3034Adopted by the City Council on February 10, 2009.
ATTEST:
Ro raid R. Cone, Finance Director
Ronald C. Covey, mayor
RESOLUTION NO. 3034
A RESOLUTION ADOPTING AN IDENTITY THEFT PREVENTION PROGRAM
PURSUANT TO THE FAIR AND ACCURATE CREDIT TRANSACTION ACT OF 2003.
RECITALS:
1.The municipal utilities of the City of Moses Lake are considered "creditors" under the Fair and
Accurate Credit Transaction Act of 2003 (Act).
2.The municipal utilities of the City of Moses Lake extend "credit" as defined in the Act by
deferring payment for services rendered.
3.The municipal utilities of the City of Moses Lake maintain "covered accounts" as defined in the
Act.
4.The City of Moses Lake desires to adopt a policy establishing an Identity Theft Prevention
Program pursuant to the Act.
RESOLVED:
1. Adoption of the Identity Theft Prevention Program. The City of Moses Lake's policy and
procedures for identifying, detecting, and responding to identity theft, attached hereto as
Attachment A and adopted by this reference as if set forth in full, are hereby adopted for use
by the City of Moses Lake municipal utilities to the fullest extent consistent with state law.
•
Subject:
IDENTITY THEFT PREVENTION
PROGRAM
Index:
UTILITIES
CITY OF MOSES LAKE
POLICY AND PROCEDURE
Number:
2009- 01
Effective Date:Approved by:Supersedes:Page 1 of 4
February 10, 2009 Council N/A
1.0 PURPOSE:
The Federal Trade Commission ("FTC") requires every utility, including public water,
sewer and solid waste collection systems, to implement an Identity Theft Prevention
Program ("ITPP").
2.0 OPERATIONS AFFECTED:
All utilities.
3.0 REFERENCES:
Pub. L. 108-159, 117 Stat. 1952 (2003)
16 C.F.R. § 681.2
4.0 POLICY:
4.1 Findings. The Federal Trade Commission ("FTC") requires every utility,
including public water, sewer and solid waste collection systems, to
implement an Identity Theft Prevention Program ("ITPP"). The FTC
requirement and regulation is necessary because of Section 114 of the Fair
and Accurate Credit Transactions Act ("FACT Act"). The FTC has set forth
the ITPP requirement in 16 C.F.R. § 681.2. Identify theft is defined as a
fraud committed or attempted using identifying information of another person
without authority. The City of Moses Lake ("City") adopts the program set
forth in this policy to comply with FTC rules and regulations. In drafting its
ITPP, the City has considered: (1) the methods it provides to open its
accounts; (2) the methods it provides to access its accounts; and (3) its
previous experiences with identity theft. Based on these considerations, the
governing authority of the City hereby determines that the City is a low to
moderate risk entity and as a result develops and implements the
streamlined ITPP set forth in this Policy and Procedure. Further, the City
determines that the only covered accounts offered by the City are those
under its utilities (water, sewer and solid waste collection.).
Attachment A
•
•
•
IDENTIFY THEFT PREVENTION
NUMBER 2009 - 01
Page 2 of 4 •4.2 Red Flags. The FTC regulations identify numerous red flags that must be
considered in adopting an ITPP. The FTC has defined a red flag as a
pattern, practice, or specific activity that indicates the possible existence of
identity theft. The City identifies the following red flags from the examples
provided in the regulations of the FTC:
A. Notifications from Consumer Reporting Agencies. The City does not
request, receive, obtain or maintain information about its utility
customers from any Consumer Reporting Agency.
B Suspicious documents. Possible red flags include:
1.presentation of documents appearing to be altered or forged;
2.presentation of photographs or physical descriptions that are
not consistent with the appearance of the applicant or
customer;
3.presentation of other documentation that is not consistent with
the information provided when the account was opened or
existing customer information;
4.presentation of information that is not consistent with the
account application; or
•
5. presentation of an application that appears to have been
altered, forged, destroyed, or reassembled.
C. Suspicious personal identifying information. Possible red flags include:
1.personal identifying information is being provided by the
customer that is not consistent with other personal identifying
information provided by the customer or is not consistent with
the customer's account application;
2.personal identifying information is associated with known
fraudulent activity;
3.the social security number (if required or obtained) is the same
as that submitted by another customer;
4.the telephone number or address is the same as that
submitted by another customer;
5.the applicant failed to provide all personal identifying information requested on the application; or
6.the applicant or customer cannot provide authenticating
information beyond that which generally would be available
from a wallet or consumer report. •
IDENTIFY THEFT PREVENTION NUMBER 2009 - 01
Page 3 of 4
D.
Unusual use of or suspicious activity related to an account. Possible
red flags include:
1.a change of address for an account followed by a request to
change the account holder's name;
2.a change of address for an account followed by a request to
add new or additional authorized users or representatives;
3.an account is not being used in a way that is consistent with
prior use (such as late or no payments when the account has
been timely in the past);
4.a new account is used in a manner commonly associated with
known patterns of fraudulent activity (such as customer fails to
make the first payment or makes the first payment but no
subsequent payments);
5.mail sent to the account holder is repeatedly returned as
undeliverable;
6.the City receives notice that a customer is not receiving his
paper statements; or
7.the City receives notice of unauthorized activity on the account.
E. Notice regarding possible identity theft. Possible red flags include
notice from a customer, an identity theft victim, law enforcement
personnel or other reliable sources regarding possible identity theft or
phishing related to utility accounts.
4.3 Proof of Identity. Any person or entity opening a utility account shall provide
a complete application and provide satisfactory evidence of their identity
and/or address. Said proof may include but not be limited to: a valid driver's
license; passport; state, federal, employer, or school issued identification
card; or military identification card. The required application must be
completed in its entirety and must be signed in order to establish a utility
account.
4.4 Confidentiality of Applications and Account Information. All personal
information, personal identifying information, account applications and
account information collected and maintained by the City shall be a
confidential record of the City and shall not be subject to disclosure unless
otherwise required by State or Federal Law. Additionally, any employee with
access to utility customers' personal information, account applications or
account information shall be required to execute and abide by the
Confidentiality and Nondisclosure Policy of the City.
4.5 Access to utility account information. Access to utility account information
shall be limited to employees that provide customer service and technical
support to them City's utilities. Any computer that has access to utility
customer account or personal identifying information shall be password
protected and all computer screens shall lock after no more than fifteen (15)•
•
•
•
IDENTIFY THEFT PREVENTION
NUMBER 2009 - 01
Page 4 of 4
minutes of inactivity. All paper and non-electronic based utility account or
customer personal identifying information shall be stored and maintained in
a locked room or cabinet and access shall only be granted by the
Compliance Officer or his/her designee.
4.6 Credit Card Transactions. All internet or telephone credit card payments shall
only be processed through a third party service provider which certifies that
it has an identity theft prevention program operating and in place. Credit card
payments accepted in person shall require a reasonable connection between
the person or entity billed for the utility services and the credit card owner.
4.7 Suspicious Transactions. Suspicious transactions include but are not limited
to the presentation of incomplete applications; unsigned applications;
payment by someone other than the person named on the utility account;
presentation of inconsistent signatures, addresses or identification.
Suspicious transactions shall not be processed and shall be immediately
referred to the Compliance Officer.
4.8 Notification of Law Enforcement. The Compliance Officer shall use his/her
discretion on whether to report suspicious transactions to the police
department or other appropriate law enforcement.
4.9 Third Party Service Providers. All transactions processed through a third
party service provider shall be permitted only if the service provider certifies
that it has complied with the FTC regulations and has in place a consumer
identity theft prevention program.
4.10 Compliance Officer and Training. The Compliance Officer for this ITPP and
Section shall be the Finance Director or his/her designee. The Compliance
Officer shall conduct training of all city employees that transact business with
customers of the City's utilities. The Compliance Officer shall periodically
review this program and recommend any necessary updates to the City
Council.
4.11 Annual Report. An annual report, as required by FTC regulations, shall be
provided by the Compliance Officer to the City Manager. The contents of the
annual report shall address and/or evaluate at least the following:
A.the effectiveness of the policies and procedures of the City in
addressing the risk of identity theft in connection with the opening of
utility accounts and with respect to access to existing utility accounts;
B.service provider arrangements;
C.incidents involving identity theft with utility accounts and the City's
response;
D.changes in methods of identity theft and the prevention of identity
theft; and
E.recommendations for changes to the City's ITPP.
•
•
•