10/21/2008, C5 - IDENTITY THEFT PREVENTION PROGRAM
council agenda report 10-7-08
CITY OF SAN LUIS OBISPO
FROM: Bill Statler, Director of Finance & Information Technology
Jennifer Thompson, Revenue Supervisor
SUBJECT: IDENTITY THEFT PREVENTION PROGRAM
CAO RECOMMENDATION
Adopt a resolution establishing an identity theft prevention program in compliance with the Fair
and Accurate Credit Transaction (FACT) Act.
DISCUSSION
Background
In accordance with the FACT Act adopted by the federal government, the Federal Trade
Commission (FTC) has set "red flag" rules requiring that every creditor establish a written
program providing for the detection of "specific activators" ("red flags") that could be related to
identity theft. Any private or public entity that extends credit to customers by first providing
goods or services and then billing for them later is subject to these requirements.
As a municipal utility provider, the City is subject to this requirement, since it provides water and
sewer service and bills for this after service has been received. In short, the City extends credit to
its customers from the time it provides service to them and then subsequently bills and collects
payment for this.
Along with all other municipal utility providers in the nation, the City is required to formally
adopt an identity theft prevention program by November 1, 2008. The proposed program will
comply with FTC requirements and provide greater security for our utility billing customers.
Key Program Provisions
The proposed program in Attachment 1, Exhibit A largely sets forth in writing the identity
protection practices the City has followed for many years. Key features of the proposed
program include:
Program Goals
1. Identify relevant patterns, practices and specific activities (referred to in the program as "red
flags") that signal possible identity theft relating to information maintained in the City's
customer accounts, both those currently existing and those accounts established in the future.
2. Detect "red flags" after the program has been implemented.
3. Respond promptly and appropriately to detected red flags to prevent or mitigate identity theft
relating to the City's customer account information.
4. Ensure that the program is updated periodically to reflect any necessary changes.
Key Program Features
1. Describes suspicious documents and activities.
2. Provides direction to utility billing staff in how to detect and respond to "Red Flags."
3. Establishes procedures to protect against identity theft.
4. Assigns responsibility for program administration and oversight.
CONCURRENCES
The Utilities Department concurs with the recommended program.
FISCAL IMPACT
Implementing the proposed "Red Flag" program will not have any significant fiscal impacts as
none of the policies are different or inconsistent with our current utility billing policies or
practices.
ATTACHMENT
Resolution establishing an identity theft prevention program
Attachment 1
RESOLUTION NO. (2008 Series)
A RESOLUTION OF THE COUNCIL OF THE CITY OF SAN LUIS OBISPO
ESTABLISHING AN IDENTITY THEFT PREVENTION PROGRAM
WHEREAS, the Federal Trade Commission ("FTC") has adopted regulations that
require "creditors" holding consumer or other "covered accounts" (which are defined to mean
any account where customer payment information is collected in order to bill for services
rendered) to develop and implement by November 1, 2008 an identity theft prevention program
that complies with those regulations; and
WHEREAS, because the City of San Luis Obispo ("City") provides retail water service
to its customers, it is a "creditor" under the applicable FTC regulations and must therefore
comply with those regulations by adopting and implementing an identity theft prevention
program, and
WHEREAS, the Council desires to take action to comply with the applicable FTC
regulations by adopting an identity theft prevention program.
NOW, THEREFORE, BE IT RESOLVED that the Council of the City of San Luis
Obispo hereby adopts, and directs staff to implement, the following identity theft prevention
program.
SECTION 1. Program Goals. The City's Identity Theft Prevention Program
(the "Program") shall endeavor to achieve the following goals:
a. Identify relevant patterns, practices and specific activities (referred to in
this Program as "Red Flags") that signal possible identity theft relating to information
maintained in the City's customers' accounts, both those currently existing and those
accounts to be established in the future;
b. Detect Red Flags after the Program has been implemented;
c. Respond promptly and appropriately to detected Red Flags to prevent or
mitigate identity theft relating to City customer account information; and
d. Ensure the Program is updated periodically to reflect any necessary
changes.
SECTION 2. The Program. Program implementation and detailed information is
attached in Exhibit A.
Upon motion of , seconded by
and on the following vote:
AYES:
NOES:
ABSENT:
The foregoing resolution was adopted on October 21, 2008.
Mayor David F. Romero
ATTEST:
Audrey Hooper
City Clerk
APPROVED AS TO FORM:
Jonathan Lowell
City Attorney
Exhibit A
City of San Luis Obispo, California
Finance & Information Technology Department
Identity Theft Prevention Program
This program is in response to and in compliance with the
Fair and Accurate Credit Transaction (FACT) Act of 2003
and
The final rules and guidelines for the FACT Act issued by the
Federal Trade Commission and federal bank regulatory agencies
in November 2007
Adopted October 21, 2008 — Resolution # XX
Identity Theft Prevention Program
Purpose
This document was created in order to comply with regulations issued by the Federal Trade
Commission (FTC) as part of the implementation of the Fair and Accurate Credit Transaction
(FACT) Act of 2003. The FACT Act requires that financial institutions and creditors implement
written programs which provide for detection of and response to specific activities ("red flags")
that could be related to identity theft. These programs must be in place by November 1, 2008.
The FTC regulations require that the program must:
1. Identify relevant red flags and incorporate them into the program
2. Identify ways to detect red flags
3. Include appropriate responses to red flags
4. Address new and changing risks through periodic program updates
5. Include a process for administration and oversight of the program
Program Details
Relevant Red Flags
Red flags are warning signs or activities that alert a creditor to potential identity theft. The
guidelines published by the FTC include 26 examples of red flags which fall into the five
categories below:
• Alerts, notifications, or other warnings received from consumer reporting agencies or
service providers
• Presentation of suspicious documents
• Presentation of suspicious personal identifying information
• Unusual use of, or other suspicious activity related to, a covered account
• Notice from customers, victims of identity theft, or law enforcement authorities
After reviewing the FTC guidelines and examples, the Finance & Information Technology
Department determined that the following red flags are applicable to utility accounts. These red
flags, and the appropriate responses, are the focus of this program.
1. Suspicious Documents and Activities
a. Documents provided for identification appear to have been altered or forged.
b. The photograph on the identification is not consistent with the physical
appearance of the customer.
c. Other information on the identification is not consistent with information provided
by the customer.
d. The customer does not provide required identification documents when
attempting to establish a utility account or make a payment.
e. A customer refuses to provide proof of identity when discussing an established
utility account.
f. A person other than the account holder or co-applicant requests information or
asks to make changes to an established utility account.
g. An employee requests access to the billing system or information about a utility
account, and the request is inconsistent with the employee's role in the City.
2. A customer notifies the Finance & Information Technology Department of any of the
following activities:
a. Utility statements are not being received several months in a row.
b. Unauthorized changes to a utility account.
c. Unauthorized charges on a utility account.
d. Fraudulent activity on the customer's bank account or credit card that is used to
pay utility charges.
3. The Finance & IT Department is notified by a customer, a victim of identity theft, or a
member of law enforcement that a utilities account has been opened for a person
engaged in identity theft.
Detecting and Responding to Red Flags
Red flags will be detected as utility billing employees interact with customers. An employee will
be alerted to these red flags during the following processes:
1. Establishing a new utility account: When establishing a new account, a customer
is asked to provide a name, social security number and service address. The
utility billing employee may be presented with information that appears
inconsistent.
Response: Do not establish the utility account until the customer's identity has been
confirmed.
2. Reviewing customer identification in order to process a payment or enroll the
customer in the automatic-clearing house (ACH) program: The utility billing
employee may be presented with documents that appear altered or inconsistent
with the information provided by the customer.
Response: Do not accept payment until the customer's identity has been confirmed.
3. Answering customer inquiries on the phone, via email, and at the counter.
Someone other than the account holder may ask for information about a utility
account (including utility web accounts) or may ask to make changes to the
information on an account. A customer may also refuse to verify their identity
when asking about an account.
Response: Inform the customer that only the account holder may receive information
about the utility account. Do not make changes to or provide any information about the
account, with one exception: if the service on the account has been interrupted for non-
payment, the utility billing employee may provide the payment amount needed for
reconnection of service.
4. Processing requests from City of San Luis Obispo employees: Employees may
submit requests for information from the billing system that is inconsistent with
the role that they play at the City.
Response: All requests for direct access to the billing system are approved by the
Revenue Supervisor, so the Information Technology Department should reject requests
that have not received appropriate approval. All other requests for information from the
billing system should be reviewed to ensure that they do not violate any part of the
policy. Requests that are inconsistent with the policy will be denied.
5. Receiving notification that there is unauthorized activity associated with a utility
account: Customers may call to alert the City about fraudulent activity related to
their utility account and/or the bank account or credit card used to make
payments on the account.
Response: Verify the customer's identity, and notify the Revenue Supervisor
immediately. Take the appropriate actions to correct the errors on the account, which
may include:
a. Issuing a service order to connect or disconnect services
b. Assisting the customer with deactivation of their payment method (ACH and
Online BillPay)
c. Updating personal information on the utility account
d. Updating the mailing address on the utility account
e. Updating account notes to document the fraudulent activity
f. Notifying and working with law enforcement officials
6. Receiving notification that a utilities account has been established for a person
engaged in identity theft.
Response: These issues should be escalated to the Revenue Supervisor immediately.
The claim will be investigated, and appropriate action will be taken to resolve the issue
as quickly as possible.
Additional procedures that help to protect against identity theft include:
1. Utility billing system access is based on the role of the user. Only certain job classifications
have access to the entire system.
2. Customers may access limited information about their utility account online. In order to
access information online, customers must enroll using their utility account number and service
address, and they must create a unique user identification and password.
3. The Finance & IT Department will investigate ways to reduce the number of paper receipts
generated during credit card payment processing.
4. The Finance & IT Department will ensure that service providers that receive and process
utility billing information have programs in place to detect and prevent identity theft.
Administration and Oversight of the Program
Finance & IT Department staff are required to prepare an annual report which addresses the
effectiveness of the program, documents significant incidents involving identity theft and related
responses, provides updates related to external service providers, and includes
recommendations for material changes to the program.
The program will be reviewed at least annually and updated as needed based on the following
events:
1. Experience with identity theft
2. Changes to the types of accounts and/or programs offered
3. Implementation of new systems and/or new vendor contracts
Specific roles are as follows:
The Revenue Supervisor will submit an annual report to the Finance and Information
Technology Director and the City Administrative Officer. The Revenue Supervisor will also
oversee the daily activities related to identity theft detection and prevention, and ensure that all
members of the Finance Division staff are trained to detect and respond to red flags.
The Finance and Information Technology Director will provide ongoing oversight to ensure that
the program is effective.
The City Administrative Officer will review the annual report and approve recommended
changes to the program, both annually and on an as-needed basis.
The Council must approve the initial program.