Original Issuance Date: November 27, 2019
Last Revision Date: November 27, 2019
1. Purpose of Procedures
This procedure outlines the processes through which changes to employee bank (direct deposit) and contact information in the UW System’s human resource systems are to be verified in compliance with UW System Administrative Policy 363, Change Requests of Bank and Contact Information.
While due care must be exercised whenever changes are made to an employee’s bank account or contact information, the specific procedures outlined below are not intended for the following circumstances:
• Changes initiated by previously approved systems or partners following regular operational processes, such as changes requested by a bank through a regular pre-note process.
• Changes initiated by the institution, such as updating information due to a returned mailing or a rejected ACH payment.
• Contact information changes for terminated employees where there is no longer a risk of fraudulent payments tied to the contact information changes.
2. Responsible UW System Officer
Vice President for Administration
Contact Information: Mailing/postal address, phone numbers, and e-mail addresses for UW System students, employees, and suppliers.
Out-of-Band Verification: A process where validation of changes requires a secondary verification method through a separate communication channel or network.
Multi-Factor Authentication (MFA): A security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction. These types of credentials typically fall into three categories: something you know, such as a PIN or password; something you have, such as a one-time passcode generator, token, or smart card; or something you are, such as a fingerprint or other biometric.
When UW System staff receive requests to change bank (direct deposit) or contact information for an employee, they must verify the requestor’s identity matches the employee’s identity or the identity of someone otherwise authorized to make changes to the employee record. These controls are intended to ensure inappropriate changes are not made and to help prevent fraudulent payments.
Where possible, UW System institutions should first encourage employees to make all direct deposit and contact information changes through employee self-service. MFA present on the human resource system application provides effective protection for self-service changes.
For requests received in person, staff must check at least one form of valid picture identification. Valid identification documents include the UW System institution-issued identity card or any document containing a photo that is on List A or List B of the U.S. Citizenship and Immigration Services form I-9.
For requests received through fax or email, staff must conduct an out-of-band verification of the requestor’s identity. This means the verification steps must be independent of the change request received.
Examples of valid out-of-band verification:
- Call the employee using the campus-issued phone number.
- Email the employee at their MFA-protected email address.
- Conduct a video chat with the employee to review their valid picture identification documents.
Examples of actions which do not qualify as out-of-band verification:
- Call the number listed in an email received to request change of direct deposit or contact information without verifying the number elsewhere.
- Reply back to the e-mail received to request change of direct deposit or contact information.
- Email the employee at their campus email address if the institutional email is not protected by MFA.
- Call the employee using the personal contact information stored within the human resources system when that information has been updated within the last 6 months.
- Any contact over personal email.
In all staff-facilitated changes to direct deposit or contact information, the steps taken to verify the requestor’s identity must be documented. The verification documentation must indicate what actions were performed, who performed the verification, date of verification, who was contacted, and an indication of verification outcome. If the verification is positive, this documentation along with copies of all forms and correspondence must be stored in the employee’s payroll file. If the verification is negative, this documentation along with copies of all forms and correspondence should be provided to the campus police. Additionally, UW System Shared Services Affinity Group should be notified of the fraud attempt.
If an e-mail is received requesting contact information or direct deposit changes, an electronic copy must be saved at the institution level to preserve the metadata in the event that the email is later deemed to be a fraudulent request.
5. Related Documents
First approved: November 27, 2019