This article shall be known as the identity theft prevention
program.
(Ordinance 2020-29 adopted 10/20/20)
The purpose of this article is to comply with 16 CFR §
681.2 in order to detect, prevent and mitigate identity theft by identifying
and detecting identity theft red flags and by responding to such red
flags in a manner that will prevent identity theft.
(Ordinance 2020-29 adopted 10/20/20)
For purposes of this article, the following definitions apply:
Covered account.
(1)
An account that a financial institution or creditor offers or
maintains, primarily for personal, family, or household purposes,
that involves or is designed to permit multiple payments or transactions,
such as a credit card account, mortgage loan, automobile loan, margin
account, cell phone account, utility account, checking account, or
savings account; and
(2)
Any other account that the financial institution or creditor
offers or maintains for which there is a reasonably foreseeable risk
to customers or to the safety and soundness of the financial institution
or creditor from identity theft, including financial, operational,
compliance, reputation or litigation risks.
Credit.
The right granted by a creditor to a debtor to defer payment
of debt or to incur debts and defer its payment or to purchase property
or services and defer payment therefor.
Creditor.
Any person who regularly extends, renews, or continues credit;
any person who regularly arranges for the extension, renewal, or continuation
of credit; or any assignee of an original creditor who participates
in the decision to extend, renew, or continue credit and includes
utility companies and telecommunications companies.
Customer.
A person that has a covered account with a creditor.
Identity theft.
A fraud committed or attempted using identifying information
of another person without authority.
Person.
A natural person, a corporation, government or governmental
subdivision or agency, trust, estate, partnership, cooperative, or
association.
Personal identifying information.
A person’s credit card account information, debit card
information, bank account information, and driver’s license
information, and for a natural person includes their social security
number, mother’s birth name, place and date of birth.
Red flag.
A pattern, practice, or specific activity that indicates
the possible or actual existence of identity theft.
(Ordinance 2020-29 adopted 10/20/20)
(a) The city is a creditor pursuant to 16 CFR § 681.2 due to its
provisions or maintenance of covered accounts for which payments is
made in arrears.
(b) Covered accounts offered to customers for the provision of city services
include water, wastewater and trash service accounts.
(c) The city’s has no previous experience with identity theft related
to covered accounts.
(d) The processes of opening a new covered account, restoring an existing
covered account, and making payments on such accounts have been identified
as potential processes in which identity theft could occur.
(e) The city limits access to personal identifying information to those
employees responsible for or otherwise involved in opening or restoring
covered accounts or accepting payment for use of covered accounts.
Information provided to such employees is entered directly into the
city’s computer system and is not otherwise recorded.
(f) The city determines that there is a moderate risk of identity theft
occurring in the following ways:
(1) Use by an applicant of another person’s identifying information
to establish a new covered account;
(2) Use of a previous customer’s personal identifying information
by another person in an effort to have service restored in the previous
customer’s name;
(3) Use of another person’s credit card, bank account, or other
method of payment by a customer to pay such customer’s covered
account or accounts; and,
(4) Use by a customer desiring to restore such customer’s covered
account of another person’s credit card, bank account, or other
method of payment.
(Ordinance 2020-29 adopted 10/20/20)
(a) As a precondition to opening a covered account in the city, each
applicant shall provide the city with personal identifying information
of the customer in the form of a valid government issued identification
card containing a photograph of the customer or, for customers who
are not natural persons, a photograph of the customer’s agent
opening the account. Such information shall be entered directly into
the city’s computer system and shall not otherwise be recorded.
(b) Each account shall be assigned an account number and personal identification
number (PIN) and/or password which shall be unique to that account.
The city may utilize computer software to randomly generate assigned
PINs and/or passwords and to encrypt account numbers and PINs and/or
passwords.
(Ordinance 2020-29 adopted 10/20/20)
(a) Access to customer accounts shall be password protected and shall
be limited to authorized city personnel.
(b) Such password(s) shall be changed by the director of the department
providing the service or the director’s designee, on a regular
basis, shall be at least 8 characters in length and shall contain
letters, numbers and symbols.
(c) Any unauthorized access to or other breach of customer accounts is
to be reported immediately to the city manager and the password changed
immediately.
(d) Personal identifying information included in customer accounts is
considered confidential and any request or demand for such information
shall be immediately forwarded to the city manager and the city attorney.
(Ordinance 2020-29 adopted 10/20/20)
(a) In the event that credit card payments that are made over the Internet
are processed through a third party service provider, such third party
service provider shall certify that it has an adequate identity theft
prevention program in place that is applicable to such payments.
(b) All credit card payments made over the telephone or the city’s
website shall be entered directly into the customer’s account
information in the computer data base.
(c) Account statements and receipts for covered accounts shall include
only the last four digits of the credit card or debit card or the
bank account used for payment of the covered amount.
(Ordinance 2020-29 adopted 10/20/20)
All employees responsible for or involved in the process of
opening a covered account, restoring a covered account or accepting
payment for a covered account shall check for red flags as indicators
of possible identity theft and such red flags may include:
(1) Alerts from consumer reporting agencies, fraud detection agencies
or service providers.
Examples of alerts include but
are not limited to:
(A) A fraud or active duty alert that is included with a consumer report;
(B) A notice of credit freeze in response to a request for a consumer
report;
(C) A notice of address discrepancy provided by a consumer reporting
agency;
(D) Indications of a pattern of activity in a consumer report that is
inconsistent with the history and usual pattern of activity of an
applicant or customer, such as:
(i) A recent and significant increase in the volume of inquiries;
(ii)
An unusual number of recently established credit relationships;
(iii)
A material change in the use of credit, especially with respect
to recently established credit relationships; or
(iv)
An account that was closed for cause or identified for abuse
of account privileges by a financial institution or creditor.
(2) Suspicious documents.
Examples of suspicious documents
includes:
(A) Documents provided for identification that appear to be altered or
forged;
(B) Identification on which the photograph or physical description is
inconsistent with the appearance of the applicant or customer;
(C) Identification on which the information is inconsistent with information
provided by the applicant or customer;
(D) Identification on which the information is inconsistent with readily
accessible information that is on file with the financial institution
or creditor, such as a signature card or a recent check; or
(E) An application that appears to have been altered or forged, or appears
to have been destroyed and reassembled.
(3) Suspicious personal identification.
Examples of suspicious
identifying information include:
(A) Personal identifying information that is inconsistent with external
information sources used by financial institution or creditor. For
example:
(i) The address does not match any address in the consumer report; or
(ii)
The social security number (“SSN”) has not been
issued, or is listed on the social security administration’s
death master file.
(B) Personal identifying information provided by the customer is not
consistent with other personal identifying provided by the customer,
such as a lack of correlation between the SSN range and date of birth.
(C) Personal identifying information or a phone number or address, is
associated with known fraudulent applications or activities as indicated
by internal or third-party sources used by the financial institution
or creditor.
(D) Other information provided, such as fictitious mailing address, mail
drop addresses, jail addresses, invalid phone numbers, pager numbers
or answering services, is associated with fraudulent activity.
(E) The SSN provided is the same as that submitted by other applicants
or customers.
(F) The address or telephone number provided is the same as or similar
to the account number or telephone number submitted by an unusually
large number of applicants or customers.
(G) The applicant or customer fails to provide all required personal
identifying information on an application or in response to a notification
that the application is incomplete.
(H) Personal identifying information is not consistent with personal
identifying information that is on file with the financial institution
or creditor.
(I) The applicant or customer cannot provide authenticating information
beyond that which generally would be available from a wallet or consumer
report.
(4) Unusual use of or suspicious activity relating to a covered account.
Examples of suspicious activity include:
(A) Shortly following the notice of a change of address for an account,
the city receives a request for the addition of authorized users on
the account.
(B) A new revolving credit account is used in a manner commonly associated
with known patterns of fraud patterns. For example:
(i) The customer fails to make the first payment or makes an initial
payment but no subsequent payments.
(C) An account is used in a manner that is not consistent with the established
patterns of activity on the account. There is, for example:
(i) Nonpayment when there is no history of late or missed payments;
(ii)
A material change in purchasing or spending patterns.
(D) An account that has been inactive for a long period of time is used
(taking into account the type of account, the expected pattern of
usage and other relevant factors).
(E) Mail sent to the customer is returned repeatedly as undeliverable
although transactions continue to be conducted in connection with
the customer’s account.
(F) The city is notified that the customer is not receiving paper account
statements.
(G) The city is notified of unauthorized charges or transactions in connection
with a customer’s account.
(H) The city is notified by a customer, law enforcement or another person
that it has opened a fraudulent account for a person engaged in identity
theft.
(5) Notice from customer, law enforcement, victims or other reliable
sources regarding possible identity theft or phishing relating to
covered accounts.
(Ordinance 2020-29 adopted 10/20/20)
(a) In the event that any city employee responsible for or involved in
restoring an existing covered account or accepting payment for a covered
account becomes aware of red flags indicating possible identity theft
with respect to existing covered accounts, such employee shall use
his or her discretion to determine whether such red flag or combination
of red flags suggests a threat of identity theft. If, in his or her
discretion, such employee determines that identity theft or attempted
identity theft is likely or probable, such employee shall immediately
report such red flags to the director. If, in his or her discretion,
such employee deems that identity theft is unlikely or that reliable
information is available to reconcile red flags, the employee shall
convey this information to reconcile red flags, the employee shall
convey this information to the director, who may in his or her discretion
determine that further action is necessary. If the director in his
or her discretion determines that further action is necessary, a city
employee shall perform one or more of the following responses, as
determined to be appropriate by the director:
(2) Make the following changes to the account if, after contacting the
customer, it is apparent that someone other than the customer has
accessed the customer’s covered account:
(A) Change any account numbers, passwords, security codes, or other security
devices that permit access to an account; or
(3) Cease attempts to collect additional charges from the customer and
decline to sell the customer’s account to a debt collector in
the event that the customer’s account has been accessed without
authorization and such access has caused additional charges to accrue;
(4) Notify a debt collector within seventy-two (72) hours of the discovery
of likely or probable identity theft relating to a customer account
that has been sold to such debt collector in the event that a customer’s
account has been sold to a debt collector prior to the discovery of
the likelihood or probability of identity theft relating to such an
account;
(5) Notify law enforcement, in the event that someone other than the
customer has accessed the customer’s account causing additional
charges to accrue or accessing personal identifying information;
(b) In the event that any city employee responsible for or involved in
opening a new covered account becomes aware of red flags indicating
possible identity theft with respect to an application for a new account,
such employee shall use his or her discretion to determine whether
such red flag or combination of red flags suggests a threat of identity
theft. If, in his or her discretion, such employee determines that
identity theft or attempted identity theft is likely or probable,
such employee shall immediately report such red flags to the director.
If, in his or her discretion, such employee deems that identity theft
is unlikely or that reliable information is available to reconcile
red flags, the employee shall convey this information to the director,
who may in his or her discretion determine that no further action
is necessary. If the director in his or her discretion determines
that no further action is necessary, a city employee shall perform
one or more of the following responses, as determined to be appropriate
by the director:
(1) Request additional identifying information from the applicant;
(2) Deny the application for the new account;
(3) Notify law enforcement of possible identity theft; or
(4) Take other appropriate action to prevent or mitigate identity theft.
(Ordinance 2020-29 adopted 10/20/20)
The city council shall annually review and, as deemed necessary
by the city council, update the identity theft prevention program
along with any relevant red flags in order to reflect changes in risks
to customers or to the safety and soundness of the city and its covered
accounts from identity theft. In so doing, the city council shall
consider the following factors and exercise its discretion in amending
the program:
(1) The city’s experiences with identity theft;
(2) Updates in methods of identity theft;
(3) Updates in customary methods used to detect, prevent, and mitigate
identity theft;
(4) Updates in the types of accounts that the city offers or maintains;
and
(5) Updates in service provider arrangements.
(Ordinance 2020-29 adopted 10/20/20)
Senior level staff is responsible for oversight of the program
and for program implementation. The city manager is responsible for
reviewing reports prepared by staff regarding compliance with red
flag requirements and with recommending material changes to the program,
as necessary in the opinion of the city manager to address changing
identity theft risks and to identify new or discontinued types of
covered accounts. Any recommended material changes to the program
shall be submitted to the city council for consideration by the city
council.
(1) The senior level staff shall report to the city manager at least
annually, on compliance with the red flag requirements. The report
will address material matters related to the program and evaluate
issues such as:
(A) The effectiveness of the policies and procedures of the city in addressing
the risk of identity theft in connection with the opening a new covered
account and with respect to existing covered accounts;
(B) Service provider arrangements;
(C) Significant incidents involving identity theft and management’s
response; and
(D) Recommendations for material changes to the program.
(2) The senior level staff is responsible for providing training to all
employees responsible for or involved in opening a new covered account,
restoring an existing covered account or accepting payment for a covered
account with respect to the implementation and requirements of the
identity theft prevention program. The senior level staff shall exercise
his, her or their discretion in determining the amount and substance
of training necessary.
(Ordinance 2020-29 adopted 10/20/20)
In the event that the city engages a service provider to perform
an activity in connection with one or more covered accounts the senior
level staff shall exercise his, her or their discretion in reviewing
such arrangements in order to ensure, to the best of his, her or their
ability, that the service provider’s activities are conducted
in accordance with policies and procedures, agreed upon by contract,
that are designed to detect any red flags that may arise in the performance
of the service provider’s activities and take appropriate steps
to prevent or mitigate identity theft.
(Ordinance 2020-29 adopted 10/20/20)