicates that they are not receiving paper account statements:
Examples of Detection Mechanism
- Customer did not receive their statement
Employee Action Steps
- Verify address with customer
- If the customer states that the address on file is incorrect, verify the customer’s personal identification and obtain correct address. If information cannot be verified, report the incident to supervisor
- If the customer states that the address on file is correct, refer the customer to the US Postal Service for further investigation
Supervisor Action Steps
- Collect and retain any documents for potential evidence
- If the customer cannot produce verifying information, report the incident to University Police as appropriate
- Report any financial fraud per the Financial Fraud Reporting Policy
Red Flag #25 – Customer notifies that there are unauthorized charges or transactions on customer’s account:
Examples of Detection Mechanism
- Upon receiving their statement, the customer notices unauthorized charges or transactions
Employee Action Steps
- Review statement transactions with customer to verify that the transactions were fraudulent
- If the employee believes the transaction to be fraudulent, report the incident to supervisor
Supervisor Action Steps
- Collect and retain any documents for potential evidence
- Report the incident to University Police as appropriate
- Report any financial fraud per the Financial Fraud Reporting Policy
Red Flag #26 – Institution notified that it has opened a fraudulent account for a person engaged in identity theft:
Employee Action Steps
- Review statement transactions with customer to verify that the transactions were fraudulent
- If the transaction appears to be fraudulent, report the incident to supervisor
Supervisor Action Steps
- Collect and retain any documents for potential evidence
- Report the incident to University Police as appropriate
- Report any financial fraud per the Financial Fraud Reporting Policy
Red Flag #27 – Other:
Employee Action Steps
- If the transaction appears to be fraudulent, report the incident to supervisor
Supervisor Action Steps
- Collect and retain any documents for potential evidence
- Report the incident to University Police as appropriate
- Report any financial fraud per the Financial Fraud Reporting Policy
Manager's Checklist
Note: All of the following steps should be reviewed on an annual basis.
- Review internal processes where goods, services or credit are provided to customers and implement the guidelines as necessary.
- Develop a compliance plan for your college or department to meet the requirements of the university red flags policy. Determine which of the 26 red flags apply to your business practices and which of the university red flag guidelines you should incorporate into your plan.
- Your compliance plan should begin with an assessment of your current business practices. Identify areas in your business processes where there is risk for identity theft to occur.
- Consider the types of accounts and the number of ways those accounts are created or assessed. Have you been defrauded before by someone using stolen information? How was it done? Are they process or technology based?
- The compliance plan should include details such as roles and responsibilities of each staff member.
- Update internal control structure or standard operating procedures as appropriate to reflect university guidelines.
- Determine the risk associated with each of your business processes.
- Determine whether you have proper controls in place or whether you should add some. Do gaps exist in your business procedures to identify individuals establishing university accounts? Do your procedures require a customer to present a photo identification to establish an account?
- Your compliance plan may incorporate documenting and reinforcing many of your existing controls.
- Annually review internal processes, control structures and standard operating procedures for continued compliance with guidelines.
- The updates should document the action steps as defined in the Identity Theft Red Flags guidelines and how these guidelines will be applied within your unit.
- Don’t forget to update any internal training manuals or other materials.
- Identify employees who must complete training and ensure that training is completed in BuckeyeLearn.
- Ensure that your staff receives the necessary training. This includes training on the unit’s internal processes as well as taking the online red flags training. Make sure that you and your staff are familiar with university policies related to protecting identifying information.
- New employees will need to complete this training within two weeks of their hire date.
Questions regarding the policy and training should be directed to the University Bursar (internalbursar@osu.edu).
Resources:
- Identity Theft Red Flags Training - BuckeyeLearn
- Identity Theft Red Flags Policy
- University Account Establishment Red Flags Guidelines - Printable Version
- University Billing and Account Payment Red Flags Guidelines - Printable Version
Cash Management Regulations
The U.S. Department of Education published cash management regulations (34CFR668.161-167) via the Federal Register on October 30, 2015. This web page is published to comply with these regulatory reporting requirements.
Any United States bank account may be used for your student refund via direct deposit. Ohio State has partnered with Huntington National Bank; however, opening a Huntington account is voluntary and is not required to receive any Ohio State services, including direct deposit. No preferential treatment is given to Huntington account holders. For a listing of Huntington account options, including features and fees, please visit Huntington Personal Checking. The agreement allows the BuckID Card to be linked to a Huntington banking account as a choice and provides additional optional banking as a convenience.
In compliance with the Department of Education cash management regulations, the following information was provided by Huntington National Bank to The Ohio State University and is in regards to the number of Ohio State students who had a Huntington Asterisk-Free checking account open at any time during the most recently completed award year and the mean and median of the actual costs incurred by Ohio State students who have Huntington Financial Account(s).
Award Year Ending June 30, 2024
Huntington National Bank
Category | Data |
---|---|
Student Accounts | 19,706 |
Mean Student Cost | $1.20 |
Median Student Cost | $0.00 |
Total Consideration | $0.00 |
**OSU Student accounts = consumer Asterisk-Free checking account, primary owner 18-24 (at reporting month), household match to OSU student file
Please visit Huntington’s Asterisk-Free Checking Account for more information.
Resources:
- The Ohio State University and The Huntington National Bank Affinity and License Agreement
- Amendment #2 to Huntington Affinity and License Agreement
Digital information and digital services acquired, developed, or delivered prior to August 1, 2018, are subject to the applicable web and digital accessibility standards in effect at that time and specifically to the provisions for “legacy” content in the Digital Accessibility Policy.
Related Resources
- Registration, Fees and Important Dates
- Buckeye Link
- Student Financial Aid
- My Buckeye Link Reference Guide
- Ohio Residency for Tuition
- University Housing
- Dining Services
- Student Health Insurance
- Student Legal Services
- The Graduate School
- Military and Veterans Services
- Office of International Affairs
- Admissions
- Office of Human Resources
Contact Buckeye Link
P: 614-292-0300
W: help.osu.edu
Location
1st Floor Lobby
Student Academic Services Building
281 W. Lane Avenue
Columbus, Ohio 43210
Office Hours
M-R 9:00am - 5:00pm
F 9:00am - 4:00pm