Loading...
HomeMy WebLinkAboutRes Nos 09-58, 561, HA-41 & FA64 - Identity Theft Prevention Pgrm Res. No. 09-58 Res. No. 561 Res No. HA-41 Res. No. FA-64 CITY OF PALM DESERT FINANCE DEPARTMENT Staff Report REQUEST: APPROVE THE RESOLUTIONS ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM FOR THE CITY OF PALM DESERT, PALM DESERT REDEVELOPMENT AGENCY, PALM DESERT HOUSING AUTHORITY, AND PALM DESERT FINANCING AUTHORITY SUBMITTED BY: PAUL S. GIBSON, FINANCE DIRECTOR DATE: JULY 9, 2009 CONTENTS: MEMORANDUM FROM BEST BEST & KRIEGER LLP RESOLUTIONS IDENTITY THEFT PREVENTION PROGRAM Recommendation: By Minute motion, that the City Council approve the resolutions adopting an Identity Theft Prevention Program for the City of Palm Desert, Palm Desert Redevelopment Agency, Palm Desert Housing Authority and Palm Desert Financing Authority. Backqround: In May 2009, Best, Best & Krieger issued a memorandum to the City of Palm Desert relative to the implementation of an Identity Theft Prevention Program for utility accounts under the Red Flag Rules. While the City does not administer any utility accounts, as a public entity, the City is considered a creditor due to its involvement in programs such as the Energy Independence Program and the Home Improvement Program. It is therefore considered appropriate for the City to adopt such guidelines as advised by the City Attorney. Attached is a copy of the proposed guidelines for the City of Palm Desert and its entities. Also attached is the memorandum received from Best, Best & Krieger and the draft resolutions to be adopted by City Council at an upcoming meeting. The guidelines were presented and approved at the Audit, Investment and Finance Committee meeting of June 23, 2009, and the Committee recommends that the City Council approve the resolutions adopting an identity Theft Prevention Program for the City of Palm Desert, Palm Desert Redevelopment Agency, Palm Desert Housing Authority and Palm Desert Financing Authority. Sub 'tted y� P I S. Gibson, Finance Director Jo n . Wohlmuth, City Manager/Exec. Dir. G:\Finance\Niamh Ortega\Staff ReportsWudit, Investment&Finance Co ttee\SR-Identity Theft Prevention Program To Council 061609.Docx REGULAR PALM DESERT CITY COUNCIL MEETING JULY 9, 2009 XIV. NEW BUSINESS A. REQUEST FOR ADOPTION OF RESOLUTIONS, ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM FOR THE CITY OF PALM DESERT, PALM DESERT REDEVELOPMENT AGENCY, PALM DESERT HOUSING AUTHORITY,AND PALM DESERT FINANCING AUTHORITY (JOINT CONSIDERATION WITH THE PALM DESERT REDEVELOPMENT AGENCY, PALM DESERT HOUSING AUTHORITY, AND PALM DESERT FINANCING AUTHORITY). Rec: Waive further reading and adopt the following Resolutions, relative to an Identity Theft Prevention Program for each entity, respectively: 1) City Council Resolution No. 09-58; 2) Redevelopment Agency Resolution No. 561; 3) Housing Authority Resolution No. HA-41; 4) Financing Authority Resolution No. FA-64. CITY COUNCILAC�dN APPROVED Y" $� ECEIVF OTHER „ , �,.,�,,,,� �"� e�.,, �Y RCDA �-O MEE G DA - ��---�--�-� AYE5•� ' � �, e . . if��l�l�l� BY U`�(�C/� NOES: ABSENI�: �r��inal on fil� wifih City ClPrk's �Jffir,c� ABSTAINs VERIFIED BY: Originat on File witk C�ty rk's Oftic� E3Y f-i��lSG d/���� �� CC���r.r_7—�'�C] — 1,/�F��1�=1Efi) BY���� _ G C3€•i�ir;�i ar; f69e wi�� City Cde�rk`a OfficE � r G BY FIN AUTH �-� otv �7- �'- a Q VERlFIED BY: ��� ��� Origina! on file with City Cierk's Office BEST BEST & KRIEGER ATTORNEYS AT LAW May 18, 2009 MEMORANDUM To: PUBLIC AGENCY CLIENTS FROM: BEST BEST & KRIEGER LLP RE: FTC EXTENDS DEADLINE FOR PUBLIC AGENCIES TO IUIPLEMENT IDENTITY THEFT PROTECTION PROGRAMS FOR UTILITY ACCOUNTS UNDER THE RED FLAG RULES UNTIL AUGUST 1, 2009 The Fair and Accurate Credit Transactions Act of 2003 ("FACTA") directs the federal bank regulatory agencies and the Federal Trade Commission (the "Agencies") to issue joint regulations and guidelines regarding the implementation of programs to detect, prevent, and m�tigate identity theft. In November 2007, the Agencies jointly issued final rules and guidelines (the "Rules") implementing Section 114 of FACTA. The Rules require each financial institution or creditor to develop and implement a written Identity Theft Prevention Program ("Program") to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts. The Program must be able to detect patterns, practices and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the Program. The Agencies issued guideline� to assist financial institutions and creditors in the development and continuation of a Program that satisfies the requirements of the Rules. The Rules became effective January 1, 2008. However, the enforcement deadline of May 1, 2009 has now been extended an additional 3 months until August 1, 2009 to provide creditors with additional time to adopt a Program. Public Agencies Are Creditors A Program is required where a creditor maintains one or more "covered accounts." The definition of "creditor" includes a government agency that arranges for the extension, renewal, or continuation of credit.' The Rules define a "creditor" to include lenders such as utility companies.2 According to the Rules, a "covered account" is (1) an account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, such as a utility account, or (2) any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.3 ' Under the Fair and Accurate Credit Transactions Act("FACTA"), the term "creditor" retains the same meaning under Section 702 of the Equal Credit Opportunity Act (ECOA)o�as in 15 U.S.C. 1681 a(r)(5). Under 15 U.S.C. 1681 a, "person" is defined as a natural person, corporation, government or �overnmental subdivision or agency, trust, estate, partnership, cooperative, or association. 16 C.F.R. 681.2. 3 16 C.F.R. 681.2. SDPUB\NELEM EN\380956.1 RESOLUTION NO. 09-58 RESOLUTION OF THE CITY COUNCIL OF THE CITY OF PALM DESERT, CALIFORNIA, ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM WHEREAS, the City of Palm Desert is a municipal corporation organized and existing pursuant to the California Constitution; and WHEREAS, the Fair and Accurate Credit Transaction Act of 2003 ("FACTA") Section 114, as implemented by the Red Flag Rules, 16 C.F.R. § 681.2, issued by the Federal Trade Commission along with other federal agencies, requires creditors of customer accounts to implement an Identity Theft Prevention Program; and WHEREAS, the City of Palm Desert is a creditor because it provides services to customers prior to receipt of payment through customer accounts, including utility service accounts, which are maintained primarily for personal, family or household purposes and involve multiple payments or transactions, and for which there is a reasonably foreseeable risk of identity theft; and WHEREAS, the City of Palm Desert is therefore required to implement an Identity Theft Prevention Program; and WHEREAS, the purpose of the Identity Theft Prevention Program is to detect, prevent and mitigate identity theft in connection with all customer accounts, taking into consideration the level of risk for identity theft given the City of Palm Desert's scope of services provided and the types of accounts; and WHEREAS, the Identity Theft Prevention Program is created to identify patterns, practices and specific activities that indicate the possible existence of identity theft, referred to as "Red Flags," and sets forth the procedures for detecting Red Flags and responding to Red Flags when discovered; and WHEREAS, the City Council of the City of Palm Desert desires to adopt and implement an Identity Theft Prevention Program as required under the Federal Law; NOW, THEREFORE, BE IT RESOLVED by the City Council of the City of Palm Desert as follows: Section 1. Adoption of Identitv Theft Prevention Proqram. The City of Palm Desert hereby adopts the "Identity Theft Prevention Program" attached hereto as Exhibit "A". Section 2. Desiqnation of Authority. The City Council of the City of Palm Desert authorizes the Audit, Investment & Finance Committee to act on the City Council's behalf to oversee the implementation and administration of the Identity Theft Prevention Program in accordance with Federal Law. Section 3. Amendinq the Identity Theft Prevention Proqram. The Identity Theft Prevention Program may be amended from time to time by resolution of the City Council. G:IFinancelNiamh OrtegallDENTITY THEFT PREVENTION PROGRAM.Docx Resolution No. 09-58 Section 4. Effective Date. This Resolution shall be effective as of November 1, 2008. ADOPTED this day of , 2009, by the following vote to wit: AYES: NOES: ABSENT: ABSTAIN: ROBERT A. SPIEGEL, Mayor ATTEST: RACHELLE D. KLASSEN, City Clerk City of Palm Desert, California RESOLUTION NO. 561 RESOLUTION OF THE PALM DESERT REDEVELOPMENT AGENCY ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM WHEREAS, the Fair and Accurate Credit Transaction Act of 2003 ("FACTA") Section 114, as implemented by the Red Flag Rules, 16 C.F.R. § 681.2, issued by the Federal Trade Commission along with other federal agencies, requires creditors of customer accounts to implement an Identity Theft Prevention Program; and WHEREAS, the Palm Desert Redevelopment Agency is a creditor because it provides services to customers prior to receipt of payment through customer accounts, including utility service accounts, which are maintained primarily for personal, family or household purposes and involve multiple payments or transactions, and for which there is a reasonably foreseeable risk of identity theft; and WHEREAS, the Palm Desert Redevelopment Agency is therefore required to implement an Identity Theft Prevention Program; and WHEREAS, the purpose of the Identity Theft Prevention Program is to detect, prevent and mitigate identity theft in connection with all customer accounts, taking into consideration the level of risk for identity theft given the Palm Desert Redevelopment Agency's scope of services provided and the types of accounts; and WHEREAS, the Identity Theft Prevention Program is created to identify patterns, practices and specific activities that indicate the possible existence of identity theft, referred to as "Red Flags," and sets forth the procedures for detecting Red Flags and responding to Red Flags when discovered; and WHEREAS, the Agency Board of the Palm Desert Redevelopment Agency desires to adopt and implement an Identity Theft Prevention Program as required under the Federal Law; NOW, THEREFORE, BE IT RESOLVED by the Agency Board of the Palm Desert Redevelopment Agency as follows: Section 1. Adoption of Identity Theft Prevention Proqram. The Palm Desert Redevelopment Agency hereby adopts the "Identity Theft Prevention Program" attached hereto as Exhibit "A". Section 2. Desiqnation of Authoritv. The Agency Board of the Palm Desert Redevelopment Agency authorizes the Audit, Investment & Finance Committee to act on the Agency Board's behalf to oversee the implementation and administration of the Identity Theft Prevention Program in accordance with Federal Law. Section 3. Amendinq the Identitv Theft Prevention Proqram. The Identity Theft Prevention Program may be amended from time to time by resolution of the Palm Desert Redevelopment Agency. Resolution No. 561 Section 4. Effective Date. This Resolution shall be effective as of November 1, 2008. ADOPTED this day of , 2009, by the following vote to wit: AYES: NOES: ABSENT: ABSTAIN: ROBERT A. SPIEGEL, Chairman ATTEST: RACHELLE D. KLASSEN, Secretary Palm Desert Redevelopment Agency, California RESOLUTION NO. �-41 RESOLUTION OF THE PALM DESERT HOUSING AUTHORITY ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM WHEREAS, the Fair and Accurate Credit Transaction Act of 2003 ("FACTA") Section 114, as implemented by the Red Flag Rules, 16 C.F.R. § 681.2, issued by the Federal Trade Commission along with other federal agencies, requires creditors of customer accounts to implement an Identity Theft Prevention Program; and WHEREAS, the Palm Desert Housing Authority is a creditor because it provides services to customers prior to receipt of payment through customer accounts, including utility service accounts, which are maintained primarily for personal, family or household purposes and involve multiple payments or transactions, and for which there is a reasonably foreseeable risk of identity theft; and WHEREAS, the Palm Desert Housing Authority is therefore required to implement an Identity Theft Prevention Program; and WHEREAS, the purpose of the Identity Theft Prevention Program is to detect, prevent and mitigate identity theft in connection with all customer accounts, taking into consideration the level of risk for identity theft given the Palm Desert Housing Authority's scope of services provided and the types of accounts; and WHEREAS, the Identity Theft Prevention Program is created to identify patterns, practices and specific activities that indicate the possible existence of identity theft, referred to as "Red Flags," and sets forth the procedures for detecting Red Flags and responding to Red Flags when discovered; and WHEREAS, the Agency Board of the Palm Desert Housing Authority desires to adopt and implement an Identity Theft Prevention Program as required under the Federal Law; NOW, THEREFORE, BE IT RESOLVED by the Agency Board of the Palm Desert Housing Authority as follows: Section 1. Adoption of Identity Theft Prevention Proqram. The Palm Desert Housing Authority hereby adopts the "Identity Theft Prevention Program" attached hereto as Exhibit "A". Section 2. Designation of Authority. The Agency Board of the Palm Desert Housing Authority authorizes the Audit, Investment & Finance Committee to act on the Agency Board's behalf to oversee the implementation and administration of the Identity Theft Prevention Program in accordance with Federal Law. Section 3. Amendinq the Identitv Theft Prevention Proqram. The Identity Theft Prevention Program may be amended from time to time by resolution of the Palm Desert Housing Authority. Resolution No. HA-41 Section 4. Effective Date. This Resolution shall be effective as of November 1, 2008. ADOPTED this day of , 2009, by the following vote to wit: AYES: NOES: ABSENT: ABSTAIN: ROBERT A. SPIEGEL, Chairman ATTEST: RACHELLE D. KLASSEN, Secretary Palm Desert Housing Authority, California RESOLUTION NO. FA-64 RESOLUTION OF THE PALM DESERT FINANCING AUTHORITY ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM WHEREAS, the Fair and Accurate Credit Transaction Act of 2003 ("FACTA") Section 114, as implemented by the Red Flag Rules, 16 C.F.R. § 681.2, issued by the Federal Trade Commission along with other federal agencies, requires creditors of customer accounts to implement an Identity Theft Prevention Program; and WHEREAS, the Palm Desert Financing Authority is a creditor because it provides services to customers prior to receipt of payment through customer accounts, including utility service accounts, which are maintained primarily for personal, family or household purposes and involve multiple payments or transactions, and for which there is a reasonably foreseeable risk of identity theft; and WHEREAS, the Palm Desert Financing Authority is therefore required to implement an Identity Theft Prevention Program; and WHEREAS, the purpose of the Identity Theft Prevention Program is to detect, prevent and mitigate identity theft in connection with all customer accounts, taking into consideration the level of risk for identity theft given the Palm Desert Financing Authority's scope of services provided and the types of accounts; and WHEREAS, the Identity Theft Prevention Program is created to identify patterns, practices and specific activities that indicate the possible existence of identity theft, referred to as "Red Flags," and sets forth the procedures for detecting Red Flags and responding to Red Flags when discovered; and WHEREAS, the Agency Board of the Palm Desert Financing Authority desires to adopt and implement an Identity Theft Prevention Program as required under the Federal Law; NOW, THEREFORE, BE IT RESOLVED by the Agency Board of the Palm Desert Financing Authority as follows: Section 1. Adoption of Identitv Theft Prevention Proqram. The Palm Desert Financing Authority hereby adopts the "Identity Theft Prevention Program" attached hereto as Exhibit "A". Section 2. Desiqnation of Authority. The Agency Board of the Palm Desert Financing Authority authorizes the Audit, Investment & Finance Committee to act on the Agency Board's behalf to oversee the implementation and administration of the Identity Theft Prevention Program in accordance with Federal Law. Section 3. Amendinq the Identitv Theft Prevention Proclram. The Identity Theft Prevention Program may be amended from time to time by resolution of the Palm Desert Financing Authority. Resolution No. FA-64 Section 4. Effective Date. This Resolution shall be effective as of November 1, 2008. ADOPTED this day of , 2009, by the following vote to wit: AYES: NOES: ABSENT: ABSTAIN: ROBERT A. SPIEGEL, Chairman ATTEST: RACHELLE D. KLASSEN, Secretary Palm Desert Financing Authority, California R�solution No. EXHYBIT A IDENTITY THEFT PREVENTION PROGRAM I. PURPOSE The Fair and Accurate Credit Transaction Act of 2003 ("FACTA"), section 114, as implemented by the Red Flag Rules, 16 C.F.R. § 681.2, issued by the Federal Trade Commission along with other federal agencies requires creditors of customer accounts to implement an Identity Theft Prevention Program. Pursuant to the regulations, the City of Palm Desert ("City") is a creditor because it provides services to customers prior to receipt of payment through customer accounts, including utility service accounts, which are maintained primarily for personal, family or household purposes and involve multiple payments or transactions, and for which there is a reasonably foreseeable risk of identity theft. Therefore, the City is required to implement an Identity Theft Prevention Program. The purpose of this Identity Theft Prevention Program ("Program") is to detect, prevent and mitigate identity theft in connection with all customer accounts, taking into consideration the level of risk for identity theft given the City's scope of services provided and the types of accounts. This Program is created to identify patterns, practices and specific activities that indicate the possible existence of identity theft, hereinafter referred to as "Red Flags". The Program sets forth the procedures for detecting Red Flags and responding to Red Flags when discovered. II. DEFINITIONS "Red Flag" shall mean a pattern, practice or specific activity that indicates the possible existence of identity theft as defined in the Red Flag Rules, and as specifically enumerated in Section V. 16 C.F.R. § 681.2. "Identity theft" shall mean a fraud committed or attempted using the personal identifying information of another person without his/her authority. 16 C.F.R. § 603.2 (a). "Customer accounY' shall mean a utility service account or other account provided by the City that constitutes a "covered account" under the Red Flag Rules. "Personal identifying information" shall mean information that may be used to identify a specific person, including, but not limited to, a social security number, date of birth, government issued driver's license or identification number, government passport number, unique biometric data such as fingerprints or physical appearance, any unique electronic identification number, telephone number or address. "City" shall include all entities operating under the umbrella of the City of Palm Desert including the Palm Desert Redevelopment Agency, Palm Desert Housing Authority, Palm Desert Financing Authority, and Palm Desert Recreational Facilities Corporation. III. DESIGNATION OF AUTHORITY The Palm Desert City Council ("Council") designates the authority to develop, oversee, implement and administer the Program to the Audit, Investment and Finance Committee. G:IFinancelNiamh OrtegallDENTITY THEFT PREVENTION PROGRAM.Docx IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A Resolution No. Page 2 of 9 As part of the Audit, Investment and Finance Committee's oversight responsibilities for the Program, the Audit, Investment and Finance Committee is required to review and approve all material changes to the Program as necessary to address changing identity theft risks. the Audit, Investment and Finance Committee is also responsible for reviewing reports prepared by City staff regarding the City's compliance with FACTA and the Red Flag Rules requiring the implementation of an Identity Theft Prevention Program. IV. COMPLIANCE REPORTS TO BE PREPARED BY CITY STAFF The Audit, Investment and Finance Committee will designate City staff involved with the implementation of the Program to prepare reports regarding the City's compliance with FACTA and the Red Flag Rules requiring the implementation of an Identity Theft Prevention Program. The reports should address material matters related to the Program, such as the following: (a) The effectiveness of the City's policies and procedures to address the risk of identity theft in connection with opening customer accounts, as well as with existing accounts. This includes identifying any issues related to identifying, detecting and responding to Red Flags; (b) Third-party service provider arrangements; (c) Significant incidents of identity theft or Red Flag detection, and the City's responses to those incidents; (d) Recommendations for material changes to the program to ensure that customer accounts are adequately protected from the risk of identity theft. The reports should be prepared at least annually for review by the Audit, Investment and Finance Committee and/or the Council. V. RED FLAGS IDENTIFIED BY THE CITY In identifying the Red Flags applicable to the City's customer accounts, the City considered the following risk factors: (a) The types of accounts the City maintains; (b) The methods the City provides to open customer accounts; (c) The methods the City provides to access customers' accounts; (d) The City's previous experiences with identity theft in connection with the customer accounts. IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A Resolution No. Page 3 of 9 The Red Flags identified in this Program have been incorporated from sources which include supervisory guidance, past incidents of identity theft, and changes in methods of identity theft risk. The City's/dentified Red Flags are as follows: Alerts, notifications or other warnings received from consumer reporting agencies or service providers providing fraud protection services: • Fraud or active duty alerts from consumer reports. • Notice of a credit freeze from a consumer reporting agency in response to request for a consumer report. • Notice of address discrepancy provided by a consumer reporting agency. • A consumer report indicates a pattern of activity that is inconsistent with the history or usual pattern of activity of a customer or applicant. • Recent significant increase in the volume of inquiries of the customer's credit. • Unusual number of recently established credit relationships. • A material change in the use of credit, especially in regards to credit relationships recently established. • A customer had an account with the City or any other creditor that was closed for cause or identified for abuse of account privileges. Suspicious Documents: • Documents used for identification purposes appear to have been altered or forged. • The photograph or physical description on the identification documents does not match the appearance of the person presenting the identification. • Other information in identification documents does not match the information provided by the individual presenting the identification documents. • Other information in the identification documents does not match the information on file with the City. • The application to open the account appears to have been forged, altered, or gives the appearance of having been destroyed and reassembled. IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A Resolution No. Page 4 of 9 Suspicious Personal Identifying Information: • Personal information provided is inconsistent with information provided by an external source, for example where the address provided does not match the address contained in a consumer report. • Personal identifying information is inconsistent with other personal identifying information provided by the customer such as a date of birth and the social security number range that do not correlate. • Personal identifying information provided is associated with known fraudulent activity, as indicated by internal or third-party sources, such as the address or phone number on an application was previously provided on another fraudulent application. • Personal identifying information is of a type commonly associated with fraudulent activity, as indicated by internal or third-party sources, such as a fictitious address, or an invalid phone number. • The social security number provided is the same as the social security number of another applicant attempting to open an account or an existing customer. • The address or telephone number provided is the same as other individuals attempting to open an account or existing customers. • The individual opening the account cannot provide all of the required personal identifying information for an application. • Personal identifying information is inconsistent with the information provided by the customer on file with the City. • Where challenge questions are used by the City to verify the identity of an individual, the individual claiming to be the customer cannot answer challenge questions correctly. Unusual Use of or Other Suspicious Activity Related to a Customer Account: • Shortly after receiving a notice of change of address for the account, the City receives a request to add another name to the account. • A new account is used in a manner commonly associated with known patterns of fraud, such as a first payment is made, and then no subsequent payments are made. • An account is used in a manner inconsistent with the established pattern of activity for the account, such as a nonpayment where there has never been a late or missed payment. IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A Resolution No. Page 5 of 9 • An inactive account becomes active. • Mail sent to the customer is returned repeatedly. • The City is notified that a customer is not receiving his/her paper account statements. • The City is notified of unauthorized transactions on a customer's account. Notice of Possible Identity Theft: • The City is notified by a customer of possible identity theft in connection with his/her account. • The City is notified by a victim of identity theft of possible identity theft in connection with a customer account. • The City is notified by law enforcement of possible identity theft in connection with a customer account. • The City is notified by others of possible identity theft in connection with a customer account. VI. PROCEDURES FOR DETECTING RED FLAGS The following procedures are being implemented by the City to detect the Red Flags identified with opening of accounts and existing accounts identified above: (a) Obtain personal identifying information of an individual to verify his/her identity prior to opening an account. (b) Authenticate the identity of customers when they are requesting information about their accounts. (c) Authenticate the identity of customers when they are requesting to make any changes to their accounts. (d) Verify the validity of all billing address change requests. (e) Conduct a credit check when opening a new account. (f) Monitor transactions. (g) Verify all requests to change banking information used for payment purposes. Members of the City's staff will be assigned and trained to detect Red Flags. In addition, the City may employ the services of a third party services provider and/or utilize computer software programs to assist in detecting Red Flags. IDENTITYTHEFTPREVENTIONPROGRAM EXHIBIT A Resolution No. Page 6 of 9 [THIS SECTION VII. ONLY APPLIES TO ENTITIES THAT USE AND/OR REQUEST CONSUMER REPORTS] VII. ADDRESS DISCREPANCIES IN CONSUMER REPORTS Title 15 of the Code of Federal Regulations, section 1681 c, requires consumer reporting agencies to notify a requestor in writing, such as the City, where the address provided by the City for a consumer substantially differs from the address the consumer reporting agency has on file for that consumer. Upon receipt of a notice of an address discrepancy for a consumer, the Red Flag Rules, 16 C.F.R. § 681.1, require the City to verify the identity of the consumer for whom the consumer report was obtained in order to form a reasonable belief that the City knows the identity of the consumer through one or more of the following methods: (a) Verify the information in the consumer report with the consumer. (b) Verify the consumer's address through the records of applications, address change notifications, and other account records for the consumer maintained by the City, or retained CIP documentation. (c) Verify the consumer's address through information from third parties. (d) Use any other reasonable means. Newly Established Accounts For newly established accounts for which a notice of address discrepancy was received, the City must provide to the consumer reporting agency that furnished the notice of address discrepancy the address that the City has reasonably confirmed to be accurate under the following circumstances: (a) The City can form a reasonable belief that the consumer report relates to the consumer for whom the report was requested; (b) The City establishes a continuing relationship with the consumer; and (c) The City regularly in the ordinary course of business provides information to the consumer reporting agency from which the notice of address discrepancy was obtained. The consumer's address can be confirmed through the following methods: (a) Verify the information in the consumer report with the consumer. (b) Verify the consumer's address through the records of applications, address change notifications, and other account records for the consumer maintained by the City. (c) Verify the consumer's address through information from third parties. (d) Use any other reasonable means. IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A Resolution No. Page 7 of 9 The City must provide the consumer reporting agency the address that the City has reasonable confirmed to be accurate as part of the information the City regularly furnishes for the reporting period in which the City establishes a relationship with the consumer. Red Flags A notice of address discrepancy constitutes a Red Flag, and the City will take the necessary action to respond appropriately. VIII. PROCEDURES FOR RESPONDING TO RED FLAGS In order to prevent and mitigate identity theft, and after taking into consideration the risks of identity theft applicable to the customer accounts, the City implements the following procedures to respond to all Red Flags that are discovered. One or more of these procedures will be used each time a Red Flag is detected: (a) Monitor accounts for evidence of identity theft. (b) Contact the Customer. (c) Change or add a password, security code or other device that provides access to the account. (d) Reopen an account with a new account number. (e) Close an existing account. (f) Not open a new account. (g) Not selling an account to a debt collector. (h) Not attempting to collect on an account. (i) Notify law enforcement. (j) Determine that no response is warranted given the particular circumstances. (k) Ask the customer to appear in person with government issued identification. (I) Require a deposit to be paid before providing service. (m) Do not provide account information to anyone other than the account holder, or other individual authorized by the account holder. (n) Update all account information. (o) Deactivate payment method, such as a credit card registered for online payment. (p) Connect or disconnect service. IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A Resolution No. Page 8 of 9 (q) Initiate an investigation. in addition to any of the actions above, the Finance Director will be notified of any Red Flags discovered. IX. TRAINING OF STAFF City staff that will be directly involved with opening customers' accounts or servicing customer accounts in a manner that would place them in a position to detect Red Flags, or allow them access to customers' private information shall be trained to detect Red Flags and appropriately respond when Red Flags are discovered. The City's staff participation is crucial to the effective implementation of this Program. The Finance Director will oversee all staff training to ensure that training is adequate to ensure effective implementation of the Program. X. OVERSIGHT OF THIRD-PARTY SERVICE PROVIDER INVOLVED WITH CUSTOMER ACCOUNTS If the City employs a third-party service provider to perform any activity in connection with a customer account, the Finance Director is responsible for ensuring that the activity is conducted in compliance with reasonable policies and procedures to detect, prevent and mitigate the risk of identity theft. This may be achieved by requiring that a third-party service provider has policies and procedures to detect the Red Flags identified by the City, and also requiring the third-party service provider to review the City's Program and agree to report any Red Flags to the Finance Director. XI. USE OF A THIRD-PARTY SERVICE PROVIDER TO ASSIST IN THE IMPLEMENTATION OF THE PROGRAM The City may hire a third-party service provider in order to implement this Program. The third-party service provider may provide services such as the implementation and administration of computer software programs that detect Red Flags. If a third-party service provider is used to assist in the detection of Red Flags, the third-party service provider is required to immediately notify the Finance Director if any Red Flags are discovered. The Finance Director is responsible for overseeing any third-party service provider in an appropriate and effective manner. The Finance Director's oversight shall include periodic meetings and/or receipt and review of periodic reports from the third-party service provider regarding what services are being provided, any Red Flags that have been detected, and any possible modifications to the services provided to increase the effectiveness. XII. PERIODIC IDENTIFICATION OF CUSTOMER ACCOUNTS The Finance Director will periodically review the types of accounts it maintains for customers to determine which are "covered accounts" under the Red Flag Rules, and therefore are subject to this Program. IDENTITY THEFT PREVENTION PROGRAM EXHIBIT A Resolution No. Page 9 of 9 XIII. PERIODIC UPDATE OF THE PROGRAM This Program shall be updated periodically to ensure that the identified Red Flags, the procedures to detect Red Flags, and the responses to the Red Flags when discovered adequately protect customers from identity theft. The updating of the Program should take into consideration any changes in the customers' level of risk of identity theft by looking at the following factors: (a) The City's recent experiences with identity theft in connection with the customer accounts. (b) Changes in methods of identity theft. (c) Changes in methods of detecting, preventing and mitigating identity theft. (d) Changes in the types of customer accounts offered. (e) Changes in arrangements with any third-party service providers involved in the implementation of the Program. City staff may recommend modifications to the Program. However, any modification to the Program may not be implemented unless first approved by the Council.