Chapter 2.75
IDENTITY THEFT PROTECTION PROGRAM
Sections:
2.75.010 Adoption of identity theft prevention program.
2.75.020 Designation of authority.
2.75.030 Amending the identity theft prevention program.
2.75.060 Designation of authority.
2.75.070 Compliance reports to be prepared by district staff.
2.75.080 Red flags identified by the district.
2.75.090 Procedures for detecting red flags.
2.75.100 Address discrepancies in consumer reports.
2.75.110 Procedures for responding to red flags.
2.75.130 Oversight of third party service provider involved with customer accounts.
2.75.140 Use of a third party service provider to assist in the implementation of the program.
2.75.150 Periodic identification of customer accounts.
2.75.160 Periodic update of the program.
2.75.010 Adoption of identity theft prevention program.
The district hereby adopts the identity theft prevention program attached to the ordinance codified in this chapter as Exhibit “A.” (Res. 2565 § 1, 2008)
2.75.020 Designation of authority.
The board of directors of the district authorizes the general manager or his designee to act on the board of directors’ behalf to oversee the implementation and administration of the identity theft prevention program in accordance with federal law. (Res. 2565 § 2, 2008)
2.75.030 Amending the identity theft prevention program.
Substantive changes to the identity theft prevention program may be made from time to time by resolution of the board of directors. Nonsubstantive changes will be made from time to time under the authority of the general manager. (Res. 2565 § 3, 2008)
2.75.040 Purpose.
The Fair and Accurate Credit Transaction Act of 2003 (“FACTA”), Section 114, as implemented by the Red Flag Rules, 16 CFR Section 681.2, issued by the Federal Trade Commission along with other federal agencies, requires creditors of customer accounts to implement an identity theft prevention program. Pursuant to the regulations, Western Municipal Water District (“district”) is a creditor because it provides services to customers prior to receipt of payment through customer accounts, including utility service accounts, which are maintained primarily for personal, family or household purposes and involve multiple payments or transactions, and for which there is a reasonably foreseeable risk of identity theft. Therefore, the district is required to implement an identity theft prevention program.
The purpose of this identify theft prevention program (“program”) is to detect, prevent and mitigate identity theft in connection with all customer accounts, taking into consideration the level of risk for identity theft given the district’s scope of services provided and the types of accounts. This program is created to identify patterns, practices and specific activities that indicate the possible existence of identity theft, hereinafter referred to as “red flags.” The program sets forth the procedures for detecting red flags and responding to red flags when discovered. (Res. 2565 § 1 (Exh. A(I)), 2008)
2.75.050 Definitions.
“Customer account” shall mean a utility service account or other account provided by the district that constitutes a covered account under the Red Flag Rules.
“Identity theft” shall mean a fraud committed or attempted using the personal identifying information of another person without his/her authority. 16 CFR 603.2(a).
“Personal identifying information” shall mean information that may be used to identify a specific person, including, but not limited to, a Social Security number, date of birth, government-issued driver’s license or identification number, government passport number, unique biometric data such as fingerprints or physical appearance, any unique electronic identification number, telephone number or address.
“Red flag” shall mean a pattern, practice or specific activity that indicates the possible existence of identity theft as defined in the Red Flag Rules, and as specifically enumerated in Section V, 16 CFR Section 681.2. (Res. 2565 § 1 (Exh. A(II)), 2008)
2.75.060 Designation of authority.
The board of directors of the district designates the authority to develop, oversee, implement and administer the program to the general manager or his designee.
As part of the general manager’s oversight responsibilities for the program, the general manager or his designee is required to review and approve all material changes to the program as necessary to address changing identity theft risks. The general manager or his designee is also responsible for reviewing reports prepared by the district’s staff regarding the district’s compliance with FACTA and the Red Flag Rules requiring the implementation of an identity theft prevention program. (Res. 2565 § 1 (Exh. A(III)), 2008)
2.75.070 Compliance reports to be prepared by district staff.
The general manager will designate district staff involved with the implementation of the program to prepare reports regarding the district’s compliance with FACTA and the Red Flag Rules requiring the implementation of an identity theft prevention program. The reports should address material matters related to the program, such as the following:
A. The effectiveness of the district’s policies and procedures to address the risk of identity theft in connection with opening customer accounts, as well as with existing accounts. This includes identifying any issues related to identifying, detecting and responding to red flags;
B. Third party service provider arrangements;
C. Significant incidents of identity theft or red flag detection, and the district’s responses to those incidents;
D. Recommendations for material changes to the program to ensure that customer accounts are adequately protected from the risk of identity theft.
The reports should be prepared at least annually for review by the general manager and/or the board of directors. (Res. 2565 § 1 (Exh. A(IV)), 2008)
2.75.080 Red flags identified by the district.
A. In identifying the red flags applicable to the district’s customer accounts, the district considered the following risk factors:
1. The types of accounts the district maintains;
2. The methods the district provides to open customer accounts;
3. The methods the district provides to access customers’ accounts;
4. The district’s previous experiences with identity theft in connection with the customer accounts.
The red flags identified in this program have been incorporated from sources which include supervisory guidance, past incidents of identity theft, and changes in methods of identity theft risk.
B. The district’s identified red flags are as follows:
1. Alerts, notifications or other warnings received from consumer reporting agencies or service providers providing fraud protection services:
a. Fraud or active duty alerts from consumer reports.
b. Notice of a credit freeze from a consumer reporting agency in response to a request for a consumer report.
c. Notice of address discrepancy provided by a consumer reporting agency.
d. A consumer report indicates a pattern of activity that is inconsistent with the history or usual pattern of activity of a customer or applicant.
e. Recent significant increase in the volume of inquiries of the customer’s credit.
f. Unusual number of recently established credit relationships.
g. A material change in the use of credit, especially in regards to credit relationships recently established.
h. A customer had an account with the district or any other creditor that was closed for cause or identified for abuse of account privileges.
2. Suspicious documents:
a. Documents used for identification purposes appear to have been altered or forged.
b. The photograph or physical description on the identification documents do not match the appearance of the person presenting the identification.
c. Other information in identification documents does not match the information provided by the individual presenting the identification documents.
d. Other information in the identification documents does not match the information on file with the district.
e. The application to open the account appears to have been forged, altered, or gives the appearance of having been destroyed and reassembled.
3. Suspicious personal identifying information:
a. Personal information provided is inconsistent with information provided by an external source; for example, where the address provided does not match the address contained in a consumer report.
b. Personal identifying information is inconsistent with other personal identifying information provided by the customer, such as a date of birth and the Social Security number range that do not correlate.
c. Personal identifying information provided is associated with known fraudulent activity, as indicated by internal or third party sources, such as the address or phone number on an application was previously provided on another fraudulent application.
d. Personal identifying information is of a type commonly associated with fraudulent activity, as indicated by internal or third party sources, such as a fictitious address, or an invalid phone number.
e. The Social Security number provided is the same as the Social Security number of another applicant attempting to open an account or an existing customer.
f. The address or telephone number provided is the same as other individuals attempting to open an account or existing customers.
g. The individual opening the account cannot provide all of the required personal identifying information for an application.
h. Personal identifying information is inconsistent with the information provided by the customer on file with the district.
i. Where challenge questions are used by the district to verify the identity of an individual, the individual claiming to be the customer cannot answer challenge questions correctly.
4. Unusual use of or other suspicious activity related to a customer account:
a. Shortly after receiving a notice of change of address for the account, the district receives a request to add another name to the account.
b. A new account is used in a manner commonly associated with known patterns of fraud, such as a first payment is made, and then no subsequent payments are made.
c. An account is used in a manner inconsistent with the established pattern of activity for the account, such as a nonpayment where there has never been a late or missed payment.
d. An inactive account becomes active.
e. Mail sent to the customer is returned repeatedly.
f. The district is notified that a customer is not receiving his/her paper account statements.
g. The district is notified of unauthorized transactions on a customer’s account.
5. Notice of possible identity theft:
a. The district is notified by a customer of possible identity theft in connection with his/her account.
b. The district is notified by a victim of identity theft of possible identity theft in connection with a customer account.
c. The district is notified by law enforcement of possible identity theft in connection with a customer account.
d. The district is notified by others of possible identity theft in connection with a customer account. (Res. 2565 § 1 (Exh. A(V)), 2008)
2.75.090 Procedures for detecting red flags.
A. The following procedures are being implemented by the district to detect the red flags identified with opening of accounts and existing accounts identified above:
1. Obtain personal identifying information of an individual to verify his/her identity prior to opening an account.
2. Authenticate the identity of customers when they are requesting information about their accounts.
3. Authenticate the identity of customers when they are requesting to make any changes to their accounts.
4. Verify the validity of all billing address change requests.
5. Conduct a credit check when opening a new account.
6. Monitor transactions.
7. Verify all requests to change banking information used for payment purposes.
B. Members of the district’s staff will be assigned and trained to detect red flags.
C. In addition, the district may employ the services of a third party service provider and/or utilize computer software programs to assist in detecting red flags. (Res. 2565 § 1 (Exh. A(VI)), 2008)
2.75.100 Address discrepancies in consumer reports.
A. Title 15 of the Code of Federal Regulations, Section 1681c, requires consumer reporting agencies to notify a requestor in writing, such as the district, where the address provided by the district for a consumer substantially differs from the address the consumer reporting agency has on file for that consumer. Upon receipt of a notice of an address discrepancy for a consumer, the Red Flag Rules, 16 CFR Section 681.1, require the district to verify the identity of the consumer for whom the consumer report was obtained in order to form a reasonable belief that the district knows the identity of the consumer through one or more of the following methods:
1. Verify the information in the consumer report with the consumer.
2. Verify the consumer’s address through the records of applications, address change notifications, and other account records for the consumer maintained by the district, or retained CIP documentation.
3. Verify the consumer’s address through information from third parties.
4. Use any other reasonable means.
B. Newly Established Accounts. For newly established accounts for which a notice of address discrepancy was received, the district must provide to the consumer reporting agency that furnished the notice of address discrepancy the address that the district has reasonably confirmed to be accurate under the following circumstances:
1. The district can form a reasonable belief that the consumer report relates to the consumer for whom the report was requested;
2. The district establishes a continuing relationship with the consumer; and
3. The district regularly in the ordinary course of business provides information to the consumer reporting agency from which the notice of address discrepancy was obtained.
C. The consumer’s address can be confirmed through the following methods:
1. Verify the information in the consumer report with the consumer.
2. Verify the consumer’s address through the records of applications, address change notifications, and other account records for the consumer maintained by the district.
3. Verify the consumer’s address through information from third parties.
4. Use any other reasonable means.
The district must provide the consumer reporting agency the address that the district has reasonably confirmed to be accurate as part of the information the district regularly furnishes for the reporting period in which the district establishes a relationship with the consumer.
D. Red Flags. A notice of address discrepancy constitutes a red flag, and the district will take the necessary action to respond appropriately. (Res. 2565 § 1 (Exh. A(VII)), 2008)
2.75.110 Procedures for responding to red flags.
In order to prevent and mitigate identity theft, and after taking into consideration the risks of identity theft applicable to the customer accounts, the district implements the following procedures to respond to all red flags that are discovered. One or more of these procedures will be used each time a red flag is detected:
A. Monitor accounts for evidence of identity theft.
B. Contact the customer.
C. Change or add a password, security code or other device that provides access to the account.
D. Reopen an account with a new account number.
E. Close an existing account.
F. Not open a new account.
G. Not sell an account to a debt collector.
H. Not attempt to collect on an account.
I. Notify law enforcement.
J. Determine that no response is warranted given the particular circumstances.
K. Ask the customer to appear in person with government-issued identification.
L. Require a deposit to be paid before providing service.
M. Do not provide account information to anyone other than the account holder, or other individual authorized by the account holder.
N. Update all account information.
O. Deactivate payment method, such as a credit card registered for online payment.
P. Connect or disconnect service.
Q. Initiate an investigation.
In addition to any of the actions above, the general manager or his designee will be notified of any red flags discovered. (Res. 2565 § 1 (Exh. A(VIII)), 2008)
2.75.120 Training of staff.
District staff that will be directly involved with opening customer accounts or servicing customer accounts in a manner that would place them in a position to detect red flags or allow them access to customers’ private information shall be trained to detect red flags and appropriately respond when red flags are discovered. The district’s staff participation is crucial to the effective implementation of this program.
The general manager or his designee will oversee all staff training to ensure that training is adequate to ensure effective implementation of the program. (Res. 2565 § 1 (Exh. A(IX)), 2008)
2.75.130 Oversight of third party service provider involved with customer accounts.
If the district employs a third party service provider to perform any activity in connection with a customer account, the general manager is responsible for ensuring that the activity is conducted in compliance with reasonable policies and procedures to detect, prevent and mitigate the risk of identity theft. This may be achieved by requiring that a third party service provider has policies and procedures to detect the red flags identified by the district, and also requiring the third party service provider to review the district’s program and agree to report any red flags to the general manager or his designee. (Res. 2565 § 1 (Exh. A(X)), 2008)
2.75.140 Use of a third party service provider to assist in the implementation of the program.
The district may hire a third party service provider in order to implement this program. The third party service provider may provide services such as the implementation and administration of computer software programs that detect red flags. If a third party service provider is used to assist in the detection of red flags, the third party service provider is required to immediately notify the general manager or his designee if any red flags are discovered.
The general manager or his designee is responsible for overseeing any third party service provider in an appropriate and effective manner. The general manager’s oversight shall include periodic meetings and/or receipt and review of periodic reports from the third party service provider regarding what services are being provided, any red flags that have been detected, and any possible modifications to the services provided to increase their effectiveness. (Res. 2565 § 1 (Exh. A(XI)), 2008)
2.75.150 Periodic identification of customer accounts.
The general manager or his designee will periodically review the types of accounts it maintains for customers to determine which are covered accounts under the Red Flag Rules, and therefore are subject to this program. (Res. 2565 § 1 (Exh. A(XII)), 2008)
2.75.160 Periodic update of the program.
A. This program shall be updated periodically to ensure that the identified red flags, the procedures to detect red flags, and the responses to the red flags when discovered adequately protect customers from identity theft. The updating of the program should take into consideration any changes in the customers’ level of risk of identity theft by looking at the following factors:
1. The district’s recent experiences with identity theft in connection with the customer accounts.
2. Changes in methods of identity theft.
3. Changes in methods of detecting, preventing and mitigating identity theft.
4. Changes in the types of customer accounts offered.
5. Changes in arrangements with any third party service providers involved in the implementation of the program.
B. District staff may recommend modifications to the program. However, any substantive modification to the program may not be implemented unless first approved by the board of directors. Nonsubstantive modifications to the program will be made under the authority of the general manager. (Res. 2565 § 1 (Exh. A(XIII)), 2008)