Policy

Original Issuance Date: August 20, 2019
Last Revision Date: March 29, 2023

1. Policy Purpose

The purpose of this policy is to establish standard processes for verifying student, employee, and supplier contact and bank account information when change requests are received.

2. Responsible UW System Officer

Senior Associate Vice President for Finance

3. Scope

This policy applies to all student, employee, and supplier contact and bank account information, regardless of the University of Wisconsin (UW) System institution that maintains this information.

4. Background

In the past, payment fraud typically involved checks, where people perpetrating the fraud intercepted checks or falsely reported address changes to have checks redirected to them. While this type of fraudulent activity continues, there are reported increases in payment fraud via wire transfers and automated clearing house transactions. These activities may involve changes in bank account information and are concerning due to the speed with which funds can be transferred and become unrecoverable.

In addition, fraudulent schemes are becoming more sophisticated, using data available on public websites, such as contract numbers, to make the fraudulent activity more believable and the compromise of business email systems more difficult to detect.

5. Definitions

Contact Information: Mailing/postal addresses, phone numbers, and email addresses for UW System students, employees and suppliers.

Multi-Factor Authentication (MFA): A security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. These types of credentials typically fall into three categories: something you know, such as a PIN or password; something you have, such as a one-time passcode generator, token or smart card; or something you are, such as a fingerprint or other biometric.

Out-of-Band Verification: A process where validation of a change requires a secondary verification method through a separate communication channel or network.

6. Policy Statement

UW institutions must ensure adequate controls are in place when changes are made to student, employee, and supplier contact and bank account information. These controls are intended to ensure inappropriate changes are not made and to help prevent fraudulent payments.

When self-service functionality is used, and students and employees are able to change information within a UW student information or payroll/benefit system, the UW institution must employ multi-factor authentication mechanisms. For supplier self-service functionality, the supplier is responsible for adequately protecting their access and passwords to the UW System.

When UW staff receive and enact the contact and/or bank account changes for someone else or a supplier, out-of-band verification is required. For example, when a UW institution receives a request via email to change a student’s bank account, the institution must verify the student’s identity by having the student present a legally-accepted identification card in person or call the student using contact information obtained from its student information system.

UW System Administration will develop written procedures for out-of-band verification for the UW System’s shared financial and payroll/benefits systems. For student information systems and any other system containing contact and bank account information, each institution must develop written procedures for how out-of-band verification will be completed at the local level. These procedures may differ by operational area, type of information, and system used within an institution.

7. Related Documents

None

8. Policy History

Revision 2: March 29, 2023
Revision 1: November 11, 2022
First Approved: August 20, 2019

9. Scheduled Review

August 2028