RESOLUTION NO. 09-04-21-03
A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF SAN JUAN
CAPISTRANO, CALIFORNIA ADOPTING AN IDENTITY THEFT
PREVENTION PROGRAM
WHEREAS, pursuant to federal law the Federal Trade Commission adopted
Identity Theft Rules requiring the creation of certain policies relating to the detection,
prevention and mitigation of identity theft; and
WHEREAS, the Federal Trade Commission regulations, adopted as 16 C.F.R.
§681.2, require creditors, as defined by 15 U.S.C. §1681a(r)(5), to adopt red flag
policies to prevent and mitigate identity theft with respect to covered accounts; and
WHEREAS, 15 U.S.C. §1681a(r)(5) cites 15 U.S.C. §1691a, which defines a
creditor as a person that extends, renews or continues credit, and defines "credit" in part
as the right to purchase property or services and defer payment thereof; and
WHEREAS, the City of San Juan Capistrano is a creditor with respect to 16
C.F.R. §681.2 by virtue of providing retail water and sewer services to its customers;
and
WHEREAS, the Federal Trade Commission regulations define "covered account"
in part as an account that a creditor provides for personal, family or household purposes
that is designed to allow multiple payments or transactions and specifies that a utility
account is a covered account; and
WHEREAS, the Federal Trade Commission regulations require each creditor to
adopt an Identity Theft Prevention Program which will use red flags to detect, prevent
and mitigate identity theft related to information used in covered accounts; and
WHEREAS, the City provides retail water and sewer services for which payment
is made after the service is provided; and
WHEREAS, the City Council desires to take action to comply with the applicable
FTC regulations by adopting an Identity Theft Prevention Program;
NOW, THEREFORE, IT IS RESOLVED, that the City Council of the City of San
Juan Capistrano hereby adopts, and directs staff to implement, the Identity Theft
Prevention Program attached hereto as Exhibit "A".
BE IT FURTHER RESOLVED, that the Customer Service Supervisor, or his or
her designee, shall implement and administer the Identity Theft Prevention Program.
1 04-21-2009
BE IT FURTHER RESOLVED, that the Assistant Director of Administrative
Services shall annually review the Identity Theft Prevention Program to determine if any
revisions are needed, and is hereby authorized and directed to make any changes in
the Identity Theft Prevention Program that are found to be necessary.
PASSED AND ADOPTED at a regular meeting of the City Council of the City of
San Juan Capistrano on this 21st day of April, 2009.
City of San Juan Capistrano
MARK NIELSEN, MAYOR
STATE OF CALIFORNIA )
COUNTY OF ORANGE ) ss.
CITY OF SAN JUAN CAPISTRANO )
I, MARGARET R. MONAHAN, appointed City Clerk of the City of San Juan Capistrano,
do hereby certify that the foregoing Resolution No. 09-04-21-03 was duly adopted by
the City Council of the City of San Juan Capistrano at a Regular meeting thereof, held
the 21st day of April 2009, by the following vote:
AYES: COUNCIL MEMBERS: Allevato, Freese, Hribar, Uso and Mayor Nielsen
NOES: COUNCIL MEMBER: None
ABSENT: COUNCIL MEMBER: None
R. MONAHAN, City Clerk
Administrative Services Department
Customer Service Division
Identity Theft Prevention Program
This program is in response to and in compliance with the
Fair and Accurate Credit Transaction (FACT) Act of 2003
and
The final rules and guidelines for the FACT Act issued by the
Federal Trade Commission and federal bank regulatory
agencies in November 2007
Adopted April XX, 2009
Exhibit A
Identity Theft Prevention Program
Purpose
This document was created in order to comply with regulations issued by the
Federal Trade Commission (FTC) as part of the implementation of the Fair and
Accurate Credit Transaction (FACT) Act of 2003. The FACT Act requires that
financial institutions and creditors implement written programs which provide for
detection of and response to specific activities ("red flags") that could be related
to identity theft. These programs must be in place by May 1, 2009.
The FTC regulations require that the program must:
1. Identify relevant red flags and incorporate them into the program
2. Identify ways to detect red flags
3. Include appropriate responses to red flags
4. Address new and changing risks through periodic program updates
5. Include a process for administration and oversight of the program
Program Details
Relevant Red Flags
Red flags are warning signs or activities that alert a creditor to potential identity
theft. The guidelines published by the FTC include 26 examples of red flags
which fall into the five categories below:
• Alerts, notifications, or other warnings received from consumer reporting
agencies or service providers
• Presentation of suspicious documents
• Presentation of suspicious personal identifying information
• Unusual use of, or other suspicious activity related to, a covered account
• Notice from customers, victims of identity theft, or law enforcement
authorities
After reviewing the FTC guidelines and examples, the Customer Service Division
determined that the following red flags are applicable to utility accounts. These
red flags, and the appropriate responses, are the focus of this program.
• A consumer credit reporting agency reports the following in response to a
credit check request:
o Fraud or active duty alert
o Credit freeze
o The Social Security Number (SSN) is invalid or belongs to a
deceased person
o The age or gender on the credit report is clearly inconsistent with
information provided by the customer
• Suspicious Documents and Activities
o Documents provided for identification appear to have been altered
or forged.
o The photograph on the identification is not consistent with the
physical appearance of the customer.
o Other information on the identification is not consistent with
information provided by the customer.
o The SSN provided by the customer belongs to another customer in
the Customer Information System (CIS).
o The customer does not provide required identification documents
when attempting to establish a utility account or make a payment.
o A customer refuses to provide proof of identity when discussing an
established utility account.
o A person other than the account holder or co-applicant requests
information or asks to make changes to an established utility
account.
• A customer notifies the Customer Service Division of any of the following
activities:
o Utility statements are not being received
o Unauthorized changes to a utility account
o Unauthorized charges on a utility account
o Fraudulent activity on the customer's bank account or credit card
that is used to pay utility charges
• The Customer Service Division is notified by a customer, a victim of
identity theft, or a member of law enforcement that a utilities account has
been opened for a person engaged in identity theft.
Detecting and Responding to Red Flags
Red flags will be detected as Customer Service Division employees interact with
customers and the City's credit reporting agency. An employee will be alerted to
these red flags during the following processes:
• Establishing a new utility account: When establishing a new account, a
customer is asked to provide a SSN so that the Customer Service
Representative (CSR) can run a credit check. Reports from the credit
reporting agency may contain red flags, or the customer may refuse to
provide their SSN.
Response: Do not establish the utility account. Ask the customer to
appear in person and provide a government-issued photo identification. If
one is not available, a copy of a utility bill in their name will need to be
provided. A deposit may also be required in order to establish service.
• Reviewing customer identification in order to establish an account,
process a payment, or enroll the customer in the automatic bank draft
(ABD) program: The CSRs may be presented with documents that
appear altered or inconsistent with the information provided by the
customer.
Response: Do not establish the utility account or accept payment until
the customer's identity has been confirmed.
• Answering customer inquiries on the phone, via email and at the counter:
Someone other than the account holder or co-applicant may ask for
information about a utility account (including Online BillPay accounts) or
may ask to make changes to the information on an account. A customer
may also refuse to verify their identity when asking about an account.
Response: Inform the customer that the account holder or the
co-applicant must give permission for them to receive information about the
utility account. Do not make changes to or provide any information about
the account, with one exception: if the service on the account has been
interrupted for non-payment, the CSR may provide the payment amount
needed for reconnection of service.
• Processing requests from City of San Juan Capistrano employees:
Employees may submit requests for information in the CIS system to the
Customer Service Division.
Response: All requests for direct access to the CIS system are
approved by the Customer Service Supervisor, so the Information
Technology Department should reject requests that have not received
appropriate approval. All other requests for information from the CIS
system should be reviewed to ensure that they do not violate any part of
the customer's privacy. Requests that are in violation of customer's
privacy will be denied.
• Receiving notification that there is unauthorized activity associated with a
utility account: Customers may call to alert the City about fraudulent
activity related to their utility account and/or the bank account or credit
card used to make payments on the account.
Response: Verify the customer's identity, and notify the Customer
Service Supervisor immediately. Take the appropriate actions to correct
the errors on the account, which may include:
o Issuing a service order to connect or disconnect services
o Assisting the customer with deactivation of their payment method
(ABD and Online BillPay)
o Updating personal information on the utility account
o Updating the mailing address on the utility account
o Updating account notes to document the fraudulent activity
o Adding a password to the account
o Notifying and working with law enforcement officials
• Receiving notification that a utilities account has been established for a
person engaged in identity theft.
Response: These issues should be escalated to the Customer Service
Supervisor immediately. The claim will be investigated, and appropriate
action will be taken to resolve the issue as quickly as possible.
Additional procedures that help to protect against identity theft include:
• Address Confirmation
The Customer Service Division (CSD) shall furnish the consumer's
address that CSD has reasonably confirmed is accurate to consumer
reporting agencies as part of the information that CSD regularly furnishes
for the reporting period in which CSD establishes a relationship with the
consumer. In an effort to ensure that CSD maintains accurate address
information for its consumers and to ensure CSD provides accurate
address information of our consumers to reporting agencies, at least one
of the following steps must be taken prior to providing the consumer's
address to the consumer reporting agency:
o Verify the address on file with the consumer;
o Confirm the address being sent to the consumer reporting agency
matches the address CSD has on file for that particular consumer;
o Compare the address with information received from any third-party
source; or
o Verify by other means that are reasonably available at the time.
• Address Discrepancies
Because CSD is a user of consumer reports, at least one of the following
steps must be taken when CSD receives notice from any consumer
reporting agency that a substantial difference exists between the address
for the consumer that CSD provided and the address(es) in the consumer
reporting agency's file for that particular consumer:
o Compare the differing address with CSD's file, by either (1) confirming
that the address information provided by CSD to the consumer
reporting agency is the same information CSD obtains and uses to
verify the consumer's identity in accordance with the requirements of
the Customer Information Program (CIP) rules (31 USC 5318(l)) (31
CFR 103.121); or (2) comparing the differing addresses with CSD
records and files, including applications, change of address
notifications, other customer account records, or retained CIP
documentation; or (3) comparing the differing addresses with
information CSD may have received from a third-party source; or
o Verify the information in the consumer report provided by the
consumer reporting agency with the consumer.
• CIS system access is based on the role of the user. Only certain job
classifications have access to the entire system.
• Customers may access limited information about their utility account
online and via the automated phone system. In order to access
information online, customers must enroll using their utility account
number and service address, and they must create a unique user
identification and password.
Administration and Oversight of the Program
Program Review and Update
Administrative Services Department staff is required to prepare an annual report
which addresses the effectiveness of the program, documents significant
incidents involving identity theft and related responses, provides updates related
to external service providers, and includes recommendations for material
changes to the program.
The program will be reviewed at least annually and updated as needed based on
the following events:
• Experience with identity theft
• Changes to the types of accounts and/or programs offered
• Implementation of new systems and/or new vendor contracts
Specific roles are as follows:
The Customer Service Supervisor will submit an annual report to the Assistant
Director of Administrative Services. The Customer Service Supervisor will also
oversee the daily activities related to identity theft detection and prevention, and
ensure that all members of the Customer Service Division staff are trained to
detect and respond to red flags.
The Assistant Director of Administrative Services will provide ongoing oversight
to ensure that the program is effective.
The Assistant Director of Administrative Services will review the annual report
and approve recommended changes to the program, both annually and on an
as-needed basis.
The City Council must approve the initial program.
Staff Training
Any employee with the ability to open a new account, or access/manage/close an
existing account will receive training on identifying and detecting Red Flags. They
will also be trained in the appropriate response actions in the event that an
instance of identity theft is suspected. Key management personnel in appropriate
departments will also receive training on the contents of this Program. As
necessary, employees will be re-trained annually if the Program is updated to
include new methods of identifying and detecting Red Flags, or if new response
actions are implemented.