This article shall be known as the "Identity Theft Prevention
Program."
For purposes of this article, the following definitions apply.
[NOTE: Other than "City" and "personal identifying information," definitions
provided in this section are based on the definitions provided in
16 CFR § 681.2.]:
CITY
The City of Rockwood.
COVERED ACCOUNT
A.
An account that a financial institution or creditor offered
or maintains, primarily for personal, family, or household purposes,
that involves or is designed to permit multiple payments or transactions,
such as a credit card account, mortgage loan, automobile loan, margin
account, cell phone account, utility account, checking account, or
savings account; and
B.
Any other account that the financial institution or creditor
offers or maintains for which there is a reasonably foreseeable risk
to customers or to the safety and soundness of the financial institution
or creditor from identity theft, including financial, operational,
compliance, reputation, or litigation risks.
CREDIT
The right granted by a creditor to a debtor to defer payment
of debt or to incur debts and defer its payment or to purchase property
or services and defer payment therefor.
CREDITOR
Any person who regularly extends, renews, or continues credit;
any person who regularly arranges for the extension, renewal, or continuation
of credit; or any assignee of an original creditor who participates
in the decision to extend, renew, or continue credit and includes
utility companies and telecommunications companies.
CUSTOMER
A person that has a covered account with a creditor.
IDENTITY THEFT
A fraud committed or attempted using identifying information
of another person without authority.
PERSON
A natural person, a corporation, government or governmental
subdivision or agency, trust, estate, partnership, cooperative, or
association.
PERSONAL IDENTIFYING INFORMATION
A person's credit card account information, debit card
information, bank account information and driver's license information
and for a natural person includes his or her social security number,
mother's birth name, and date of birth.
RED FLAG
A pattern, practice, or specific activity that indicates
the possible existence of identity theft.
All employees responsible for or involved in the process of
opening a covered account, restoring a covered account or accepting
payment for a covered account shall check for red flags as indicators
of possible identity theft and such red flags may include:
A. Alerts from consumer reporting agencies, fraud detection agencies
or service providers. Examples of alerts include but are not limited
to:
(1) A fraud or active duty alert that is included with a consumer report;
(2) A notice of credit freezes in response to a request for a consumer
report;
(3) A notice of address discrepancy provided by a consumer reporting
agency;
(4) Indications of a pattern of activity in a consumer report that is
inconsistent with the history and usual pattern of activity of an
applicant or customer, such as:
(a)
A recent and significant increase in the volume of inquiries;
(b)
An unusual number of recently established credit relationships;
(c)
A material change in the use of credit, especially with respect
to recently established credit relationships; or
(d)
An account that was closed for cause or identified for abuse
of account privileges by a financial institution or creditor.
B. Suspicious documents. Examples of suspicious documents include:
(1) Documents provided for identification that appears to be altered
or forged;
(2) Identification on which the photograph or physical description is
inconsistent with the appearance of the applicant or customer;
(3) Identification on which the information is inconsistent with information
provided by the applicant or customer;
(4) Identification on which the information is inconsistent with a readily
accessible information that is on file with the financial institution
or creditor, such as a signature card or a recent check; or
(5) An application that appears to have been altered or forged, or appears
to have been destroyed and reassembled.
C. Suspicious personal identification, such as suspicious address change.
Examples of suspicious identifying information include:
(1) Personal identifying information that is inconsistent with external
information sources used by the financial institution or creditor.
For example:
(a)
The address does not match any address in the consumer report;
or
(b)
The social security number (SSN) has not been issued, or is
listed on the Social Security Administration's Death Master File.
(2) Personal identifying information provided by the customer is not
consistent with other personal identifying information provided by
the customer, such as a lack of correlation between the SSN range
and date of birth.
(3) Personal identifying information or a phone number or address is
associated with known fraudulent applications or activities as indicated
by internal or third-party sources used by the financial institution
or creditor.
(4) Other information provided, such as fictitious mailing address, mail
drop addresses, jail addresses, invalid phone numbers, pager numbers
or answering services, is associated with fraudulent activity.
(5) The SSN provided is the same as that submitted by other applicants
or customers.
(6) The address or telephone number provided is the same as or similar
to the account number or telephone number submitted by an unusually
large number of applicants or customers.
(7) The applicant or customer fails to provide all required personal
identifying information on an application or in response to notification
that the application is incomplete.
(8) Personal identifying information is not consistent with personal
identifying information that is on file with the financial institution
or creditor.
(9) The applicant or customer cannot provide authenticating information
beyond that which generally would be available from a wallet or consumer
report.
D. Unusual use of or suspicious activity relating to a covered account.
Examples of suspicious activity include:
(1) Shortly following the notice of a change of address for an account,
the City receives a request for the addition of authorized users on
the account.
(2) A new revolving credit account is used in a manner commonly associated
with known patterns of fraud patterns. For example:
(a)
The customer fails to make the first payment or makes an initial
payment but no subsequent payments.
(3) An account is used in a manner that is not consistent with established
patterns of activity on the account. There is, for example:
(a)
Nonpayment when there is no history of late or missed payments;
(b)
A material change in purchasing or spending patterns.
(4) An account that has been inactive for a long period of time is used
(taking into consideration the type of account, the expected pattern
of usage and other relevant factors).
(5) Mail sent to the customer is returned repeatedly as undeliverable
although transactions continue to be conducted in connection with
the customer's account.
(6) The City is notified that the customer is not receiving paper account
statements.
(7) The City is notified of unauthorized charges or transactions in connection
with a customer's account.
(8) The City is notified by a customer, law enforcement or another person
that it has opened a fraudulent account for a person engaged in identity
theft.
E. Notice from customers, law enforcement, victims or other reliable
sources regarding possible identity theft or phishing relating to
covered accounts.
The City Council shall annually review and, as deemed necessary
by the Council, update the Identity Theft Prevention Program along
with any relevant red flags in order to reflect changes in risks to
customers or to the safety and soundness of the City and its covered
accounts from identity theft. In so doing, the City Council shall
consider the following factors and exercise its discretion in amending
the program:
A. The City's experiences with identity theft;
B. Updates in methods of identity theft;
C. Updates in customary methods used to detect, prevent, and mitigate
identity theft;
D. Updates in the types of accounts that the City offers or maintains;
and
E. Updates in service provider arrangements.
The City Administrator is responsible for oversight of the program
and for program implementation. The City Administrator is responsible
for reviewing reports prepared by staff regarding compliance with
red flag requirements and with recommending material changes to the
program, as necessary in the opinion of the City Administrator, to
address changing identity theft risks and to identify new or discontinued
types of covered accounts. Any recommended material changes to the
program shall be submitted to the City Council for consideration by
the Council.
A. The City Administrator will retain an annual report on compliance
with the red flag requirements. The report will address material matters
related to the program and evaluate issues such as:
(1) The effectiveness of the policies and procedures of the City in addressing
the risk of identity theft in connection with the opening of covered
accounts and with respect to existing covered accounts;
(2) Service provider arrangements;
(3) Significant incidents involving identity theft and management's
response; and
(4) Recommendations for material changes to the program.
B. The City Administrator is responsible for providing training to all
employees responsible for or involved in opening a new covered account,
restoring an existing covered account or accepting payment for a covered
account with respect to the implementation and requirements of the
Identity Theft Prevention Program. The City Administrator shall exercise
his or her discretion in determining the amount and substance of training
necessary.
In the event that the City engages a service provider to perform
an activity in connection with one or more covered accounts, the City
Administrator shall exercise his or her discretion in reviewing such
arrangements in order to ensure, to the best of his or her ability,
that the service provider's activities are conducted in accordance
with policies and procedures, agreed upon by contract, that are designed
to detect any red flags that may arise in the performance of the service
provider's activities and take appropriate steps to prevent or
mitigate identity theft.