The purpose of this article is to implement an identity theft prevention program as required by the Fair and Accurate Credit Transactions Act of 2003 (Pub. L. 108-159) and its implementing regulations, known as the Red Flags Rule.
(Ordinance 617-10 adopted 5/17/2010)
(a) 
The Federal Trade Commission (FTC) requires every creditor to implement an identify theft prevention program ("program") under section 114 of the Fair and Accurate Credit Transactions Act. The program requirements are published in 16 Code of Federal Regulations section 681.2.
(b) 
Identity theft is defined as a fraud committed or attempted using identifying information of another person without authority. The city adopts this program to comply with FTC rules and regulations.
(c) 
In drafting this program, the city considered: (i) the methods it provides to open its accounts, (ii) the methods it provides to access its accounts, and (iii) its previous experiences with identity theft. Based on these considerations, the city hereby determines that the city is a low to moderate risk entity and, as a result, develops and implements the streamlined identity theft prevention program set forth in this article.
(Ordinance 617-10 adopted 5/17/2010)
The FTC regulations identify numerous red flags that must be considered in adopting an identity theft prevention program. A red flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft. The city identifies the following red flags:
(1) 
Notifications from consumer reporting agencies.
The city does not request, receive, obtain or maintain information about its customer from any consumer reporting agency.
(2) 
Suspicious documents.
Possible red flags include:
(A) 
Presentation of documents appearing to be altered or forged;
(B) 
Presentation of photographs or physical descriptions that are not consistent with the appearance of the applicant or customer;
(C) 
Presentation of other documentation that is not consistent with the information provided when the account was opened or existing customer information;
(D) 
Presentation of information that is not consistent with the account application; or
(E) 
Presentation of an application that appears to have been altered, forged, destroyed, or reassembled.
(3) 
Suspicious personal identifying information.
Possible red flags include:
(A) 
Personal identifying information is being provided by the customer that is not consistent with other personal identifying information provided by the customer or is not consistent with the personal identifying information provided by the customer or is not consistent with the customer's account application;
(B) 
Personal identifying information is associated with known fraudulent activity;
(C) 
The social security number (if required or obtained) is the same as that submitted by another customer;
(D) 
The telephone number or address is the same as that submitted by another customer;
(E) 
The applicant failed to provide all personal identifying information requested on the application; or
(F) 
The applicant or customer cannot provide authenticating information beyond that which generally would be available.
(4) 
Unusual use of or suspicious activity related to an account.
Possible red flags include:
(A) 
A change of address for an account followed by a request to change the account holder's name;
(B) 
A change of address for an account followed by a request to add new or additional authorized users or representatives;
(C) 
An account is not being used in a way that is consistent with prior use (such as late or no payments when the account has been timely in the past);
(D) 
A new account is used in a manner commonly associated with known patterns of fraudulent activity (such as customer fails to make the first payment or makes the first payment but no subsequent payments);
(E) 
Mail sent to the account holder is repeatedly returned as undeliverable; or
(F) 
The city receives notice of unauthorized activity on the account.
(5) 
Notice regarding possible identify theft.
Possible red flags include: notice from a customer, an identity theft victim, law enforcement personnel or other reliable sources regarding possible identity theft or phishing related to covered accounts.
(Ordinance 617-10 adopted 5/17/2010)
Before changing a name and address of an existing covered account, the city requires proof of property ownership or rental such as documentation from escrow, copy of a real estate contract or deed of trust.
(Ordinance 617-10 adopted 5/17/2010)
All personal information, personal identifying information, account applications and account information collected and maintained by the city shall be a confidential record of the city and shall not be subject to disclosure unless otherwise required by state or federal law.
(Ordinance 617-10 adopted 5/17/2010)
Access to covered account information shall be limited to employees that provide customer service and technical support for city departments or offices offering covered accounts. Any computer that has access to customer account or personal identifying information shall be password protected and all computer screens shall lock after no more than fifteen (15) minutes of inactivity. All paper and non-electronic based account or customer personal identifying information shall be stored and maintained in a locked room or cabinet, and access shall only be granted by the city manager or his/her designee.
(Ordinance 617-10 adopted 5/17/2010)
All internet or telephone credit card payments shall only be processed through a third party service provider which certifies that it has an identity theft prevention program operating and in place. Credit card payments accepted in person shall require a reasonable connection between the person or entity billed for the services and the credit card owner.
(Ordinance 617-10 adopted 5/17/2010)
(a) 
Suspicious transactions include, but are not limited to, the presentation of incomplete applications, unsigned applications, payment by someone other than the person named on the covered account, or presentation of inconsistent signatures, addresses or identification.
(b) 
Suspicious transactions shall not be processed and shall be immediately referred to the city manager or his/her designee.
(Ordinance 617-10 adopted 5/17/2010)
The compliance officer or his/her designee shall use his/her discretion on whether to report suspicious transactions to appropriate law enforcement departments.
(Ordinance 617-10 adopted 5/17/2010)
All transactions processed through a third party service provider shall be permitted only if the service provider certifies that it has complied with the FTC regulations and has in place a consumer identity theft prevention program.
(Ordinance 617-10 adopted 5/17/2010)
The compliance officer for this identity theft prevention program shall be the city manager or his/her designee. The city manager shall conduct training of all city employees that transact business using covered accounts. The city manager shall periodically review this program and recommend any necessary updates to the city council.
(Ordinance 617-10 adopted 5/17/2010)
The city manager shall provide an annual report to the mayor. The contents of the annual report shall address and evaluate at least the following:
(1) 
The effectiveness of the policies and procedures of the city in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to access to existing covered accounts;
(2) 
Service provider arrangements;
(3) 
Incidents involving identity theft with covered accounts and the city's response;
(4) 
Changes in methods of identity theft and the prevention of identity theft; and
(5) 
Recommendations for changes to the city's identity theft prevention program.
(Ordinance 617-10 adopted 5/17/2010)