Loading...
HomeMy WebLinkAboutCC RES 09-58RESOLUTION NO. 09-58 RESOLUTION OF THE CITY COUNCIL OF THE CITY OF PALM DESERT, CALIFORNIA, ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM WHEREAS, the City of Palm Desert is a municipal corporation organized and existing pursuant to the California Constitution; and WHEREAS, the Fair and Accurate Credit Transaction Act of 2003 ("FACTA") Section 114, as implemented by the Red Flag Rules, 16 C.F.R. § 681.2, issued by the Federal Trade Commission along with other federal agencies, requires creditors of customer accounts to implement an Identity Theft Prevention Program; and WHEREAS, the City of Palm Desert is a creditor because it provides services to customers prior to receipt of payment through customer accounts, including utility service accounts, which are maintained primarily for personal, family or household purposes and involve multiple payments or transactions, and for which there is a reasonably foreseeable risk of identity theft; and WHEREAS, the City of Palm Desert is therefore required to implement an Identity Theft Prevention Program; and WHEREAS, the purpose of the Identity Theft Prevention Program is to detect, prevent and mitigate identity theft in connection with all customer accounts, taking into consideration the level of risk for identity theft given the City of Palm Desert's scope of services provided and the types of accounts; and WHEREAS, the Identity Theft Prevention Program is created to identify patterns, practices and specific activities that indicate the possible existence of identity theft, referred to as "Red Flags," and sets forth the procedures for detecting Red Flags and responding to Red Flags when discovered; and WHEREAS, the City Council of the City of Palm Desert desires to adopt and implement an Identity Theft Prevention Program as required under the Federal Law; NOW, THEREFORE, BE IT RESOLVED by the City Council of the City of Palm Desert as follows: Section 1. Adoption of Identity Theft Prevention Program. The City of Palm Desert hereby adopts the "Identity Theft Prevention Program" attached hereto as Exhibit "A". Section 2. Designation of Authority. The City Council of the City of Palm Desert authorizes the Audit, Investment & Finance Committee to act on the City Council's behalf to oversee the implementation and administration of the Identity Theft Prevention Program in accordance with Federal Law. Section 3. Amending the Identity Theft Prevention Program. The Identity Theft Prevention Program may be amended from time to time by resolution of the City Council. G:IFinanceWiamh OrtegalIDENTITY THEFT PREVENTION PROGRAM.Docx Resolution No. 09-58 2008. Section 4. Effective Date. This Resolution shall be effective as of November 1, ADOPTED this 9th day of July , 2009, by the following vote to wit: AYES: BENSON, FERGUSON, KELLY, and FINERTY NOES: NONE ABSENT: SPIEGEL ABSTAIN: NONE ATTEST: RAGHELLE D. KLASSEN,'City Clerk City of Palm Desert, California CINDY FINE1'Y, 'MAYOR PRO ORE Resolution No. 09-58 EXHIBIT A IDENTITY THEFT PREVENTION PROGRAM I. PURPOSE The Fair and Accurate Credit Transaction Act of 2003 ("FACTA"), section 114, as implemented by the Red Flag Rules, 16 C.F.R. § 681.2, issued by the Federal Trade Commission along with other federal agencies requires creditors of customer accounts to implement an Identity Theft Prevention Program. Pursuant to the regulations, the City of Palm Desert ("City") is a creditor because it provides services to customers prior to receipt of payment through customer accounts, including utility service accounts, which are maintained primarily for personal, family or household purposes and involve multiple payments or transactions, and for which there is a reasonably foreseeable risk of identity theft. Therefore, the City is required to implement an Identity Theft Prevention Program. The purpose of this Identity Theft Prevention Program ("Program") is to detect, prevent and mitigate identity theft in connection with all customer accounts, taking into consideration the level of risk for identity theft given the City's scope of services provided and the types of accounts. This Program is created to identify patterns, practices and specific activities that indicate the possible existence of identity theft, hereinafter referred to as "Red Flags". The Program sets forth the procedures for detecting Red Flags and responding to Red Flags when discovered. II. DEFINITIONS "Red Flag" shall mean a pattern, practice or specific activity that indicates the possible existence of identity theft as defined in the Red Flag Rules, and as specifically enumerated in Section V. 16 C.F.R. § 681.2. "Identity theft" shall mean a fraud committed or attempted using the personal identifying information of another person without his/her authority. 16 C.F.R. § 603.2 (a). "Customer account" shall mean a utility service account or other account provided by the City that constitutes a "covered account" under the Red Flag Rules. "Personal identifying information" shall mean information that may be used to identify a specific person, including, but not limited to, a social security number, date of birth, government issued driver's license or identification number, government passport number, unique biometric data such as fingerprints or physical appearance, any unique electronic identification number, telephone number or address. "City" shall include all entities operating under the umbrella of the City of Palm Desert including the Palm Desert Redevelopment Agency, Palm Desert Housing Authority, Palm Desert Financing Authority, and Palm Desert Recreational Facilities Corporation. III. DESIGNATION OF AUTHORITY The Palm Desert City Council ("Council") designates the authority to develop, oversee, implement and administer the Program to the Audit, Investment and Finance Committee. G: IFinanceWiamh Ortega\IDENTITY THEFT PREVENTION PROGRAM. Docx IDENTITY THEFT PREVENTION PROGRAM Page 2 of 9 EXHIBIT A Resolution No. 09-58 As part of the Audit, Investment and Finance Committee's oversight responsibilities for the Program, the Audit, Investment and Finance Committee is required to review and approve all material changes to the Program as necessary to address changing identity theft risks. the Audit, Investment and Finance Committee is also responsible for reviewing reports prepared by City staff regarding the City's compliance with FACTA and the Red Flag Rules requiring the implementation of an Identity Theft Prevention Program. IV. COMPLIANCE REPORTS TO BE PREPARED BY CITY STAFF The Audit, Investment and Finance Committee will designate City staff involved with the implementation of the Program to prepare reports regarding the City's compliance with FACTA and the Red Flag Rules requiring the implementation of an Identity Theft Prevention Program. The reports should address material matters related to the Program, such as the following: (a) The effectiveness of the City's policies and procedures to address the risk of identity theft in connection with opening customer accounts, as well as with existing accounts. This includes identifying any issues related to identifying, detecting and responding to Red Flags; (b) Third -party service provider arrangements; (c) Significant incidents of identity theft or Red Flag detection, and the City's responses to those incidents; (d) Recommendations for material changes to the program to ensure that customer accounts are adequately protected from the risk of identity theft. The reports should be prepared at least annually for review by the Audit, Investment and Finance Committee and/or the Council. V. RED FLAGS IDENTIFIED BY THE CITY In identifying the Red Flags applicable to the City's customer accounts, the City considered the following risk factors: (a) The types of accounts the City maintains; (b) The methods the City provides to open customer accounts; (c) The methods the City provides to access customers' accounts; (d) The City's previous experiences with identity theft in connection with the customer accounts. IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A Resolution No. 09-58 Page 3 of 9 The Red Flags identified in this Program have been incorporated from sources which include supervisory guidance, past incidents of identity theft, and changes in methods of identity theft risk. The City's Identified Red Flags are as follows: Alerts, notifications or other warnings received from consumer reporting agencies or service providers providing fraud protection services: • Fraud or active duty alerts from consumer reports. • Notice of a credit freeze from a consumer reporting agency in response to request for a consumer report. • Notice of address discrepancy provided by a consumer reporting agency. • A consumer report indicates a pattern of activity that is inconsistent with the history or usual pattern of activity of a customer or applicant. • Recent significant increase in the volume of inquiries of the customer's credit. • Unusual number of recently established credit relationships. • A material change in the use of credit, especially in regards to credit relationships recently established. • A customer had an account with the City or any other creditor that was closed for cause or identified for abuse of account privileges. Suspicious Documents: • Documents used for identification purposes appear to have been altered or forged. • The photograph or physical description on the identification documents does not match the appearance of the person presenting the identification. • Other information in identification documents does not match the information provided by the individual presenting the identification documents. • Other information in the identification documents does not match the information on file with the City. • The application to open the account appears to have been forged, altered, or gives the appearance of having been destroyed and reassembled. IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A Resolution No. U9-58 Page 4 of 9 Suspicious Personal Identifying Information: • Personal information provided is inconsistent with information provided by an external source, for example where the address provided does not match the address contained in a consumer report. • Personal identifying information is inconsistent with other personal identifying information provided by the customer such as a date of birth and the social security number range that do not correlate. • Personal identifying information provided is associated with known fraudulent activity, as indicated by internal or third -party sources, such as the address or phone number on an application was previously provided on another fraudulent application. • Personal identifying information is of a type commonly associated with fraudulent activity, as indicated by internal or third -party sources, such as a fictitious address, or an invalid phone number. • The social security number provided is the same as the social security number of another applicant attempting to open an account or an existing customer. • The address or telephone number provided is the same as other individuals attempting to open an account or existing customers. • The individual opening the account cannot provide all of the required personal identifying information for an application. • Personal identifying information is inconsistent with the information provided by the customer on file with the City. • Where challenge questions are used by the City to verify the identity of an individual, the individual claiming to be the customer cannot answer challenge questions correctly. Unusual Use of or Other Suspicious Activity Related to a Customer Account: • Shortly after receiving a notice of change of address for the account, the City receives a request to add another name to the account. • A new account is used in a manner commonly associated with known patterns of fraud, such as a first payment is made, and then no subsequent payments are made. • An account is used in a manner inconsistent with the established pattern of activity for the account, such as a nonpayment where there has never been a late or missed payment. IDENTITY THEFT PREVENTION PROGRAM Page 5 of 9 EXHIBIT A Resolution No. 09-58 • An inactive account becomes active. • Mail sent to the customer is returned repeatedly. • The City is notified that a customer is not receiving his/her paper account statements. • The City is notified of unauthorized transactions on a customer's account. Notice of Possible Identity Theft: • The City is notified by a customer of possible identity theft in connection with his/her account. • The City is notified by a victim of identity theft of possible identity theft in connection with a customer account. • The City is notified by law enforcement of possible identity theft in connection with a customer account. • The City is notified by others of possible identity theft in connection with a customer account. VI. PROCEDURES FOR DETECTING RED FLAGS The following procedures are being implemented by the City to detect the Red Flags identified with opening of accounts and existing accounts identified above: (a) Obtain personal identifying information of an individual to verify his/her identity prior to opening an account. (b) Authenticate the identity of customers when they are requesting information about their accounts. (c) Authenticate the identity of customers when they are requesting to make any changes to their accounts. (d) Verify the validity of all billing address change requests. (e) Conduct a credit check when opening a new account. (f) Monitor transactions. (g) Verify all requests to change banking information used for payment purposes. Members of the City's staff will be assigned and trained to detect Red Flags. In addition, the City may employ the services of a third party services provider and/or utilize computer software programs to assist in detecting Red Flags. IDENTITY THEFT PREVENTION PROGRAM Page 6 of 9 EXHIBIT A Resolution No. 09-58 [THIS SECTION VII. ONLY APPLIES TO ENTITIES THAT USE AND/OR REQUEST CONSUMER REPORTS] VII. ADDRESS DISCREPANCIES IN CONSUMER REPORTS Title 15 of the Code of Federal Regulations, section 1681 c, requires consumer reporting agencies to notify a requestor in writing, such as the City, where the address provided by the City for a consumer substantially differs from the address the consumer reporting agency has on file for that consumer. Upon receipt of a notice of an address discrepancy for a consumer, the Red Flag Rules, 16 C.F.R. § 681.1, require the City to verify the identity of the consumer for whom the consumer report was obtained in order to form a reasonable belief that the City knows the identity of the consumer through one or more of the following methods: (a) Verify the information in the consumer report with the consumer. (b) Verify the consumer's address through the records of applications, address change notifications, and other account records for the consumer maintained by the City, or retained CIP documentation. (c) Verify the consumer's address through information from third parties. (d) Use any other reasonable means. Newly Established Accounts For newly established accounts for which a notice of address discrepancy was received, the City must provide to the consumer reporting agency that furnished the notice of address discrepancy the address that the City has reasonably confirmed to be accurate under the following circumstances: (a) The City can form a reasonable belief that the consumer report relates to the consumer for whom the report was requested; (b) The City establishes a continuing relationship with the consumer; and (c) The City regularly in the ordinary course of business provides information to the consumer reporting agency from which the notice of address discrepancy was obtained. The consumer's address can be confirmed through the following methods: (a) Verify the information in the consumer report with the consumer. (b) Verify the consumer's address through the records of applications, address change notifications, and other account records for the consumer maintained by the City. (c) Verify the consumer's address through information from third parties. (d) Use any other reasonable means. IDENTITY THEFT PREVENTION PROGRAM Page 7 of 9 EXHIBIT A Resolution No. 09-58 The City must provide the consumer reporting agency the address that the City has reasonable confirmed to be accurate as part of the information the City regularly furnishes for the reporting period in which the City establishes a relationship with the consumer. Red Flags A notice of address discrepancy constitutes a Red Flag, and the City will take the necessary action to respond appropriately. VIII. PROCEDURES FOR RESPONDING TO RED FLAGS In order to prevent and mitigate identity theft, and after taking into consideration the risks of identity theft applicable to the customer accounts, the City implements the following procedures to respond to all Red Flags that are discovered. One or more of these procedures will be used each time a Red Flag is detected: (a) Monitor accounts for evidence of identity theft. (b) Contact the Customer. (c) Change or add a password, security code or other device that provides access to the account. (d) Reopen an account with a new account number. (e) Close an existing account. (f) Not open a new account. (g) Not selling an account to a debt collector. (h) Not attempting to collect on an account. (I) Notify law enforcement. (j) Determine that no response is warranted given the particular circumstances. (k) Ask the customer to appear in person with government issued identification. (I) Require a deposit to be paid before providing service. (m) Do not provide account information to anyone other than the account holder, or other individual authorized by the account holder. (n) Update all account information. (o) Deactivate payment method, such as a credit card registered for online payment. (p) Connect or disconnect service. IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A Page 8 of 9 (q) Initiate an investigation. Resolution No. 09-58 In addition to any of the actions above, the Finance Director will be notified of any Red Flags discovered. IX. TRAINING OF STAFF City staff that will be directly involved with opening customers' accounts or servicing customer accounts in a manner that would place them in a position to detect Red Flags, or allow them access to customers' private information shall be trained to detect Red Flags and appropriately respond when Red Flags are discovered. The City's staff participation is crucial to the effective implementation of this Program. The Finance Director will oversee all staff training to ensure that training is adequate to ensure effective implementation of the Program. X. OVERSIGHT OF THIRD -PARTY SERVICE PROVIDER INVOLVED WITH CUSTOMER ACCOUNTS If the City employs a third -party service provider to perform any activity in connection with a customer account, the Finance Director is responsible for ensuring that the activity is conducted in compliance with reasonable policies and procedures to detect, prevent and mitigate the risk of identity theft. This may be achieved by requiring that a third -party service provider has policies and procedures to detect the Red Flags identified by the City, and also requiring the third -party service provider to review the City's Program and agree to report any Red Flags to the Finance Director. XI. USE OF A THIRD -PARTY SERVICE PROVIDER TO ASSIST IN THE IMPLEMENTATION OF THE PROGRAM The City may hire a third -party service provider in order to implement this Program. The third -party service provider may provide services such as the implementation and administration of computer software programs that detect Red Flags. If a third -party service provider is used to assist in the detection of Red Flags, the third -party service provider is required to immediately notify the Finance Director if any Red Flags are discovered. The Finance Director is responsible for overseeing any third -party service provider in an appropriate and effective manner. The Finance Director's oversight shall include periodic meetings and/or receipt and review of periodic reports from the third -party service provider regarding what services are being provided, any Red Flags that have been detected, and any possible modifications to the services provided to increase the effectiveness. XII. PERIODIC IDENTIFICATION OF CUSTOMER ACCOUNTS The Finance Director will periodically review the types of accounts it maintains for customers to determine which are "covered accounts" under the Red Flag Rules, and therefore are subject to this Program. IDENTITY THEFT PREVENTION PROGRAM Page 9of9 XIII. PERIODIC UPDATE OF THE PROGRAM EXHIBIT A Resolution No. 09-58 This Program shall be updated periodically to ensure that the identified Red Flags, the procedures to detect Red Flags, and the responses to the Red Flags when discovered adequately protect customers from identity theft. The updating of the Program should take into consideration any changes in the customers' level of risk of identity theft by looking at the following factors: (a) The City's recent experiences with identity theft in connection with the customer accounts. (b) Changes in methods of identity theft. (c) Changes in methods of detecting, preventing and mitigating identity theft. (d) Changes in the types of customer accounts offered. (e) Changes in arrangements with any third -party service providers involved in the implementation of the Program. City staff may recommend modifications to the Program. However, any modification to the Program may not be implemented unless first approved by the Council.