Red Flag Policy

Last Modified: May 31st 2018

Purpose of this Policy

The Federal Trade Commission (“FTC”) has issued regulations, now generally referred to as the “Red Flags Rule” (“Rule”), which require certain institutions and creditors to adopt policies and procedures that protect consumers from identity theft. “Red Flags” are defined by the Rule as patterns, practices, or activities that indicate the possibility of identity theft.

ID123 is neither a “financial institution” nor a “creditor” under the Rule because we do not advance funds to persons in connection with loan programs. When an institution such as a school or university contracts with us under a paid plan, we become an entity acting for the institution in the performance of functions that an institutional employee otherwise would perform. We, therefore, participate in each applicable institution’s Identity Theft Prevention Program (“Program”) and have also implemented our own Program to identify, prevent and mitigate identity theft in compliance with the Rule.

Policy

It is the policy of ID123 to enable our institutional customers to comply with the requirements of the Rule to identify, prevent, and mitigate identity theft. Each institution based in the U.S. that has “covered accounts” should have a Program in place which is tailored to its size, complexity and the nature of its operations. It is the policy of ID123 to maintain our own processes to also identify and detect relevant Red Flags, train employees and contractors to identify and respond to Red Flags, respond appropriately to prevent Identity Theft and mitigate damages, and ensure that our processes are updated periodically as our software and services evolve, all without affecting the privacy of our institutional customers’ data or end-user data. It is also our policy to provide a means by which end users can report identity theft to us in a safe and secure manner.

Scope of this Policy

This Policy applies to all ID123 employees, subcontractors, and agents who are involved in handling information that can be used to identify a specific person in connection with a Covered Account.

Policy Definitions

“Creditor” means any natural person, corporation or other entity that regularly, and in the ordinary course of business advances funds to or on behalf of a person based on an obligation to repay the funds or repayable from specific property pledged by the person.

“Covered Account” means an account that is (1) primarily for personal, family or household purposes and is designed to permit multiple payments or transactions, or (2) any account that is subject to a reasonably foreseeable risk of identity theft.

“Identifying Information” means any name or number that may be used alone or in conjunction with any other information to identify a specific person, including: name, address, telephone number, social security number, date of birth, driver’s license or identification number, alien registration number, passport number, employer or taxpayer identification number.

“Identity Theft” means a fraud committed or attempted using the identifying information of another person without authority.

“Red Flag” is a pattern, practice or specific activity that indicates the potential for Identity Theft.

“Program Administrator” is the individual designated to have primary responsibility for oversight of the Program.

ID123 Program

The Identity Theft Prevention Program

Identification

To identify relevant Red Flags, ID123 considers the types of institution; the data that we maintain for the institution; the methods we provide institutions to open, access and administer their ID card data; and the functionality made available by the institution to end users in our mobile applications.

Goals

We strive to prevent:

  • Fraudulent Institutional accounts from being created
  • Fraudulent administrators accessing an IDMS account
  • Fraudulent app users or devices accessing another app user’s account
  • Fraudulent creation or modification of Digital ID cards by institutions
  • Fraudulent creation or modification of Digital ID cards by app users
  • Fraudulent use, duplication or sharing of ID cards by app users
  • Exchanging data from the app to fraudulent third parties

Preventing Identity Theft

App User Notifications & Safeguards

Issuers are required by law to have a process in place to notify Covered Accounts of physical address changes and requests for additional or duplicate physical cards. This is because physical cards are mailed to the physical address on file for that Covered Account. However, digital ID cards within ID123 are linked to a person through their confirmed email address and phone number. We therefore automatically notify each mobile application user, at their email address, of any new device logging into their account and having access to their digital ID cards. We also notify mobile application users of any change requested to their account’s registered email address and phone number. We require that any change in the email address or phone number go through a double confirmation process with both the old and new email addresses to confirm the change.

Institution Notices

When adding a card to an account, mobile application users are notified that we may submit their identity and device data to the institution issuing the card to verify their identity and to prevent identity theft. We provide options to Institutions to receive notifications of changes to accounts with their ID cards installed. This notification will enable them to know when new cards are duplicated, new devices are added or certain information has changed. The institution can then determine their obligations to investigate.

IDMS Administrator Safeguards

Institutions manage their IDMS (ID Management System) and are solely responsible for the account administrators they invite to manage the account and the accuracy of the data they add, edit, modify or delete from their account. The invitation process uses a two-factor activation in order to confirm the email address of the invitee. Institutions can revoke any administrator’s access to the IDMS instantly from within the IDMS. Roles are given to each administrator so that access can be configured only by those with more privilege. ID123 will keep a log of most actions taken by each administrator. An email notification is sent to IDMS administrators when a new administrator is added or an existing administrator is removed from the system.

Institutional Existence

When a mobile app user wants to add their digital ID card to the mobile application, we create the Institution in our system and card templates for the type of card (i.e., Student, Parent, Employee, Member, etc.) being requested. During this process, we make commercially reasonable efforts to check for the existence of the Institution being requested. This oftentimes requires us to request additional supporting information from the requestor. Because the card data is being manually added by the mobile app user, either through a scan or typed in, we are not able to authenticate the card in question. To prevent misuse, we do not display a ‘verified’ symbol on a card of an institution that has not been authenticated, so that it can be distinguished from an institution that has claimed and authenticated their account and issued their card to the user.

Institutional Authority

When a person claims to represent an institution and wants to create or claim an account, we take steps to authenticate their request and authority. We will compare their submitted information with known databases and request additional attestations. We continually review our procedures for authenticating IDMS ownership and authority.

What we look out for

Suspicious Documents: 

Presentation of suspicious documents which appear to be altered, forged or inauthentic, including an inconsistent appearance of photographs or physical description on a document with the person presenting it.

Suspicious Personal Identifying Information: 

Presentation of inconsistent personal identifying information such as:

  • Inconsistent profile identity data submitted
  • An address that does not match a prior address submitted
  • A telephone number or email address that is used by another account holder
  • Repeated failure to provide complete identifying information
  • Multiple failed facial recognition attempts

Suspicious Use of the Mobile Application

Including but not limited to:

  • Non-institutional email used
  • Too many cards installed in an account
  • Cards which are installed in more than 1 account
  • Material Changes to the Identity (i.e., Name)
  • Material Number of Changes to the Account
  • Number of devices the card is installed on
  • Country differences between the device and the institutions’ cards

Our Reporting and responding

Reporting: 

We investigate and report suspected identity theft to the institution issuing the credentials so that they can investigate and respond appropriately according to their Program. We provide institutions with the ability to suspend or remove credentials instantly from devices where identity theft is suspected, and we provide the contact information of the app user which has been authenticated. If we find that identity theft has been committed by an app user with multiple cards, we may also notify the other institutions so they can investigate as well.

There are various types of identity theft we report including but not limited to:

  • Suspected unauthorized installation of an ID Card linked to someone else’s identity.
  • Suspected unauthorized use of an ID Card linked to someone else’s identity.
  • Suspected tampering with an ID Card’s cryptography.
  • Suspected use of another person’s photo for a person’s own identity.
  • Suspected use of another person’s information for a person’s own identity.
  • Suspected unauthorized claim of authority to an app user account or institutional account.
  • Suspected creation of a false identity with the intent to use it fraudulently.