HomeMy WebLinkAbout05 ADOPT IDENTITY THEFT PGM 04-21-09-~ •
- - AGENDA REPORT Ree ewed. m ~-
{
City Manager
Finance Director N/A
MEETING DATE: APRIL 21, 2009
TO: WILLIAM A. HUSTON, CITY MANAGER
FROM: PAMELA ARENDS-KING, FINANCE DIRECTOR
SUBJECT: ADOPTION OF IDENTITY THEFT PREVENTION PROGRAM
SUMMARY:
The Federal Trade commission requires the adoption of an identity theft prevention
program as part of the Fair and Accurate Credit Transactions Act (FACT) of 2003 before
May 1, 2009.
RECOMMENDATION:
It is recommended that the City Council approve resolution 09-22 that adopts the City's
Identity Theft Prevention Program.
FISCAL IMPACT:
There are no known relevant costs associated with this program.
BACKGROUND:
The Federal Trade Commission (FTC) established the "Red Flag Rules", that are federal
regulations enacted as part of the Fair and Accurate Credit Transactions Act of 2003.
The FACT Act requires that financial institutions and creditors implement written programs to
detect, prevent, and mitigate identity theft through identification of and response to "red flags".
A red flag is "a pattern, practice, or specific activity that indicates the possible existence of
identity theft". The City is required to implement a written identity theft prevention program
under the FTC regulations because it provides water services to its customers prior to
receiving payment.
The City's Finance Department reviewed the FTC guidelines and examples and identified the
red flags that were applicable to utility accounts. The red flags and the appropriate
responses if staff detects a red flag are outlined in the Identity Theft Prevention Program to
be adopted.
Respectfully submitted,
~G~~Gw
Pamela Arends-King
Finance Director
Attachments
Attachment A
CITY OF TUSTIN
IDENTITY THEFT PREVENTION PROGRAM
Purpose
This program was created in order to comply with regulations issued by the Federal
Trade Commission (FTC) as part of the implementation of the Fair and Accurate Credit
Transaction (FACT) Act of 2003. The FACT Act requires that financial institutions and
creditors implement written programs which provide for detection of and response to
specific activities ("red flags") that could be related to identity theft.
The FTC regulations require that the program:
1. Identify relevant red flags and incorporate them into the program
2. Identify ways to detect red flags
3. Include appropriate responses to red flags
4. Address new and changing risks through periodic program updates
5. Include a process for administration and oversight of the program
605744.1
Program Details
Relevant Red Flags
Red flags are warning signs or activities that alert a creditor to potential identity theft.
The guidelines published by the FTC include 26 examples of red flags which fall into the
following five categories:
1. Alerts, notifications, or other warnings received from consumer reporting
agencies or service providers
2. Presentation of suspicious documents
3. Presentation of suspicious personal identifying information
4. Unusual use of, or other suspicious activity related to, a covered account
5. Notice from customers, victims of identity theft, or law enforcement authorities
After reviewing the FTC guidelines and examples, the City's Finance Department
determined that the following red flags are applicable to utility accounts. These red
flags, and the appropriate responses, are the focus of this program.
• Suspicious Documents and Activities
o Documents provided for identification appear to have been altered or
forged.
o The photograph or physical description on the identification is not
consistent with the appearance of the applicant or customer presenting
the identification.
o Other information on the identification is not consistent with information
provided by the customer.
o A customer refuses to provide proof of identity when discussing an
established utility account.
o A person other than the account holder or co-applicant requests
information or asks to make changes to an established utility account.
605744.1
• A customer notifies the City of any of the following activities:
o Account statements are not being received
o Unauthorized changes have been made to an account
o Unauthorized charges on an account
o Fraudulent activity on the customer's bank account or credit card that is
used to pay account charges
• The City is notified by a customer, a victim of identity theft, or a member of law
enforcement that an account has been opened for a person engaged in identity
theft.
Detecting and Responding to Red Flags
Red flags will be detected as City employees interact with customers. An employee will
be alerted to these red flags during the following processes:
• Reviewing customer identification in order to establish an account or process a
payment: Documents are presented that appear altered or inconsistent with the
information provided by the customer.
Response: Do not establish the account or accept payment until the customer's
identity has been confirmed.
• Answering customer inquiries on the phone via email and at the counter:
Someone other than the account holder or co-applicant may ask for information
about an account or may ask to make changes to the information on an account.
A customer may also refuse to verify their identity when asking about an account.
Response: Inform the customer that the account holder or the co-applicant must
give permission for them to receive information about the account. Do not make
changes to or provide any information about the account, with one exception: if
the service on the account has been interrupted for non-payment, payment may
be accepted in the amount needed for connection of service.
Receiving notification that there is unauthorized activity associated with an
account: Customers may call to alert the City about fraudulent activity related to
their account and/or the bank account or credit card used to make payments on
the account.
605744.]
Response: Verify the customer's identity and notify the Finance Director or his
or her designee immediately. Take appropriate actions to correct the errors on
the account, which may include:
o Issuing a service order to connect or disconnect services
o Updating personal information on the account
o Updating the mailing address on the account
o Updating account notes to document the fraudulent activity
o Adding a password to the account
o Notifying and working with law enforcement officials
• Receiving notification that an account has been established fora person
engaged in identity theft.
Response: Notify the Finance Director or his or her designee immediately. The
claim will be investigated, and appropriate action will be taken to resolve the
issue as quickly as possible.
605744.1
Administration and Oversight of the Program
The Finance Director or his or her designee shall review this program at least annually
and provide recommendations to the City Manager to update the program as needed
based on the following events:
• Experience with identity theft
• Changes to the types of accounts and/or programs offered
• Implementation of new systems and/or vendor contracts
Specific roles are as follows:
The Finance Director will oversee the daily activities related to identity theft detection
and prevention, and ensure that all members of the utility billing staff are trained to
detect and respond to red flags.
The Finance Director will provide ongoing oversight to ensure that the program is
effective.
The City Manager will review and approve recommended changes to the program, both
annually and on an as-needed basis.
The City Council must approve the initial program.
65744.1
RESOLUTION NO. 09-22
A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF TUSTIN
ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM
WHEREAS, pursuant to federal law the Federal Trade Commission adopted Identity
Theft Rules requiring the creation of certain policies relating to the detection, prevention and
mitigation of identity theft; and
WHEREAS, the Federal Trade Commission regulations, adopted as 16 C.F.R. §681.2,
require creditors, as defined by 15 U.S.C. § 1681 a(r)(5), to adopt red flag policies to prevent and
mitigate identity theft with respect to covered accounts; and
WHEREAS, 15 U.S.C. §1681a(r)(5) cites 15 U.S.C. §1691a, which defines a creditor as
a person that extends, renews or continues credit, and defines "credit" in part as the right to
purchase property or services and defer payment thereof; and
WHEREAS, the City of Tustin is a creditor with respect to 16 C.F.R. §681.2 by virtue of
providing retail water service to its customers; and
WHEREAS, the Federal Trade Commission regulations define "covered account" in part
as an account that a creditor provides for personal, family or household purposes that is designed
to allow multiple payments or transactions and specifies that a utility account is a covered
account; and
WHEREAS, the Federal Trade Commission regulations require each creditor to adopt an
Identity Theft Prevention Program which will use red flags to detect, prevent and mitigate
identity theft related to information used in covered accounts; and
WHEREAS, the City provides retail water services for which payment is made after the
product is consumed; and
WHEREAS, the City Council desires to take action to comply with the applicable FTC
regulations by adopting an Identity Theft Prevention Program;
NOW, THEREFORE, IT IS RESOLVED, that the City Council of the City of Tustin
hereby adopts, and directs staff to implement, the Identity Theft Prevention Program attached
hereto as Exhibit "A".
BE IT FURTHER RESOLVED, that the City Finance Director, or his or her designee,
shall implement and administer the Identity Theft Prevention Program.
BE IT FURTHER RESOLVED, that the City Finance Director shall annually review
the Identity Theft Prevention Program to determine if any revisions are needed, and is hereby
authorized and directed to make any changes in the Identity Theft Prevention Program that are
found to be necessary.
606472.1
PASSED AND ADOPTED at a regular meeting of the City Council of the City of Tustin
on this day of , 2009.
Doug Davert, Mayor
ATTEST:
Pamela Stoker, City Clerk
606472.1