[Ord. No. 1618 §1, 10-20-2008; Ord. No. 1657 §1, 11-2-2009]
A. The
City of Oak Grove, Missouri (the "Utility") has developed this Identity
Theft Prevention Program ("Program") pursuant to the Federal Trade
Commission's ("FTC") Red Flag Rule, which implements Section 114 of
the Fair and Accurate Credit Transaction Act of 2003, pursuant to
16 C.F.R. Section 681.2. This Program is designed to detect, prevent
and mitigate identity theft in connection with the opening and maintenance
of certain utility accounts. For purposes of this Program, "identity theft" is considered to be "fraud committed using
the identifying information of another person". The accounts addressed
by the Program (the "accounts") are defined as:
1. A continuing relationship the Utility has with an individual through
an account the Utility offers or maintains primarily for personal,
family or household purposes, that involves multiple payments or transactions;
and
2. Any other account the Utility offers or maintains for which there
is a reasonable foreseeable risk to customers or to the safety and
soundness of the Utility from identity theft.
|
This Program was developed with oversight and approval of the
Board of Aldermen. After consideration of the size and complexity
of the Utility's operations and account systems, and the nature and
scope of the Utility's activities, the Board of Aldermen determined
that this Program was appropriate for the City of Oak Grove, Missouri
and therefore approved this Program on October 20, 2008.
|
[Ord. No. 1618 §1, 10-20-2008; Ord. No. 1657 §1, 11-2-2009]
As used in this Article, the following terms shall have these
prescribed meanings:
CREDIT
The right granted by a creditor to a debtor to defer payment
of debt or to incur debts and defer its payment or to purchase property
or services and defer payment thereof.
CREDITORS
Any person who regularly extends, renews, or continues credit;
any person who regularly arranges for the extension, renewal, or continuation
of credit; or any assignee of an original creditor who participates
in the decision to extend, renew, or continue credit.
CUSTOMER
A person that has a covered account with a financial institution
or creditor.
IDENTIFYING INFORMATION
Any name or number that may be used, alone or in conjunction
with any other information, to identify a specific person, including
any:
1.
Name, social security number, date of birth, official State
or government issued driver's license or identification number, alien
registration number, government passport number, employer or taxpayer
identification number;
2.
Unique biometric data, such as fingerprint, voice print, retina
or iris image, or other unique physical representation;
3.
Unique electronic identification number, address, or routing
code; or
4.
Telecommunication identifying information or access device (as
defined in 18 U.S.C. 1029(e)).
IDENTITY THEFT
Any fraud committed or attempted using the identifying information
of another person without authority.
RED FLAG
A pattern, practice, or specific activity that indicates
the possible existence of identity theft.
SERVICE PROVIDER
A person that provides a service directly to the financial
institution or creditor.
[Ord. No. 1618 §1, 10-20-2008; Ord. No. 1657 §1, 11-2-2009]
A. In
order to identify relevant red flags, the Utility considered risk
factors such as the types of accounts that it offers and maintains,
the methods it provides to open its accounts, the methods it provides
to access its accounts, and its previous experiences with identity
theft. Access to accounts and any identifying information is limited
to Utility personnel that will respond to the customer's request.
The Utility identified the following red flags in each of the listed
categories:
1. Suspicious documents. Possible red flags for this
category include:
a. Receiving documents that are provided for identification that appear
to be forged or altered;
b. Receiving documentation on which a person's photograph or physical
description is not consistent with the person presenting the documentation;
c. Receiving other documentation with information that is not consistent
with existing customer information (such as if a person's signature
on a check appears forged); and
d. Receiving an application for service that appears to have been altered
or forged.
2. Suspicious personal identifying information. Possible
red flags for this category include:
a. A person's identifying information is inconsistent with other sources
of information (such as an address not matching an address on a consumer
report or a social security number ("SSN") that was never issued);
b. A person's identifying information is inconsistent with other information
the customer provides (such as inconsistent SSNs or birth dates);
c. A person's identifying information is the same as shown on other
applications found to be fraudulent;
d. A person's identifying information is consistent with fraudulent
activity (such as an invalid phone number or fictitious billing address;
or phone number is associated with a pager or answering service);
e. A person's SSN is the same as another customer's SSN;
f. A person's address or phone number is the same as that of another
person;
g. A person fails to provide complete personal identifying information
on an application when reminded to do so; and
h. A person's identifying information is not consistent with the information
that is on file for the customer.
i. The use of challenge questions, the person opening the covered account
or the customer cannot provide authenticating information beyond that
which generally would be available from a wallet or consumer report.
3. Unusual use of or suspicious activity related to an account. Possible red flags for the category include:
a. A change of address for an account followed by a request to change
the account holder's name or add other parties;
b. A new account is used in a manner consistent with fraud (such as
the customer failing to make the first (1st) payment, or making the
initial payment and no other payments);
c. An account being used in away that is not consistent with prior use
(such as late or no payments when the account has been timely in the
past);
d. Mail sent to the account holder is repeatedly returned as undeliverable;
e. The Utility receives notice that a customer is not receiving his
paper statements; and
f. The Utility receives notice that an account has unauthorized activity.
g. The Utility receives notice that its computer system has unauthorized
activity.
h. The Utility's plan to take steps with certain data it maintains that
contains customer information is not being carried out in accordance
with established policy (such as destroying computer files).
4. Notice regarding possible identity theft. Possible
red flags for this category include: The Utility receives notices
from a customer, an identity theft victim, law enforcement or any
other person that it has opened or is maintaining a fraudulent account
for a person engaged in identity theft.
[Ord. No. 1618 §1, 10-20-2008; Ord. No. 1657 §1, 11-2-2009]
A. New Accounts. In order to detect any of the red flags identified
above with the opening of a new account, Utility personnel will take
the following steps to obtain and verify the identity of the person
opening the account:
1. Require certain identifying information such as name, date of birth,
residential or business address, principal place of business for an
entity, SSN, driver's license or other identification with each application
for service;
2. Verify the customer's identity, such as by copying and reviewing
a driver's license or other identification card;
3. Review documentation showing the existence of a business entity (such
as the Articles of Incorporation, Bylaws, Annual Report and/or verify
the business entity is authorized to do business in Missouri with
the Missouri Secretary of State); and
4. Follow-up phone and/or address contact with the customer (such as
sending a letter confirming the Utility service requested; or periodically
ask customer to verify all identifying information is correct).
5. Customers can use a major credit card to pay for utility services,
park fees, court fees and other utility fees and/or services. Credit
card payments must be made in person at City Hall. If a customer pays
for any service or fee by credit card and in-person at City Hall,
Utility personnel will verify the credit card of the customer by requiring
another form of identification (i.e., driver's license). Pursuant
to the City's Credit Card Policy, credit card payments shall not be
accepted from individuals who do not own the credit card being used
to make payment, with limited exceptions.
B. Existing Accounts. In order to detect any of the red flags
identified above for an existing account, Utility personnel will take
the following steps to monitor transactions with an account:
1. Verify the identification of customers if they request information
(in person, via telephone, via facsimile, via e-mail);
2. Verify the validity of requests to change billing addresses; and
3. Verify changes in banking information given for billing and payment
purposes.
4. If a customer pays for any service or fee by credit card and in-person
at City Hall, Utility personnel shall verify the identification of
customers by requiring a second (2nd) form of identification (i.e.,
driver's license). Credit card payments shall not be accepted if the
individual's name on the credit card is different than the customer
presenting payment, except pursuant to the City's Credit Card Policy.
[Ord. No. 1618 §1, 10-20-2008; Ord. No. 1657 §1, 11-2-2009]
A. In
the event Utility personnel detect any identified red flags, such
personnel shall take one (1) or more of the following steps, depending
on the degree of risk posed by the red flag:
1. Continue to monitor an account for evidence of identity theft;
3. Change any passwords or other security devices that permit access
to accounts;
4. Reopen an account with a new number;
5. Refuse to open a new account;
6. Close an existing account;
8. Determine that no response is warranted under the particular circumstances;
or
9. Notify the Program Administrator (as defined below) for determination
of the appropriate step(s) to take.
B. For
example:
1. If the Utility is notified that its computer system has been compromised
and that customer identifying information may have been released,
at a minimum the Utility will contact the customer to inform him/her
of the possible breach of information and change any passwords that
permit access to the accounts. In addition, the Utility may close
the existing account and reopen a new account;
2. If the Utility is notified that a person has provided inaccurate
identification information, the Utility may close the account and
contact law enforcement for further investigation;
3. If the Utility notices late payments on an account that has been
regularly paid and determined the resident has been incapacitated,
no action may be warranted.
C. In
order to further prevent the likelihood of identity theft occurring
with respect to Utility accounts, the Utility will take the following
steps with respect to its internal operating procedures:
1. Ensure that its website is secure or provide clear notice that a
website is not secure;
2. Ensure complete and secure destruction of paper documents and computer
files containing customer information, including documentation of
such destruction;
3. Ensure that office computers are password protected and that computer
screens lock after a set period of time;
4. Require only the last four (4) digits of SSNs on customer applications;
5. Limit access to accounts to only employees that require access;
6. Prohibit account information to be written on sticky pads or note
pads;
7. Ensure that computer screens are only visible to the employee accessing
the account; and
8. Require customers to authenticate addresses and personal information,
rather than account representatives asking if the information is correct.
[Ord. No. 1618 §1, 10-20-2008; Ord. No. 1657 §1, 11-2-2009]
This Program will be periodically reviewed and updated to reflect
changes in risks to customers and the soundness of the Utility from
identity theft. At least once per year, the Program Administrator
will consider the Utility's experiences with identity theft situation,
changes in identity theft methods, changes in identity theft detection
and prevention methods, changes in types of accounts the Utility maintains
and changes in the Utility's business arrangements with other entities.
After considering these factors, the Program Administrator will determine
whether changes to the Program, including the listing of red flags,
are warranted. The Program Administrator will present the Board of
Aldermen with his or her recommendations at the first (1st) Board
meeting in October each year and the Board of Aldermen will make a
determination of whether to accept, modify or reject those changes
to the Program. The Program Administrator is authorized to make changes
to the Program that are necessary for the day-to-day management of
the Program.
[Ord. No. 1618 §1, 10-20-2008; Ord. No. 1657 §1, 11-2-2009]
A. Oversight. The Utility's Program will be overseen by a
Program Administrator. The Program Administrator will be responsible
for the Program's administration, for ensuring appropriate training
of Utility staff on the Program, for reviewing any staff reports regarding
the detection of red flags and the steps for preventing and mitigating
identity theft, determining which steps of prevention and mitigation
should be taken in particular circumstances, reviewing and, if necessary,
approving changes to the Program.
B. Staff Training And Reports. Utility staff responsible for
implementing the Program shall be trained either by or under the direction
of the Program Administrator in the detection of red flags, and the
responsive steps to be taken when a red flag is detected. Such training
will be sufficient to effectively implement the Program.
C. Service Provider Arrangements. The Utility will take the
following steps to ensure the service provider performs its activity
in accordance with reasonable policies and procedures designed to
detect, prevent, and mitigate the risk of identity theft:
1. Require, by contract, that service providers have such policies and
procedures in place;
2. Require, by contract, that service providers review the Utility's
Program and report any red flags to the Program Administrator.