Compliance

Gramm-Leach-Bliley Act (GLBA)


The Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §6801) governs the use, sharing, and collection of financial information. It requires “financial institutions” to take steps to protect customers’ nonpublic personal information. Because Ohio State and higher education institutions like it participate in financial activities such as making student loans, the Federal Trade Commission's regulations consider them financial institutions subject to certain GLBA regulations. Higher education institutions must comply with the Safeguards Rule of GLBA; however, they are exempt from the Privacy Rule by being compliant with the Family Educational Rights and Privacy Act (FERPA).

GLBA Security Plan

Purpose

This document is The Ohio State University Gramm Leach Bliley Act (GLBA) Security Plan. The goal of this document is to provide an outline to assure ongoing compliance with federal regulations related to the Safeguards Rule of GLBA. The University Bursar is responsible for the GLBA Security Plan and its periodic review. While not limited to the following, these offices are known to be covered under the scope of GLBA regulations to the extent they have access to in scope data: Office of the University Bursar, Student Financial Aid, Office of the Controller, the Office of the University Registrar, and the Office of Technology and Digital Innovation. The University’s Security Framework and Privacy and Release of Student Education Records Policy, which addresses FERPA compliance at Ohio State, supplement this document.

GLBA mandates that the University:

  • Designate one or more employees to coordinate its information security program;
  • Identify and assess the risks to customer information in each relevant area of the University’s operations, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • Design and implement a safeguards program, and regularly monitor and test it;
  • Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the University’s business or operations, or the results of security testing and monitoring.

Scope

For purposes of GLBA, covered data is limited to financial information connected to student and parent finances such as student and parent loans, bank account information and income tax information for financial aid packages. Emergency faculty loans are also considered in scope. Covered data resides in the University’s Student Information System (SIS), Tableau, Workday, and the Operational Data Store (ODS).

Plan Statement

I. Information Security Program Coordinator

The Chief Information Security Officer is the Information Security Program Coordinator for the University. The GLBA Information Security Program is part of the larger University Information Security Program.

The GLBA Information Security Program is evaluated periodically to make appropriate adjustments, and educational reminders are sent to the University community. Questions regarding interpretations and applicability of the GLBA and implementing federal regulations are coordinated with the Office of the University Bursar.

II. Risk Assessment and Safeguards

Covered data is housed in several systems; therefore, multiple areas of the University are responsible for assessing risks and putting safeguards in place to protect customers’ information. The Office of the University Bursar and the Office of Technology and Digital Innovation work together to identify and assess risks to (a) customer information, including detection, prevention and response to attacks, intrusions and other system failures, (b) information systems, including network and software design, as well as information processing, storage, transmission and disposal, and (c) employee training and education, and in each case, put safeguards in place to address those risks and regularly test those safeguards to make sure they are effective.

III. Employee training and education

While directors and supervisors are ultimately responsible for ensuring compliance with information security practices, the Office of the University Bursar has developed and implemented GLBA training for all employees who have access to covered data. These employees typically fall into three categories: professionals in information technology; data stewards; and those employees who use the data as part of their essential job duties. New employees must successfully complete GLBA training as well as pass a quiz in order to gain access to student financial or financial aid data. In addition, current employees that have access to student financial or financial aid data must complete GLBA training and pass a quiz at least once every fiscal year. Current employees that do not complete the training by the required deadline have their access removed and must complete the training as well as pass the quiz before access is restored.

IV. Oversight of Service Providers and Contracts

GLBA requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. Vendors who will have access to covered data must undergo a security risk assessment to identify and document risks associated with them transmitting and/or storing customer data. Appropriate data security provisions are included in contracts with such vendors.

V. Evaluation and Revision of the Information Security Program

GLBA mandates that the Information Security Program be subject to periodic review and adjustment as a result of the risk assessments and material changes to the University’s operations or business. Processes such as data access procedures and the training program undergo regular review in relevant offices of the University.


Identity Theft Red Flags


The Ohio State University recognizes that identity theft is an issue that can result in harm to its customers as well as the institution. The purpose of a red flags program is to detect patterns, practices and specific forms of activity that indicate the existence of identity theft and prevent a customer from using false identifying information to obtain goods, services or credit. In addition, identifying information maintained by the University must be protected to the greatest possible extent.

Ohio State Red Flags Program

Coming Soon!

University Account Establishment Red Flags Guidelines

Initiation of a relationship with a customer for the purpose of establishing a University Account as defined in the Identity Theft Red Flags policy. Examples include: an individual submits a credit application request, a patient completes registration paperwork, an individual requests to purchase a good or service such as memberships, tuition payment plans, etc.

Red Flag ID #: 1
Description of Red Flag: Fraud alert is included with a consumer report
Examples of Detection Mechanisms*: Credit report where there are statements regarding identification mismatch, fraud alert or credit freeze.
Employee Action Steps:
1) Do not process transaction until further information can be obtained
2) Unit should contact consumer reporting agency to validate identifying information
3) If validation is acceptable, proceed with customer initiation activity
4) If validation is not acceptable, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 2
Description of Red Flag: Notice of a credit freeze in response to a request for a consumer report
Examples of Detection Mechanisms*: Credit report where there are statements regarding identification mismatch, fraud alert or credit freeze.
Employee Action Steps:
1) Do not process transaction until further information can be obtained
2) Unit should contact consumer reporting agency to validate identifying information
3) If validation is acceptable, proceed with customer initiation activity
4) If validation is not acceptable, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 3
Description of Red Flag: Consumer reporting agency provides a notice of address discrepancy
Examples of Detection Mechanisms*: Credit report where there is an indication of an address discrepancy
Employee Action Steps:
1) Do not process transaction until further information can be obtained
2) Unit should contact consumer reporting agency to validate identifying information
3) If validation is acceptable, proceed with customer initiation activity
4) If validation is not acceptable, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 4
Description of Red Flag: Unusual credit activity, such as an increased number of accounts or inquiries
Examples of Detection Mechanisms*: Credit report where there is an indication of an unusual number of inquiries
Employee Action Steps:
1) Do not process transaction until further information can be obtained
2) Unit should contact consumer reporting agency to validate identifying information
3) If validation is acceptable, proceed with customer initiation activity
4) If validation is not acceptable, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 5
Description of Red Flag: Document provided for identification appears to be altered or forged
Examples of Detection Mechanisms*: Picture on identification is not representative of customer
  • Picture on identification is blurry
  • Signature on presented identification does not match signature on any available application
  • Identification contains unusual type face or typographical errors
  • Identification appears to have white-out, taped, Xeroxed, etc.
Employee Action Steps:
1) Request additional government issued ID
2) If second identification is satisfactory, proceed with the customer initiation activity
3) If second identification is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 6
Description of Red Flag: Photograph on identification is inconsistent with the appearance of the customer
Examples of Detection Mechanisms*: Picture on identification is not representative of customer
  • Picture on identification is blurry
Employee Action Steps:
1) Request additional government issued ID
2) If second identification is satisfactory, proceed with the customer initiation activity
3) If second identification is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 7
Description of Red Flag: Information on identification is inconsistent with information provided by the person opening the account
Examples of Detection Mechanisms*: Name, address or other information from identification does not match application form
Employee Action Steps:
1) Ask customer to clarify discrepancy and provide additional government issued ID, if necessary
2) If explanation is reasonable, proceed with the customer initiation activity
3) If explanation is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 8
Description of Red Flag: Information on identification (such as signature) is inconsistent with existing information on file
Examples of Detection Mechanisms*: Name, address or other information from identification does not match application form
Employee Action Steps:
1) Ask customer to clarify discrepancy and provide additional government issued ID, if necessary
2) If explanation is reasonable, proceed with the customer initiation activity
3) If explanation is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 9
Description of Red Flag: Application appears to be forged, altered or destroyed and reassembled
Examples of Detection Mechanisms*: Signature on completed application does not match signature on identification or any other available documentation or
  • Application appears to have white-out, taped, Xeroxed, etc.
Employee Action Steps:
1) Request additional government issued ID
2) If second identification is satisfactory, proceed with the customer initiation activity
3) If second identification is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 10A
Description of Red Flag: Information on identification does not match the address in a consumer report or existing system or application
Examples of Detection Mechanisms*: Name, address or other information from identification does not match application form
Employee Action Steps:
1) Ask customer to clarify discrepancy and provide additional government issued ID, if necessary
2) If explanation is reasonable, proceed with the customer initiation activity
3) If explanation is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 10B
Description of Red Flag: Social security number provided by customer has not been issued or appears on the Social Security Administrator’s Death Master File
Employee Action Steps:
1) Verify Social Security number has been issued via Social Security Number Verification Service
2) If Social Security number appears to be valid, proceed with customer initiation activity
3) If Social Security number does not appear to be valid, ask customer to confirm provided Social Security number
4) If same number is provided, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 11
Description of Red Flag: Range in the social security number does not correlate to the date of birth
Employee Action Steps:
1) Verify Social Security number has been issued via Social Security Number Verification Service
2) If Social Security number appears to be valid, proceed with customer initiation activity
3) If Social Security number does not appear to be valid, ask customer to confirm provided Social Security number
4) If same number is provided, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 12
Description of Red Flag: Personal identifying information has been associated with known fraud activity
Examples of Detection Mechanisms*: Person’s name has been included in a University alert
  • Person’s name appears on a list of writing bad checks
Employee Action Steps:
1) Do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 13
Description of Red Flag: Suspicious address is supplied, such as a mail drop or prison or phone numbers associated with pagers or answering service
Employee Action Steps:
1) Do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 14
Description of Red Flag: Social security number provided matches that submitted by another person opening an account or other customers
Employee Action Steps:
1) Verify Social Security number has been issued via Social Security Number Verification Service
2) If Social Security number appears to be valid, proceed with customer initiation activity
3) If Social Security number does not appear to be valid, ask customer to confirm provided Social Security number
4) If same number is provided, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 15
Description of Red Flag: An address or phone number matching that supplied by a large number of applicants
Employee Action Steps:
1) Do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 16
Description of Red Flag: Person opening the account is unable to supply identifying information in response to notification that an application is incomplete
Employee Action Steps:
1) Do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 17
Description of Red Flag: Personal information is inconsistent with information already on file
Examples of Detection Mechanisms*: Name, address or other information from identification does not match application form, other available documents or information already on file in system
Employee Action Steps:
1) Ask customer to clarify discrepancy and provide additional government issued ID, if necessary
2) If explanation is reasonable, proceed with the customer initiation activity
3) If explanation is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 18
Description of Red Flag: Person opening an account or customer is unable to correctly answer challenge questions
Employee Action Steps:
1) Do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 19
Description of Red Flag: Shortly after change of address is received, receive request for additional users of the account
Employee Action Steps:
1) Ask customer to clarify discrepancy and provide additional government issued ID, if necessary
2) If explanation is reasonable, proceed with the customer initiation activity
3) If explanation is not satisfactory, do not proceed with the customer initiation activity and report the incident to supervisor
Supervisor Action Steps:
1) Notify customer that the transaction cannot be processed
2) Collect and retain any documents for potential evidence
3) Report incident to the University Police as appropriate

Red Flag ID #: 20
Description of Red Flag: Most of the available credit is used for cash advances, jewelry or electronics and/or customer fails to make first payment
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 21
Description of Red Flag: Drastic changes in payment patterns, use of available credit or spending patterns
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 22
Description of Red Flag: An account that has been inactive for a lengthy time suddenly exhibits unusual activity
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 23
Description of Red Flag: Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 24
Description of Red Flag: Customer indicates that they are not receiving paper account statements
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 25
Description of Red Flag: Customer notifies that there are unauthorized charges or transactions on customer’s account
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 26
Description of Red Flag: Institution notified that it has opened a fraudulent account for a person engaged in identity theft
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

* Below is the list of the forms of acceptable identification. The presented identification must contain a photograph.

  • Current validated OSU employee or student identification card OSU ID number (e.g. BuckID or other University issued ID card)
  • State issued driver’s license
  • State issued identification
  • U.S. passport
  • Non-U.S. passport with I-94 card (Visa)
  • Government issued military ID
  • U.S. Bureau of Indian Affairs ID
  • Major credit card

University Billing and Account Payments Red Flags Guidelines

Payment on an account or closure of an account as defined in the Identity Theft Red Flags policy. Examples include missing account statements, unauthorized transactions, suspicious address or phone changes by the customer, etc. 

Red Flag ID #: 1
Description of Red Flag: Fraud alert is included with a consumer report
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 2
Description of Red Flag: Notice of a credit freeze in response to a request for a consumer report
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 3
Description of Red Flag: Consumer reporting agency provides a notice of address discrepancy
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 4
Description of Red Flag: Unusual credit activity, such as an increased number of accounts or inquiries
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 5
Description of Red Flag: Document provided for identification appears to be altered or forged
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 6
Description of Red Flag: Photograph on identification is inconsistent with the appearance of the customer
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 7
Description of Red Flag: Information on identification is inconsistent with information provided by the person opening the account
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 8
Description of Red Flag: Information on identification (such as signature) is inconsistent with existing information on file
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 9
Description of Red Flag: Application appears to be forged, altered or destroyed and reassembled
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 10A
Description of Red Flag: Information on identification does not match the address in a consumer report or existing system or application
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 10B
Description of Red Flag: Social security number provided by customer has not been issued or appears on the Social Security Administrator’s Death Master File
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 11
Description of Red Flag: Range in the social security number does not correlate to the date of birth
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 12
Description of Red Flag: Personal identifying information has been associated with known fraud activity
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 13
Description of Red Flag: Suspicious address is supplied, such as a mail drop or prison or phone numbers associated with pagers or answering service
Examples of Detection Mechanisms*: Payment sent by mail statement indicates suspicious change of address or phone number
Employee Action Steps:
1) Call the customer to verify change
2) If the change is valid, proceed with change
3) If the change appears to be suspicious, report the incident to supervisor
Supervisor Action Steps:
1) Collect and retain any documents for potential evidence
2) Report the incident to University Police as appropriate
3) Report any financial fraud per the Financial Fraud Reporting Policy

Red Flag ID #: 14
Description of Red Flag: Social security number provided matches that submitted by another person opening an account or other customers
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 15
Description of Red Flag: An address or phone number matching that supplied by a large number of applicants
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 16
Description of Red Flag: Person opening the account is unable to supply identifying information in response to notification that an application is incomplete
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 17
Description of Red Flag: Personal information is inconsistent with information already on file
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 18
Description of Red Flag: Person opening an account or customer is unable to correctly answer challenge questions
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 19
Description of Red Flag: Shortly after change of address is received, receive request for additional users of the account
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 20
Description of Red Flag: Most of the available credit is used for cash advances, jewelry or electronics and/or customer fails to make first payment
Examples of Detection Mechanisms*: First payment is missed on account
Employee Action Steps:
1) If first payment is missed, review the application to verify that the account is not fraudulent
2) If the application detects fraudulent activity, report the incident to supervisor
Supervisor Action Steps:
1) Collect and retain any documents for potential evidence
2) Report the incident to University Police as appropriate
3) Report any financial fraud per the Financial Fraud Reporting Policy

Red Flag ID #: 21
Description of Red Flag: Drastic changes in payment patterns, use of available credit or spending patterns
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 22
Description of Red Flag: An account that has been inactive for a lengthy time suddenly exhibits unusual activity
Employee Action Steps: Not applicable
Supervisor Action Steps: Not applicable

Red Flag ID #: 23
Description of Red Flag: Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account
Employee Action Steps:
1) Call the customer to verify address
2) If the change is valid, proceed with change
3) If the change appears to be suspicious, report the incident to supervisor
Supervisor Action Steps:
1) Collect and retain any documents for potential evidence
2) Report the incident to University Police as appropriate
3) Report any financial fraud per the Financial Fraud Reporting Policy

Red Flag ID #: 24
Description of Red Flag: Customer indicates that they are not receiving paper account statements
Examples of Detection Mechanisms*: Customer did not receive their statement
Employee Action Steps:
1) Verify address with customer
2) If the customer states that the address on file is incorrect, then verify the customer’s personal identification and obtain correct address from customer. If information cannot be verified, report the incident to supervisor.
3) If the customer states that the address on file is correct, refer the customer to the US Postal Service for further investigation
Supervisor Action Steps:
1) Collect and retain any documents for potential evidence
2) If the customer cannot produce verifying information, report the incident to University Police as appropriate
3) Report any financial fraud per the Financial Fraud Reporting Policy

Red Flag ID #: 25
Description of Red Flag: Customer notifies that there are unauthorized charges or transactions on customer’s account
Examples of Detection Mechanisms*: Upon receiving their statement, the customer notices unauthorized charges or transactions
Employee Action Steps:
1) Review statement transactions with customer in order to verify that the transactions were fraudulent
2) If the employee believes the transaction to be fraudulent, employee reports the incident to supervisor
Supervisor Action Steps:
1) Collect and retain any documents for potential evidence
2) Report the incident to University Police as appropriate
3) Report any financial fraud per the Financial Fraud Reporting Policy

Red Flag ID #: 26
Description of Red Flag: Institution notified that it has opened a fraudulent account for a person engaged in identity theft
Employee Action Steps:
1) Review statement transactions with customer in order to verify that the transactions were fraudulent
2) If the transaction appears to be fraudulent, report the incident to supervisor
Supervisor Action Steps:
1) Collect and retain any documents for potential evidence
2) Report the incident to University Police as appropriate
3) Report any financial fraud per the Financial Fraud Reporting Policy

Red Flag ID #: 27
Description of Red Flag: Other
Employee Action Steps:
1) If the transaction appears to be fraudulent, report the incident to supervisor
Supervisor Action Steps:
1) Collect and retain any documents for potential evidence
2) Report the incident to University Police as appropriate
3) Report any financial fraud per the Financial Fraud Reporting Policy

Manager's Checklist

Note: All of the following steps should be reviewed on an annual basis. For more information about the university red flags policy and guidelines go to Policy 5.16 Identity Theft Red Flags Policy.

  1. Review internal processes where goods, services or credit are provided to customers and implement the guidelines as necessary.
    1. Develop a compliance plan for your college or department to meet the requirements of the university red flags policy. Determine which of the 26 red flags apply to your business practices and which of the university red flag guidelines you should incorporate into your plan.
    2. Your compliance plan should begin with an assessment of your current business practices. Identify areas in your business processes where there is risk for identity theft to occur.

    3. Consider the types of accounts and the number of ways those accounts are created or assessed. Have you been defrauded before by someone using stolen information? How was it done? Are they process or technology based?

    4. The compliance plan should include details such as roles and responsibilities of each staff member.

  2. Update internal control structure or standard operating procedures as appropriate to reflect university guidelines.
    1. Determine the risk associated with each of your business processes.
    2. Determine whether you have proper controls in place or whether you should add some. Do gaps exist in your business procedures to identify individuals establishing university accounts? Do your procedures require a customer to present a photo identification to establish an account?

    3. Your compliance plan may incorporate documenting and reinforcing many of your existing controls.

  3. Annually review internal processes, control structures and standard operating procedures for continued compliance with guidelines.
    1. The updates should document the action steps as defined in the Identity Theft Red Flags guidelines and how these guidelines will be applied within your unit.
    2. Don't forget to update any internal training manuals or other materials.

  4. Identify employees who must complete training and ensure that training is completed in BuckeyeLearn.
    1. Ensure that your staff receives the necessary training. This includes training on the unit's internal processes as well as taking the online red flags training. Make sure that you and your staff are familiar with university policies related to protecting identifying information.
    2. New employees will need to complete this training within two weeks of their hire date.

Questions regarding the policy and training should be directed to the University Bursar (internalbursar@osu.edu).


Cash Management Regulations


The U.S. Department of Education published cash management regulations (34 CFR 668.161-167) via the Federal Register on October 30, 2015. This web page is published to comply with these regulatory reporting requirements.

Any United States bank account may be used for your student refund via direct deposit. Ohio State has partnered with Huntington National Bank; however, opening a Huntington account is voluntary and is not required to receive any Ohio State services, including direct deposit. No preferential treatment is given to Huntington account holders. For a listing of Huntington account options, including features and fees, please visit https://www.huntington.com/personal/checking. The agreement allows the BuckID Card to be linked to a Huntington banking account as a choice and provides additional optional banking as a convenience.

In compliance with the Department of Education cash management regulations, the following information was provided by Huntington National Bank to The Ohio State University and is in regards to the number of Ohio State students who had a Huntington Asterisk-Free checking account open at any time during the most recently completed award year and the mean and median of the actual costs incurred by Ohio State students who have Huntington Financial Account(s).

Award Year Ending June 30, 2023

Huntington National Bank  

Category | Data
Student Accounts | 16,418
Mean Student Cost | $1.20
Median Student Cost | $0.00
Total Consideration | $0.00

**OSU Student accounts = consumer Asterisk-Free checking account, primary owner 18-24 (at reporting month), household match to OSU student file


Please visit Huntington's Asterisk-Free Checking Account for more information.
