This article shall be known as the
identity theft prevention program.
(Ordinance
2020-29 adopted 10/20/20)
The purpose of this article is to
comply with 16 CFR § 681.2 in order to detect, prevent and mitigate
identity theft by identifying and detecting identity theft red flags
and by responding to such red flags in a manner that will prevent
identity theft.
(Ordinance
2020-29 adopted 10/20/20)
For purposes of this article, the
following definitions apply:
The City of Buda.
An account that a financial institution
or creditor offers or maintains, primarily for personal, family, or
household purposes, that involves or is designed to permit multiple
payments or transactions, such as a credit card account, mortgage
loan, automobile loan, margin account, cell phone account, utility
account, checking account, or savings account; and
Any other account that the financial
institution or creditor offers or maintains for which there is a reasonably
foreseeable risk to customers or to the safety and soundness of the
financial institution or creditor from identity theft, including financial,
operational, compliance, reputation or litigation risks.
The right granted by a creditor to a debtor to defer payment
of debt or to incur debts and defer its payment or to purchase property
or services and defer payment therefor.
Any person who regularly extends, renews, or continues credit;
any person who regularly arranges for the extension, renewal, or continuation
of credit; or any assignee of an original creditor who participates
in the decision to extend, renew, or continue credit and includes
utility companies and telecommunications companies.
A person that has a covered account with a creditor.
A fraud committed or attempted using identifying information
of another person without authority.
A natural person, a corporation, government or governmental
subdivision or agency, trust, estate, partnership, cooperative, or
association.
A person’s credit card account information, debit card
information, bank account information, and driver’s license
information, and for a natural person includes their social security
number, mother’s birth name, place and date of birth.
A pattern, practice, or specific activity that indicates
the possible or actual existence of identity theft.
A person that provides a service directly to the city.
(Ordinance
2020-29 adopted 10/20/20)
(a)
The city is a creditor pursuant to
16 CFR § 681.2 due to its provisions or maintenance of covered
accounts for which payments is made in arrears.
(b)
Covered accounts offered to customers
for the provision of city services include water, wastewater and trash
service accounts.
(c)
The city’s has no previous
experience with identity theft related to covered accounts.
(d)
The processes of opening a new covered
account, restoring an existing covered account, and making payments
on such accounts have been identified as potential processes in which
identity theft could occur.
(e)
The city limits access to personal
identifying information to those employees responsible for or otherwise
involved in opening or restoring covered accounts or accepting payment
for use of covered accounts. Information provided to such employees
is entered directly into the city’s computer system and is not
otherwise recorded.
(f)
The city determines that there is
a moderate risk of identity theft occurring in the following ways:
(1)
Use by an applicant of another person’s
identifying information to establish a new covered account;
(2)
Use of a previous customer’s
personal identifying information by another person in an effort to
have service restored in the previous customer’s name;
(3)
Use of another person’s credit
card, bank account, or other method of payment by a customer to pay
such customer’s covered account or accounts; and,
(4)
Use by a customer desiring to restore
such customer’s covered account of another person’s credit
card, bank account, or other method of payment.
(Ordinance
2020-29 adopted 10/20/20)
(a)
As a precondition to opening a covered
account in the city, each applicant shall provide the city with personal
identifying information of the customer in the form of a valid government
issued identification card containing a photograph of the customer
or, for customers who are not natural persons, a photograph of the
customer’s agent opening the account. Such information shall
be entered directly into the city’s computer system and shall
not otherwise be recorded.
(b)
Each account shall be assigned an
account number and personal identification number (PIN) and/or password
which shall be unique to that account. The city may utilize computer
software to randomly generate assigned PINs and/or passwords and to
encrypt account numbers and PINs and/or passwords.
(Ordinance
2020-29 adopted 10/20/20)
(a)
Access to customer accounts shall
be password protected and shall be limited to authorized city personnel.
(b)
Such password(s) shall be changed
by the director of the department providing the service or the director’s
designee, on a regular basis, shall be at least 8 characters in length
and shall contain letters, numbers and symbols.
(c)
Any unauthorized access to or other
breach of customer accounts is to be reported immediately to the city
manager and the password changed immediately.
(d)
Personal identifying information
included in customer accounts is considered confidential and any request
or demand for such information shall be immediately forwarded to the
city manager and the city attorney.
(Ordinance
2020-29 adopted 10/20/20)
(a)
In the event that credit card payments
that are made over the Internet are processed through a third party
service provider, such third party service provider shall certify
that it has an adequate identity theft prevention program in place
that is applicable to such payments.
(b)
All credit card payments made over
the telephone or the city’s website shall be entered directly
into the customer’s account information in the computer data
base.
(c)
Account statements and receipts for
covered accounts shall include only the last four digits of the credit
card or debit card or the bank account used for payment of the covered
amount.
(Ordinance
2020-29 adopted 10/20/20)
All employees responsible for or
involved in the process of opening a covered account, restoring a
covered account or accepting payment for a covered account shall check
for red flags as indicators of possible identity theft and such red
flags may include:
(1)
Alerts from consumer reporting
agencies, fraud detection agencies or service providers.
Examples of alerts include but are not
limited to:
(A)
A fraud or active duty alert that
is included with a consumer report;
(B)
A notice of credit freeze in response
to a request for a consumer report;
(C)
A notice of address discrepancy provided
by a consumer reporting agency;
(D)
Indications of a pattern of activity
in a consumer report that is inconsistent with the history and usual
pattern of activity of an applicant or customer, such as:
(i)
A recent and significant
increase in the volume of inquiries;
(ii)
An unusual number of
recently established credit relationships;
(iii)
A material change
in the use of credit, especially with respect to recently established
credit relationships; or
(iv)
An account that was
closed for cause or identified for abuse of account privileges by
a financial institution or creditor.
(2)
Suspicious documents.
Examples of suspicious documents includes:
(A)
Documents provided for identification
that appear to be altered or forged;
(B)
Identification on which the photograph
or physical description is inconsistent with the appearance of the
applicant or customer;
(C)
Identification on which the information
is inconsistent with information provided by the applicant or customer;
(D)
Identification on which the information
is inconsistent with readily accessible information that is on file
with the financial institution or creditor, such as a signature card
or a recent check; or
(E)
An application that appears to have
been altered or forged, or appears to have been destroyed and reassembled.
(3)
Suspicious personal identification.
Examples of suspicious identifying
information include:
(A)
Personal identifying information
that is inconsistent with external information sources used by financial
institution or creditor. For example:
(B)
Personal identifying information
provided by the customer is not consistent with other personal identifying
provided by the customer, such as a lack of correlation between the
SSN range and date of birth.
(C)
Personal identifying information
or a phone number or address, is associated with known fraudulent
applications or activities as indicated by internal or third-party
sources used by the financial institution or creditor.
(D)
Other information provided, such
as fictitious mailing address, mail drop addresses, jail addresses,
invalid phone numbers, pager numbers or answering services, is associated
with fraudulent activity.
(E)
The SSN provided is the same as that
submitted by other applicants or customers.
(F)
The address or telephone number provided
is the same as or similar to the account number or telephone number
submitted by an unusually large number of applicants or customers.
(G)
The applicant or customer fails to
provide all required personal identifying information on an application
or in response to a notification that the application is incomplete.
(H)
Personal identifying information
is not consistent with personal identifying information that is on
file with the financial institution or creditor.
(I)
The applicant or customer cannot
provide authenticating information beyond that which generally would
be available from a wallet or consumer report.
(4)
Unusual use of or suspicious
activity relating to a covered account.
Examples of suspicious activity include:
(A)
Shortly following the notice of a
change of address for an account, the city receives a request for
the addition of authorized users on the account.
(B)
A new revolving credit account is
used in a manner commonly associated with known patterns of fraud
patterns. For example:
(i)
The customer fails to
make the first payment or makes an initial payment but no subsequent
payments.
(D)
An account that has been inactive
for a long period of time is used (taking into account the type of
account, the expected pattern of usage and other relevant factors).
(E)
Mail sent to the customer is returned
repeatedly as undeliverable although transactions continue to be conducted
in connection with the customer’s account.
(F)
The city is notified that the customer
is not receiving paper account statements.
(G)
The city is notified of unauthorized
charges or transactions in connection with a customer’s account.
(H)
The city is notified by a customer,
law enforcement or another person that it has opened a fraudulent
account for a person engaged in identity theft.
(5)
Notice from customer, law enforcement,
victims or other reliable sources regarding possible identity theft
or phishing relating to covered accounts.
(Ordinance
2020-29 adopted 10/20/20)
(a)
In the event that any city employee
responsible for or involved in restoring an existing covered account
or accepting payment for a covered account becomes aware of red flags
indicating possible identity theft with respect to existing covered
accounts, such employee shall use his or her discretion to determine
whether such red flag or combination of red flags suggests a threat
of identity theft. If, in his or her discretion, such employee determines
that identity theft or attempted identity theft is likely or probable,
such employee shall immediately report such red flags to the director.
If, in his or her discretion, such employee deems that identity theft
is unlikely or that reliable information is available to reconcile
red flags, the employee shall convey this information to reconcile
red flags, the employee shall convey this information to the director,
who may in his or her discretion determine that further action is
necessary. If the director in his or her discretion determines that
further action is necessary, a city employee shall perform one or
more of the following responses, as determined to be appropriate by
the director:
(1)
Contact the customer;
(2)
Make the following changes to the
account if, after contacting the customer, it is apparent that someone
other than the customer has accessed the customer’s covered
account:
(3)
Cease attempts to collect additional
charges from the customer and decline to sell the customer’s
account to a debt collector in the event that the customer’s
account has been accessed without authorization and such access has
caused additional charges to accrue;
(4)
Notify a debt collector within seventy-two
(72) hours of the discovery of likely or probable identity theft relating
to a customer account that has been sold to such debt collector in
the event that a customer’s account has been sold to a debt
collector prior to the discovery of the likelihood or probability
of identity theft relating to such an account;
(5)
Notify law enforcement, in the event
that someone other than the customer has accessed the customer’s
account causing additional charges to accrue or accessing personal
identifying information;
(b)
In the event that any city employee
responsible for or involved in opening a new covered account becomes
aware of red flags indicating possible identity theft with respect
to an application for a new account, such employee shall use his or
her discretion to determine whether such red flag or combination of
red flags suggests a threat of identity theft. If, in his or her discretion,
such employee determines that identity theft or attempted identity
theft is likely or probable, such employee shall immediately report
such red flags to the director. If, in his or her discretion, such
employee deems that identity theft is unlikely or that reliable information
is available to reconcile red flags, the employee shall convey this
information to the director, who may in his or her discretion determine
that no further action is necessary. If the director in his or her
discretion determines that no further action is necessary, a city
employee shall perform one or more of the following responses, as
determined to be appropriate by the director:
(Ordinance
2020-29 adopted 10/20/20)
The city council shall annually review
and, as deemed necessary by the city council, update the identity
theft prevention program along with any relevant red flags in order
to reflect changes in risks to customers or to the safety and soundness
of the city and its covered accounts from identity theft. In so doing,
the city council shall consider the following factors and exercise
its discretion in amending the program:
(1)
The city’s experiences with
identity theft;
(2)
Updates in methods of identity theft;
(3)
Updates in customary methods used
to detect, prevent, and mitigate identity theft;
(4)
Updates in the types of accounts
that the city offers or maintains; and
(5)
Updates in service provider arrangements.
(Ordinance
2020-29 adopted 10/20/20)
Senior level staff is responsible
for oversight of the program and for program implementation. The city
manager is responsible for reviewing reports prepared by staff regarding
compliance with red flag requirements and with recommending material
changes to the program, as necessary in the opinion of the city manager
to address changing identity theft risks and to identify new or discontinued
types of covered accounts. Any recommended material changes to the
program shall be submitted to the city council for consideration by
the city council.
(1)
The senior level staff shall report
to the city manager at least annually, on compliance with the red
flag requirements. The report will address material matters related
to the program and evaluate issues such as:
(A)
The effectiveness of the policies
and procedures of the city in addressing the risk of identity theft
in connection with the opening a new covered account and with respect
to existing covered accounts;
(B)
Service provider arrangements;
(C)
Significant incidents involving identity
theft and management’s response; and
(D)
Recommendations for material changes
to the program.
(2)
The senior level staff is responsible
for providing training to all employees responsible for or involved
in opening a new covered account, restoring an existing covered account
or accepting payment for a covered account with respect to the implementation
and requirements of the identity theft prevention program. The senior
level staff shall exercise his, her or their discretion in determining
the amount and substance of training necessary.
(Ordinance
2020-29 adopted 10/20/20)
In the event that the city engages
a service provider to perform an activity in connection with one or
more covered accounts the senior level staff shall exercise his, her
or their discretion in reviewing such arrangements in order to ensure,
to the best of his, her or their ability, that the service provider’s
activities are conducted in accordance with policies and procedures,
agreed upon by contract, that are designed to detect any red flags
that may arise in the performance of the service provider’s
activities and take appropriate steps to prevent or mitigate identity
theft.
(Ordinance
2020-29 adopted 10/20/20)
