HomeMy WebLinkAboutCC RES 09-58RESOLUTION NO. 09-58
RESOLUTION OF THE CITY COUNCIL OF THE CITY OF PALM DESERT,
CALIFORNIA, ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM
WHEREAS, the City of Palm Desert is a municipal corporation organized and existing
pursuant to the California Constitution; and
WHEREAS, the Fair and Accurate Credit Transaction Act of 2003 ("FACTA") Section
114, as implemented by the Red Flag Rules, 16 C.F.R. § 681.2, issued by the Federal Trade
Commission along with other federal agencies, requires creditors of customer accounts to
implement an Identity Theft Prevention Program; and
WHEREAS, the City of Palm Desert is a creditor because it provides services to
customers prior to receipt of payment through customer accounts, including utility service
accounts, which are maintained primarily for personal, family or household purposes and
involve multiple payments or transactions, and for which there is a reasonably foreseeable risk
of identity theft; and
WHEREAS, the City of Palm Desert is therefore required to implement an Identity Theft
Prevention Program; and
WHEREAS, the purpose of the Identity Theft Prevention Program is to detect, prevent
and mitigate identity theft in connection with all customer accounts, taking into consideration
the level of risk for identity theft given the City of Palm Desert's scope of services provided and
the types of accounts; and
WHEREAS, the Identity Theft Prevention Program is created to identify patterns,
practices and specific activities that indicate the possible existence of identity theft, referred to
as "Red Flags," and sets forth the procedures for detecting Red Flags and responding to Red
Flags when discovered; and
WHEREAS, the City Council of the City of Palm Desert desires to adopt and implement
an Identity Theft Prevention Program as required under the Federal Law;
NOW, THEREFORE, BE IT RESOLVED by the City Council of the City of Palm Desert
as follows:
Section 1. Adoption of Identity Theft Prevention Program. The City of Palm Desert
hereby adopts the "Identity Theft Prevention Program" attached hereto as Exhibit "A".
Section 2. Designation of Authority. The City Council of the City of Palm Desert
authorizes the Audit, Investment & Finance Committee to act on the City Council's behalf to
oversee the implementation and administration of the Identity Theft Prevention Program in
accordance with Federal Law.
Section 3. Amending the Identity Theft Prevention Program. The Identity Theft
Prevention Program may be amended from time to time by resolution of the City Council.
G:IFinanceWiamh OrtegalIDENTITY THEFT PREVENTION PROGRAM.Docx
Resolution No. 09-58
2008.
Section 4. Effective Date. This Resolution shall be effective as of November 1,
ADOPTED this 9th day of
July
, 2009, by the following vote to wit:
AYES: BENSON, FERGUSON, KELLY, and FINERTY
NOES: NONE
ABSENT: SPIEGEL
ABSTAIN: NONE
ATTEST:
RAGHELLE D. KLASSEN,'City Clerk
City of Palm Desert, California
CINDY FINE1'Y, 'MAYOR PRO ORE
Resolution No. 09-58
EXHIBIT A
IDENTITY THEFT PREVENTION PROGRAM
I. PURPOSE
The Fair and Accurate Credit Transaction Act of 2003 ("FACTA"), section 114, as
implemented by the Red Flag Rules, 16 C.F.R. § 681.2, issued by the Federal Trade
Commission along with other federal agencies requires creditors of customer accounts to
implement an Identity Theft Prevention Program. Pursuant to the regulations, the City of Palm
Desert ("City") is a creditor because it provides services to customers prior to receipt of
payment through customer accounts, including utility service accounts, which are maintained
primarily for personal, family or household purposes and involve multiple payments or
transactions, and for which there is a reasonably foreseeable risk of identity theft. Therefore,
the City is required to implement an Identity Theft Prevention Program.
The purpose of this Identity Theft Prevention Program ("Program") is to detect, prevent
and mitigate identity theft in connection with all customer accounts, taking into consideration
the level of risk for identity theft given the City's scope of services provided and the types of
accounts. This Program is created to identify patterns, practices and specific activities that
indicate the possible existence of identity theft, hereinafter referred to as "Red Flags". The
Program sets forth the procedures for detecting Red Flags and responding to Red Flags when
discovered.
II. DEFINITIONS
"Red Flag" shall mean a pattern, practice or specific activity that indicates the possible
existence of identity theft as defined in the Red Flag Rules, and as specifically enumerated in
Section V. 16 C.F.R. § 681.2.
"Identity theft" shall mean a fraud committed or attempted using the personal identifying
information of another person without his/her authority. 16 C.F.R. § 603.2 (a).
"Customer account" shall mean a utility service account or other account provided by
the City that constitutes a "covered account" under the Red Flag Rules.
"Personal identifying information" shall mean information that may be used to identify a
specific person, including, but not limited to, a social security number, date of birth, government
issued driver's license or identification number, government passport number, unique biometric
data such as fingerprints or physical appearance, any unique electronic identification number,
telephone number or address.
"City" shall include all entities operating under the umbrella of the City of Palm Desert
including the Palm Desert Redevelopment Agency, Palm Desert Housing Authority, Palm
Desert Financing Authority, and Palm Desert Recreational Facilities Corporation.
III. DESIGNATION OF AUTHORITY
The Palm Desert City Council ("Council") designates the authority to develop, oversee,
implement and administer the Program to the Audit, Investment and Finance Committee.
G: IFinanceWiamh Ortega\IDENTITY THEFT PREVENTION PROGRAM. Docx
IDENTITY THEFT PREVENTION PROGRAM
Page 2 of 9
EXHIBIT A
Resolution No. 09-58
As part of the Audit, Investment and Finance Committee's oversight responsibilities for
the Program, the Audit, Investment and Finance Committee is required to review and approve
all material changes to the Program as necessary to address changing identity theft risks. the
Audit, Investment and Finance Committee is also responsible for reviewing reports prepared by
City staff regarding the City's compliance with FACTA and the Red Flag Rules requiring the
implementation of an Identity Theft Prevention Program.
IV. COMPLIANCE REPORTS TO BE PREPARED BY CITY STAFF
The Audit, Investment and Finance Committee will designate City staff involved with the
implementation of the Program to prepare reports regarding the City's compliance with FACTA
and the Red Flag Rules requiring the implementation of an Identity Theft Prevention Program.
The reports should address material matters related to the Program, such as the following:
(a) The effectiveness of the City's policies and procedures to address the risk of
identity theft in connection with opening customer accounts, as well as with
existing accounts. This includes identifying any issues related to identifying,
detecting and responding to Red Flags;
(b) Third -party service provider arrangements;
(c) Significant incidents of identity theft or Red Flag detection, and the City's
responses to those incidents;
(d) Recommendations for material changes to the program to ensure that customer
accounts are adequately protected from the risk of identity theft.
The reports should be prepared at least annually for review by the Audit, Investment
and Finance Committee and/or the Council.
V. RED FLAGS IDENTIFIED BY THE CITY
In identifying the Red Flags applicable to the City's customer accounts, the City
considered the following risk factors:
(a) The types of accounts the City maintains;
(b) The methods the City provides to open customer accounts;
(c) The methods the City provides to access customers' accounts;
(d) The City's previous experiences with identity theft in connection with the
customer accounts.
IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A Resolution No. 09-58
Page 3 of 9
The Red Flags identified in this Program have been incorporated from sources which
include supervisory guidance, past incidents of identity theft, and changes in methods of
identity theft risk.
The City's Identified Red Flags are as follows:
Alerts, notifications or other warnings received from consumer reporting
agencies or service providers providing fraud protection services:
• Fraud or active duty alerts from consumer reports.
• Notice of a credit freeze from a consumer reporting agency in response
to request for a consumer report.
• Notice of address discrepancy provided by a consumer reporting
agency.
• A consumer report indicates a pattern of activity that is inconsistent with
the history or usual pattern of activity of a customer or applicant.
• Recent significant increase in the volume of inquiries of the customer's
credit.
• Unusual number of recently established credit relationships.
• A material change in the use of credit, especially in regards to credit
relationships recently established.
• A customer had an account with the City or any other creditor that was
closed for cause or identified for abuse of account privileges.
Suspicious Documents:
• Documents used for identification purposes appear to have been altered
or forged.
• The photograph or physical description on the identification documents
does not match the appearance of the person presenting the
identification.
• Other information in identification documents does not match the
information provided by the individual presenting the identification
documents.
• Other information in the identification documents does not match the
information on file with the City.
• The application to open the account appears to have been forged,
altered, or gives the appearance of having been destroyed and
reassembled.
IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A Resolution No. U9-58
Page 4 of 9
Suspicious Personal Identifying Information:
• Personal information provided is inconsistent with information provided
by an external source, for example where the address provided does not
match the address contained in a consumer report.
• Personal identifying information is inconsistent with other personal
identifying information provided by the customer such as a date of birth
and the social security number range that do not correlate.
• Personal identifying information provided is associated with known
fraudulent activity, as indicated by internal or third -party sources, such as
the address or phone number on an application was previously provided
on another fraudulent application.
• Personal identifying information is of a type commonly associated with
fraudulent activity, as indicated by internal or third -party sources, such as
a fictitious address, or an invalid phone number.
• The social security number provided is the same as the social security
number of another applicant attempting to open an account or an
existing customer.
• The address or telephone number provided is the same as other
individuals attempting to open an account or existing customers.
• The individual opening the account cannot provide all of the required
personal identifying information for an application.
• Personal identifying information is inconsistent with the information
provided by the customer on file with the City.
• Where challenge questions are used by the City to verify the identity of
an individual, the individual claiming to be the customer cannot answer
challenge questions correctly.
Unusual Use of or Other Suspicious Activity Related to a Customer Account:
• Shortly after receiving a notice of change of address for the account, the
City receives a request to add another name to the account.
• A new account is used in a manner commonly associated with known
patterns of fraud, such as a first payment is made, and then no
subsequent payments are made.
• An account is used in a manner inconsistent with the established pattern
of activity for the account, such as a nonpayment where there has never
been a late or missed payment.
IDENTITY THEFT PREVENTION PROGRAM
Page 5 of 9
EXHIBIT A
Resolution No. 09-58
• An inactive account becomes active.
• Mail sent to the customer is returned repeatedly.
• The City is notified that a customer is not receiving his/her paper account
statements.
• The City is notified of unauthorized transactions on a customer's
account.
Notice of Possible Identity Theft:
• The City is notified by a customer of possible identity theft in connection
with his/her account.
• The City is notified by a victim of identity theft of possible identity theft in
connection with a customer account.
• The City is notified by law enforcement of possible identity theft in
connection with a customer account.
• The City is notified by others of possible identity theft in connection with
a customer account.
VI. PROCEDURES FOR DETECTING RED FLAGS
The following procedures are being implemented by the City to detect the Red Flags
identified with opening of accounts and existing accounts identified above:
(a) Obtain personal identifying information of an individual to verify his/her identity
prior to opening an account.
(b) Authenticate the identity of customers when they are requesting information
about their accounts.
(c) Authenticate the identity of customers when they are requesting to make any
changes to their accounts.
(d) Verify the validity of all billing address change requests.
(e) Conduct a credit check when opening a new account.
(f) Monitor transactions.
(g) Verify all requests to change banking information used for payment purposes.
Members of the City's staff will be assigned and trained to detect Red Flags.
In addition, the City may employ the services of a third party services provider and/or
utilize computer software programs to assist in detecting Red Flags.
IDENTITY THEFT PREVENTION PROGRAM
Page 6 of 9
EXHIBIT A Resolution No. 09-58
[THIS SECTION VII. ONLY APPLIES TO ENTITIES THAT USE AND/OR
REQUEST CONSUMER REPORTS]
VII. ADDRESS DISCREPANCIES IN CONSUMER REPORTS
Title 15 of the Code of Federal Regulations, section 1681 c, requires consumer reporting
agencies to notify a requestor in writing, such as the City, where the address provided by the
City for a consumer substantially differs from the address the consumer reporting agency has
on file for that consumer. Upon receipt of a notice of an address discrepancy for a consumer,
the Red Flag Rules, 16 C.F.R. § 681.1, require the City to verify the identity of the consumer for
whom the consumer report was obtained in order to form a reasonable belief that the City
knows the identity of the consumer through one or more of the following methods:
(a) Verify the information in the consumer report with the consumer.
(b) Verify the consumer's address through the records of applications, address
change notifications, and other account records for the consumer maintained by
the City, or retained CIP documentation.
(c) Verify the consumer's address through information from third parties.
(d) Use any other reasonable means.
Newly Established Accounts
For newly established accounts for which a notice of address discrepancy was
received, the City must provide to the consumer reporting agency that furnished the notice of
address discrepancy the address that the City has reasonably confirmed to be accurate under
the following circumstances:
(a) The City can form a reasonable belief that the consumer report relates to the
consumer for whom the report was requested;
(b) The City establishes a continuing relationship with the consumer; and
(c) The City regularly in the ordinary course of business provides information to the
consumer reporting agency from which the notice of address discrepancy was
obtained.
The consumer's address can be confirmed through the following methods:
(a) Verify the information in the consumer report with the consumer.
(b) Verify the consumer's address through the records of applications, address
change notifications, and other account records for the consumer maintained by
the City.
(c) Verify the consumer's address through information from third parties.
(d) Use any other reasonable means.
IDENTITY THEFT PREVENTION PROGRAM
Page 7 of 9
EXHIBIT A
Resolution No. 09-58
The City must provide the consumer reporting agency the address that the City has
reasonable confirmed to be accurate as part of the information the City regularly furnishes for
the reporting period in which the City establishes a relationship with the consumer.
Red Flags
A notice of address discrepancy constitutes a Red Flag, and the City will take the
necessary action to respond appropriately.
VIII. PROCEDURES FOR RESPONDING TO RED FLAGS
In order to prevent and mitigate identity theft, and after taking into consideration the
risks of identity theft applicable to the customer accounts, the City implements the following
procedures to respond to all Red Flags that are discovered. One or more of these procedures
will be used each time a Red Flag is detected:
(a) Monitor accounts for evidence of identity theft.
(b) Contact the Customer.
(c) Change or add a password, security code or other device that provides access
to the account.
(d) Reopen an account with a new account number.
(e) Close an existing account.
(f) Not open a new account.
(g) Not selling an account to a debt collector.
(h) Not attempting to collect on an account.
(I) Notify law enforcement.
(j) Determine that no response is warranted given the particular circumstances.
(k) Ask the customer to appear in person with government issued identification.
(I) Require a deposit to be paid before providing service.
(m) Do not provide account information to anyone other than the account holder, or
other individual authorized by the account holder.
(n) Update all account information.
(o) Deactivate payment method, such as a credit card registered for online
payment.
(p) Connect or disconnect service.
IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A
Page 8 of 9
(q) Initiate an investigation.
Resolution No. 09-58
In addition to any of the actions above, the Finance Director will be notified of any Red
Flags discovered.
IX. TRAINING OF STAFF
City staff that will be directly involved with opening customers' accounts or servicing
customer accounts in a manner that would place them in a position to detect Red Flags, or
allow them access to customers' private information shall be trained to detect Red Flags and
appropriately respond when Red Flags are discovered. The City's staff participation is crucial to
the effective implementation of this Program.
The Finance Director will oversee all staff training to ensure that training is adequate to
ensure effective implementation of the Program.
X. OVERSIGHT OF THIRD -PARTY SERVICE PROVIDER INVOLVED WITH
CUSTOMER ACCOUNTS
If the City employs a third -party service provider to perform any activity in connection
with a customer account, the Finance Director is responsible for ensuring that the activity is
conducted in compliance with reasonable policies and procedures to detect, prevent and
mitigate the risk of identity theft. This may be achieved by requiring that a third -party service
provider has policies and procedures to detect the Red Flags identified by the City, and also
requiring the third -party service provider to review the City's Program and agree to report any
Red Flags to the Finance Director.
XI. USE OF A THIRD -PARTY SERVICE PROVIDER TO ASSIST IN THE
IMPLEMENTATION OF THE PROGRAM
The City may hire a third -party service provider in order to implement this Program. The
third -party service provider may provide services such as the implementation and
administration of computer software programs that detect Red Flags. If a third -party service
provider is used to assist in the detection of Red Flags, the third -party service provider is
required to immediately notify the Finance Director if any Red Flags are discovered.
The Finance Director is responsible for overseeing any third -party service provider in an
appropriate and effective manner. The Finance Director's oversight shall include periodic
meetings and/or receipt and review of periodic reports from the third -party service provider
regarding what services are being provided, any Red Flags that have been detected, and any
possible modifications to the services provided to increase the effectiveness.
XII. PERIODIC IDENTIFICATION OF CUSTOMER ACCOUNTS
The Finance Director will periodically review the types of accounts it maintains for
customers to determine which are "covered accounts" under the Red Flag Rules, and therefore
are subject to this Program.
IDENTITY THEFT PREVENTION PROGRAM
Page 9of9
XIII. PERIODIC UPDATE OF THE PROGRAM
EXHIBIT A Resolution No. 09-58
This Program shall be updated periodically to ensure that the identified Red Flags, the
procedures to detect Red Flags, and the responses to the Red Flags when discovered
adequately protect customers from identity theft. The updating of the Program should take into
consideration any changes in the customers' level of risk of identity theft by looking at the
following factors:
(a) The City's recent experiences with identity theft in connection with the customer
accounts.
(b) Changes in methods of identity theft.
(c) Changes in methods of detecting, preventing and mitigating identity theft.
(d) Changes in the types of customer accounts offered.
(e) Changes in arrangements with any third -party service providers involved in the
implementation of the Program.
City staff may recommend modifications to the Program. However, any modification to
the Program may not be implemented unless first approved by the Council.