The Fair and Accurate Credit Transaction Act of 2003 (“FACTA”),
Section 114, as implemented by the Red Flag Rules, 16 C.F.R. Section
681.2, issued by the Federal Trade Commission, along with other federal
agencies, requires creditors of customer accounts to implement an
Identity Theft Prevention Policy. Pursuant to the regulations, the
District is a creditor because it provides services to customers prior
to receipt of payment through customer accounts, including utility
service accounts, which are maintained primarily for personal, family,
or household purposes and involve multiple payments or transactions,
and for which there is a reasonably foreseeable risk of identity theft.
Therefore, the District is required to implement an Identity Theft
Prevention Policy.
The purpose of this Identify Theft Prevention Policy (“Policy”)
is to detect, prevent, and mitigate identity theft in connection with
all customer accounts, taking into consideration the level of risk
for identity theft given the District’s scope of services provided
and the types of accounts. This Policy is created to identify patterns,
practices, and specific activities that indicate the possible existence
of identity theft, hereinafter referred to as “Red Flags.”
The Policy sets forth the procedures for detecting Red Flags and responding
to Red Flags when discovered.
(Res. No. 2020-02, adopted 5/20/20)
The following definitions apply to this Article:
“Customer account”
shall mean a utility service account or other account provided
by the District that constitutes a “covered account” under
the Red Flag Rules.
“Identity theft”
shall mean a fraud committed or attempted using the personal
identifying information of another person without his/her authority.
“Personal identifying information”
shall mean information that may be used to identify a specific
person, including, but not limited to, a social security number, date
of birth, government issued driver’s license or identification
number, government passport number, unique biometric data such as
fingerprints or physical appearance, any unique electronic identification
number, telephone number or address.
“Red Flag”
shall mean a pattern, practice or specific activity that
indicates the possible existence of identity theft as defined in the
Red Flag Rules, and as specifically enumerated in this Article.
(Res. No. 2020-02, adopted 5/20/20)
The Board of Directors of the District designates to the General
Manager or his or her designee the authority to develop, oversee,
implement, and administer the Policy.
As part of the General Manager or designee’s oversight
responsibilities for the Policy, the General Manager or designee is
required to review and approve all material changes to the Policy
as necessary to address changing identity theft risks. The General
Manager or designee is also responsible for reviewing reports prepared
by the District’s staff regarding the District’s compliance
with FACTA and the Red Flag Rules requiring the implementation of
an Identity Theft Prevention Policy.
Section 23.3.1. Compliance Reports to Be Prepared
by District Staff. The General Manager or designee will designate
the District staff involved with the implementation of the Program
to prepare reports regarding the District’s compliance with
FACTA and the Red Flag Rules requiring the implementation of an Identity
Theft Prevention Policy. The reports should address material matters
related to the Program, such as the following:
(a) The effectiveness of the District’s policies and procedures
to address the risk of identity theft in connection with opening customer
accounts, as well as with existing accounts. This includes identifying
any issues related to identifying, detecting to the General Manager
or his or her designee and responding to Red Flags;
(b) Third-party service provider arrangements;
(c) Significant incidents of identity theft or Red Flag detection, and
the District’s responses to those incidents;
(d) Recommendations for material changes to the program to ensure that
customer accounts are adequately protected from the risk of identity
theft.
The reports should be prepared at least annually for review
by the General Manager or his or her designee and/or the Board of
Directors of the District.
|
Section 23.3.2. Red Flags Identified by the District.
In identifying the Red Flags applicable to the District’s customer
accounts, the District considered the following risk factors:
(a)
|
The types of accounts the District maintains;
|
(b)
|
The methods the District provides to open customer accounts;
|
(c)
|
The methods the District provides to access to customers’
accounts;
|
(d)
|
The District’s previous experiences with identity theft
in connection with the customer accounts.
|
The Red Flags identified in this Policy have been incorporated
from sources, which include supervisory guidance, past incidents of
identity theft, and changes in methods of identity theft risk.
The District’s Identified Red Flags are, as follows:
(a) Suspicious Documents.
(1) Documents used for identification purposes appear to have been altered
or forged.
(2) The photograph or physical description on the identification documents
do not match the appearance of the person presenting the identification.
(3) Other information in identification documents does not match the
information provided by the individual presenting the identification
documents.
(4) Other information in the identification documents does not match
the information on file with the District.
(5) The application to open the account appears to have been forged,
altered, or gives the appearance of having been destroyed and reassembled.
(b) Suspicious Personal Identifying Information.
(1) Personal identifying information is inconsistent with other personal
identifying information provided by the customer, such as a date of
birth that does not correlate.
(2) Personal identifying information provided is associated with known
fraudulent activity, as indicated by internal or third-party sources,
such as the address or phone number on an application was previously
provided on another fraudulent application.
(3) Personal identifying information is of a type commonly associated
with fraudulent activity, as indicated by internal or third-party
sources, such as a fictitious address, or an invalid phone number.
(4) The address or telephone number provided is the same as other individuals
attempting to open an account or existing customers.
(5) The individual opening the account cannot provide all of the required
personal identifying information for an application.
(6) Personal identifying information is inconsistent with the information
provided by the customer on file with the District.
(c) Unusual Use of or Other Suspicious Activity Related to
a Customer Account.
(1) Shortly after receiving a notice of change of address for the account,
the District receives a request to add another name to the account.
(2) A new account is used in a manner commonly associated with known
patterns of fraud, such as a first payment is made, and then no subsequent
payments are made.
(3) An inactive account becomes active.
(4) Mail sent to the customer is returned repeatedly.
(5) The District is notified that a customer is not receiving his/her
paper account statements.
(6) The District is notified of unauthorized transactions on a customer’s
account.
(d) Notice of Possible Identity Theft.
(1) The District is notified by a customer of possible identity theft
in connection with his/her account.
(2) The District is notified by a victim of identity theft of possible
identity theft in connection with a customer account.
(3) The District is notified by law enforcement of possible identity
theft in connection with a customer account.
(4) The District is notified by others of possible identity theft in
connection with a customer account.
Section 23.3.3. Procedures for Detecting Red Flags.
The following procedures are being implemented by the District to
detect the Red Flags identified with opening of accounts and existing
accounts identified above:
(a) Obtain personal identifying information of an individual to verify
his/her identity prior to opening an account.
(b) Authenticate the identity of customers when they are requesting information
about their accounts.
(c) Authenticate the identity of customers when they are requesting to
make any changes to their accounts.
(d) Members of the District’s staff will be assigned and trained
to detect Red Flags.
(e) In addition, the District may employ the services of a third party
service provider and/or utilize computer software programs to assist
in detecting Red Flags.
Section 23.3.4. Procedures for Responding to Red
Flags. In order to prevent and mitigate identity theft, and after
taking into consideration the risks of identity theft applicable to
the customer accounts, the District implements the following procedures
to respond to all Red Flags that are discovered. One or more of these
procedures will be used each time a Red Flag is detected:
(a) Monitor accounts for evidence of identity theft.
(b) Change or add a password, security code, or other device that provides
access to the account.
(c) Reopen an account with a new account number
(d) Close an existing account.
(Res. No. 2020-02, adopted 5/20/20)