Approved by the President
Jan. 21, 2014
Questions related to the daily operational interpretation of this policy should be directed to the Internal Control Analyst or Controller.
Questions related to PCI Compliance should be directed to the IT Security Administrator.
Business and Finance Policies
Collection of funds of any kind for SUNY Oneonta-related activities must be pre-approved by the Finance and Administration Office and appropriate procedures must be followed. All funds collected must be deposited into appropriate accounts before they can be used for any purpose. Specific accounts and procedures will be assigned by the Finance and Administration Office based on the source, use, and ownership of the funds to be collected.
SUNY Oneonta is required to maintain an effective system of internal controls in order to provide reasonable assurance that its assets are accounted for and protected and to minimize risk. Cash handling and payment collection are activities that naturally carry a considerable risk of errors, loss, mishandling, and fraudulent activity. Providing, requiring, and testing adherence to clear, precise control policies and procedures is the most effective way to protect employees and resources, and to minimize the risk inherent in cash handling and payment collection.
Applicability of the Policy:
This policy applies to all SUNY Oneonta departments, employees, and students who participate in the collection, transmission, deposit, and/or reconciliation of funds (i.e. currency, checks, money orders, Dragon Dollars, credit/debit card or other electronic transactions) in support of any SUNY Oneonta-related activity. It does NOT apply to the collection of funds for non-SUNY Oneonta or non-State purposes such as:
- Alumni Association activities
- Foundation activities
- Student Association activities
(Note: The above entities provide their own cash handling and payment collection policies)
- Voluntary collections from and for the benefit of employees (i.e. coffee, water, “sunshine” funds, etc.)
Authorization to Collect Cash or Other Payments
Before beginning payment collection, the Finance and Administration Office must review the proposed activity and will assist the individual or department in developing control procedures and identifying the proper accounts to be used. This will ensure that funds are directed to the correct IFR or Agency Account and that the appropriate internal controls are in place to manage collection, deposit, and expenditure of funds. Items to be considered include activity for which payments are collected; payment types accepted; provisions for providing receipts; and secure handling, transmission, deposit, and expenditure of funds.
The following collection and expenditure activities are prohibited:
- SUNY Oneonta employees are not permitted to collect or hold funds privately or to open accounts, as individuals or on behalf of SUNY Oneonta, for collection or deposit of funds related to SUNY Oneonta activities. This includes cash boxes, bank accounts, electronic payment services, or any other form of storage of funds.
- SUNY Oneonta employees are not permitted to make direct expenditures from funds collected. All funds collected must be deposited into appropriate accounts. All expenditures must be requested through appropriate procedures.
Transmission of Funds to Central Payment Location
All funds collected must be transmitted to the appropriate central payment location. Student Accounts serves as the central payment location for most deposits. Funds to be deposited to certain OAS Agency Accounts may be delivered directly to OAS. The appropriate account and procedure will be determined when the payment collection activity is authorized by the Finance & Administration Office.
Payment Card Industry Compliance
All locations on campus that accept, handle, or process credit card payments are required to conform to Payment Card Industry (PCI) standards to ensure that processing, storage, and transmission of credit card information takes place in a secure environment. Further, vendors that provide card payment services on behalf of SUNY Oneonta departments must document that their services are PCI compliant. Assistance with PCI compliance is available through the Finance & Administration Office from the IT Security Administrator.
Records Retention and Review
All parties responsible for payment collection must retain records according to the timeframes established by the SUNY and New York State records retention schedules (typically six full fiscal years). Records must be available for audit and/or review at the direction of the Finance & Administration Office. Periodic reviews will be conducted by SUNY Oneonta's Internal Control Office to ensure compliance and to provide assistance in improving procedures. Audits may also be conducted by external agencies as required.
Agency Account: an account held by Oneonta Ancillary Services (OAS) as the custodial agent for the benefit of students, faculty and staff members relative to SUNY Oneonta-related activities that are not supported by State funds. Examples include faculty-led off-campus course travel expenses, conference registration fees for campus-hosted conferences, and student activity fees.
Central Payment Location: the office responsible for depositing collected funds to the approved IFR or Agency Account.
IFR Account: a self-supporting state account that generates revenue to support its expenditures.
PCI Compliance: a set of data security standards required by the Payment Card Industry to ensure that processing, storage, and transmission of credit card information takes place in a secure environment.
Payment Collection Location: any office that has been approved to collect funds pertaining to SUNY Oneonta-related activity.