Agenda Report - October 15, 2008 K-04
AGENDA ITEM K-04
CITY OF LODI
COUNCIL COMMUNICATION
AGENDA TITLE: Adopt Resolution Approving Policies and Procedures for Customer Credit Security
Program In Accordance with the Fair & Accurate Credit Transactions Act of 2003
MEETING DATE: October 15, 2008
SUBMITTED BY: Financial Services Division
RECOMMENDED ACTION: Adopt Resolution Approving Policies and Procedures for Customer
Credit Security Program In Accordance With the Fair & Accurate
Credit Transactions Act of 2003
BACKGROUND INFORMATION: Congress enacted the Fair & Accurate Credit Transactions ("FACT")
Act of 2003 to curtail the effects of identity theft. Recently the Act
was amended to require all creditors, including local governmental
agencies that defer payments for goods or services (such as utility payments) to implement an identity
theft prevention program utilizing warning signs, so called "red flags", as indicators of identity theft, e.g.,
altered identification documents or inconsistent personal identifying information.
In accordance with the FACT Act, creditors must determine whether covered accounts are subject to a
risk of identity theft and, if necessary, implement a consumer credit protection program designed to
detect, prevent, and mitigate identity theft in customer accounts. The program also should incorporate the
creditor's existing policies and procedures where applicable, and provide for continued administration of
consumer credit protections. The Act requires that such a program be approved and implemented by
November 1, 2008.
To meet the mandates of the FACT Act, City staff performed a needs assessment taking into account the
existing business practices, policies and procedures currently in place to safeguard customer identity,
account information and financial transactions associated with customers' utilities accounts. Some
policies and procedures, when appropriate, were modified to incorporate the four basic elements for
detecting, preventing, and mitigating identity theft by enabling City's Financial Services Division to:
(i) identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible
identity theft and incorporate those "red flags" into the program; (ii) detect "red flags" that have been
incorporated into the identity theft prevention program; (iii) respond appropriately to any "red flags" that
are detected to prevent and mitigate identity theft; and (iv) ensure the identity theft prevention program is
updated periodically to reflect changes in risks from identity theft.
To ensure compliance under the FACT Act, federal government regulators will be required to evaluate
public agencies and their adherence to their identity theft prevention programs and, when necessary,
impose fines where the disregard of "red flags" has resulted in losses to consumers.
The proposed Policies and Procedures for Customer Credit Security Program in Accordance with the Fair
& Accurate Credit Transactions Act of 2003 attached for Council's consideration was drafted taking into
account the results of the needs assessment and analysis of the "red flag rules" issued by the Federal
Trade Commission.
APPROVED: City Manager
As indicated in the proposed Policies and Procedures, a subcommittee comprised of a designated
Privacy Officer and Internal Services staff will be created to implement and administer the proposed
program and will create, at least annually, a report on its compliance with the FACT Act for consideration
by the Council. In addition, the subcommittee will identify necessary changes, which, when implemented,
will increase data security, automate manual processing, establish electronic audit trails by tracking
history for all activities, and improve reporting capability, all of which serve to protect the credit
information of City's utility customers.
COSTS: Operating costs to implement the program, if any, are unknown at this time.
FUNDING: Current Budget
Ruby P ' to
Financial Services Manager
PREPARED BY: Kevin Bell, Utility Rate Analyst (EUD)
Janice D. Magdich, Deputy City Attorney
RESOLUTION NO. 2008-206
A RESOLUTION OF THE LODI CITY COUNCIL
APPROVING POLICIES AND PROCEDURES FOR
CUSTOMER CREDIT SECURITY PROGRAM IN
ACCORDANCE WITH THE FAIR & ACCURATE CREDIT
TRANSACTIONS ACT OF 2003
WHEREAS, the Fair & Accurate Credit Transactions ("FACT") Act of 2003 was
enacted by Congress to curtail the effects of identity theft; and
WHEREAS, the FACT Act was recently amended to require all creditors
(including local governmental agencies that defer payments for goods or services) to
implement an identity theft prevention program by establishing policies and procedures
utilizing warning signs, so called "red flags," as indicators of identity theft; and
WHEREAS, in accordance with the FACT Act, creditors must determine whether
covered accounts are subject to a risk of identity theft, and, if necessary, implement a
consumer credit protection program designed to detect, prevent, and mitigate identity
theft in customer accounts. The program also should incorporate the creditor's existing
policies and procedures where applicable and provide for continued administration of
consumer credit protections. The Act requires that such a program be approved and
implemented by November 1, 2008; and
WHEREAS, in order to meet the mandates of the FACT Act, City staff performed
a needs assessment taking into account the existing business practices, policies, and
procedures currently in place to safeguard customer identity, account information, and
financial transactions associated with customers' utilities accounts and when appropriate
modified or enhanced these policies and procedures to incorporate the four basic
elements for detecting, preventing, and mitigating identity theft by enabling City's
Financial Services Division to:
(i) identify relevant patterns, practices, and specific forms of activity that are
"red flags" signaling possible identity theft and incorporate those "red
flags" into the program;
(ii) detect "red flags" that have been incorporated into the identity theft
prevention program;
(iii) respond appropriately to any "red flags" that are detected to prevent and
mitigate identity theft; and
(iv) ensure the identity theft prevention program is updated periodically to
reflect changes in risks from identity theft; and
WHEREAS, to ensure compliance under the FACT Act, federal government
regulators will be required to evaluate public agencies and their adherence to their
identity theft prevention programs and when necessary impose fines where the
disregard of "red flags" has resulted in losses to consumers.
WHEREAS, staff recommends approval of the Policies and Procedures for
Customer Credit Security Program in Accordance with the Fair & Accurate Credit
Transactions Act of 2003 attached marked Exhibit A; and
WHEREAS, as indicated in the proposed Policies and Procedures, a
subcommittee has been created to develop, implement, and administer the proposed
program and will create, at least annually, a report on its compliance with the FACT Act
for consideration by the Council. In addition, the subcommittee will identify necessary
changes, which, when implemented, will increase data security, automate manual
processing, establish electronic audit trails by tracking history for all activities, and
improve reporting capability, all of which serve to protect the credit information of City's
utility customers.
NOW, THEREFORE, BE IT RESOLVED, that the Lodi City Council does hereby
approve the Policies and Procedures for Customer Credit Security Program in
accordance with the FACT Act of 2003 as shown on Exhibit A attached hereto.
Dated: October 15, 2008
I hereby certify that Resolution No. 2008-206 was passed and adopted by the
City Council of the City of Lodi in a regular meeting held October 15, 2008, by the
following vote:
AYES: COUNCIL MEMBERS — Hansen, Hitchcock, Johnson, Katzakian,
and Mayor Mounce
NOES: COUNCIL MEMBERS — None
ABSENT: COUNCIL MEMBERS — None
ABSTAIN: COUNCIL MEMBERS — None
DI JOHL
City Clerk
EXHIBIT A
CITY OF LODI
PROCEDURES FOR CUSTOMER CREDIT SECURITY PROGRAM
PREPARED IN ACCORDANCE WITH THE
FAIR AND ACCURATE CREDIT TRANSACTION ACT OF 2003
Approved by Resolution of the City Council on October 15, 2008
Resolution No. 2008
Procedures for Customer Security Protection Program. 10/2008
PROCEDURES FOR CUSTOMER CREDIT SECURITY PROGRAM
PREPARED IN ACCORDANCE WITH THE
FAIR AND ACCURATE CREDIT TRANSACTION ACT OF 2003
Purpose.
The purpose of this Program is to comply with 16 CFR § 681.2 (Fair & Accurate
Credit Transaction Act of 2003) in order to detect, prevent and mitigate identity
theft by identifying and detecting identity theft red flags and by responding to
such red flags in a manner that will prevent identity theft for customers of the City
of Lodi.
Definitions.
For purposes of this Program, the following definitions apply:
(a) 'City' means the City of Lodi.
(b) 'Covered account' means (i) An account that a financial institution or
creditor offers or maintains, primarily for personal, family, or household
purposes, that involves or is designed to permit multiple payments or
transactions, such as a credit card account, mortgage loan, automobile
loan, margin account, cell phone account, utility account, checking
account, or savings account; and (ii) Any other account that the financial
institution or creditor offers or maintains for which there is a reasonably
foreseeable risk to customers or to the safety and soundness of the
financial institution or creditor from identity theft, including financial,
operational, compliance, reputation, or litigation risks.
(c) 'Credit' means the right granted by a creditor to a debtor to defer payment
of debt or to incur debts and defer its payment or to purchase property or
services and defer payment therefore.
(d) 'Creditor' means any person who regularly extends, renews, or continues
credit; any person who regularly arranges for the extension, renewal, or
continuation of credit; or any assignee of an original creditor who
participates in the decision to extend, renew, or continue credit and
includes utility companies and telecommunications companies.
(e) 'Customer' means a person that has a covered account with a creditor.
(f) 'Identity theft' means a fraud committed or attempted using identifying
information of another person without authority.
(g) 'Person' means a natural person, a corporation, government or
governmental subdivision or agency, trust, estate, partnership,
cooperative, or association.
(h) 'Personal Identifying information' means a person's credit card account
information, debit card information, bank account information and drivers'
license information and for a natural person includes their social security
number.
(i) 'Privacy Officer' means that City employee designated by City's Deputy
City Manager/Internal Services Director to administer City's Customer
Credit Security Program under the direction of City's Financial Services
Manager. The Privacy Officer will also oversee a committee of designated
City employees charged with reviewing and recommending modifications
and updates to the Program.
(j) 'Red flag' means a pattern, practice, or specific activity that indicates the
possible existence of identity theft.
(k) 'Service provider' means a person that provides a service directly to the
city.
Findings.
(1) The City is a creditor pursuant to 16 CFR § 681.2 due to its provision or
maintenance of covered accounts for which payment is made in arrears.
(2) Covered accounts offered to customers for the provision of city services
include electric, water, wastewater, refuse and other related charges/fees.
(3) The processes of opening a new covered account, restoring an existing
covered account, making payments on such accounts, and transferring
services have been identified as potential processes in which identity theft
could occur.
(4) City limits access to personal identifying information to those employees
responsible for or otherwise involved in opening or restoring covered
accounts or accepting payment for use of covered accounts. Information
provided to such employees is entered directly into the city's computer
system and is not otherwise recorded.
(5) City determines that there is a low risk of identity theft occurring in the
following ways:
a. Use by an applicant of another person's personal identifying
information to establish a new covered account;
b. Use of a previous customer's personal identifying information by
another person in an effort to have service restored in the previous
customer's name;
c. Use of another person's credit card, bank account, or other method
of payment by a customer to pay such customer's covered account
or accounts;
d. Use by a customer desiring to restore such customer's covered
account of another person's credit card, bank account, or other
method of payment.
Process of Establishing a Covered Account.
As a precondition to opening a covered account for City services, each
applicant shall provide one form of the following personal identifying
information:
a. State issued Driver's License or Identification card;
b. United States Passport;
c. United States Military Identification; or
d. United States Resident Alien Identification.
Each applicant shall also provide information necessary for the department
providing the service for which the covered account is created to verify
identity through a credit reporting agency.
Each applicant shall also provide written documentation of ownership or
rental/lease agreement signed under penalty of perjury by both the applicant
and the managing agent of the property.
Such information shall be entered directly into City's computer system and
shall not otherwise be recorded.
Access to Covered Account Information.
(1) Access to customer accounts shall be limited to authorized City personnel.
(2) Any unauthorized access to or other breach of customer accounts is to be
reported immediately to the Privacy Officer or in his/her absence the
Financial Services Manager or designee.
(3) Personal identifying information included in customer accounts is
considered confidential and any request or demand for such information
shall be immediately forwarded to the Privacy Officer or in his/her absence
the Financial Services Manager or designee.
Credit Card Payments.
(1) In the event that credit card payments that are made over the Internet are
processed through a third party service provider, such third party service
provider shall certify that it has an adequate identity theft prevention
program in place that is applicable to such payments.
(2) Account statements and receipts for covered accounts shall include only
the last four digits of the credit or debit card or the bank account used for
payment of the covered account.
Sources and Types of Red Flags.
All City employees responsible for or involved in the process of opening a
covered account, restoring a covered account or accepting payment for a
covered account shall check for red flags as indicators of possible identity theft
and such red flags may include:
(1) Alerts from consumer reporting agencies, fraud detection agencies or
service providers. Examples of alerts include but are not limited to:
a. A fraud or active duty alert that is included with a consumer report;
b. A notice of credit freeze in response to a request for a consumer
report;
c. A notice of address discrepancy provided by a consumer reporting
agency;
d. Indications of a pattern of activity in a consumer report that is
inconsistent with the history and usual pattern of activity of an
applicant or customer, such as:
i. A recent and significant increase in the volume of inquiries;
ii. An unusual number of recently established credit
relationships;
iii. A material change in the use of credit, especially with
respect to recently established credit relationships; or
iv. An account that was closed for cause or identified for abuse
of account privileges by a financial institution or creditor.
(2) Suspicious documents. Examples of suspicious documents include:
a. Documents provided for identification that appear to be altered or
forged;
b. Identification on which the photograph or physical description is
inconsistent with the appearance of the applicant or customer;
c. Identification on which the information is inconsistent with
information provided by the applicant or customer;
d. Identification on which the information is inconsistent with readily
accessible information that is on file with the financial institution or
creditor, such as a signature card or a recent check; or
e. An application that appears to have been altered or forged, or
appears to have been destroyed and reassembled.
(3) Suspicious personal identification, such as suspicious address change.
Examples of suspicious identifying information include:
a. Personal identifying information that is inconsistent with external
information sources used by the financial institution or creditor. For
example:
i. The address does not match any address in the consumer
report; or
ii. The Social Security Number (SSN) has not been issued, or
is listed on the Social Security Administration's Death Master
File.
b. Personal identifying information provided by the customer is not
consistent with other personal identifying information provided by
the customer.
c. Personal identifying information or a phone number or address, is
associated with known fraudulent applications or activities as
indicated by internal or third-party sources used by the financial
institution or creditor.
d. Other information provided, such as fictitious mailing address, mail
drop addresses, jail addresses, invalid phone numbers, pager
numbers or answering services, is associated with fraudulent
activity.
e. The SSN provided is the same as that submitted by other
applicants or customers.
f. The address or telephone number provided is the same as or
similar to the account number or telephone number submitted by
an unusually large number of applicants or customers.
g. The applicant or customer fails to provide all required personal
identifying information on an application or in response to
notification that the application is incomplete.
h. Personal identifying information is not consistent with personal
identifying information that is on file with the financial institution or
creditor.
i. The applicant or customer cannot provide authenticating
information beyond that which generally would be available from a
wallet or consumer report.
(4) Unusual use of or suspicious activity relating to a covered account.
Examples of suspicious activity include:
a. Shortly following the notice of a change of address for an account,
city receives a request for the addition of authorized users on the
account.
b. An account is used in a manner that is not consistent with
established patterns of activity on the account. There is, for
example:
i. Nonpayment when there is no history of late or missed
payments;
ii. A material change in payment patterns;
c. Mail sent to the customer is returned repeatedly as undeliverable
although transactions continue to be conducted in connection with
the customer's account.
d. City is notified that the customer is not receiving paper account
statements.
e. City is notified of unauthorized charges or transactions in
connection with a customer's account.
f. City is notified by a customer, law enforcement or another person
that it has opened a fraudulent account for a person engaged in
identity theft.
(5) Notice from customers, law enforcement, victims or other reliable sources
regarding possible identity theft or phishing relating to covered accounts.
Prevention and Mitigation of Identity Theft.
(1) In the event that any City employee responsible for or involved in restoring
an existing covered account or accepting payment for a covered account
becomes aware of red flags indicating possible identity theft with respect
to existing covered accounts, such employee shall use his or her
discretion to determine whether such red flag or combination of red flags
suggests a threat of identity theft. If, in his or her discretion, such
employee determines that identity theft or attempted identity theft is likely
or probable, such employee shall immediately report such red flags to the
Privacy Officer or in his/her absence the Financial Services Manager or
designee. If, in his/her discretion, such employee deems that identity theft
is unlikely or that reliable information is available to reconcile red flags, the
employee shall convey this information to the Privacy Officer, who may in
his/her discretion determine that no further action is necessary. If the
Privacy Officer or in his/her absence the Financial Services Manager or
designee determines that further action is necessary, a city employee
shall perform one or more of the following responses, as determined to be
appropriate:
a. Contact the customer;
b. Make the following changes to the account if, after contacting the
customer, it is apparent that someone other than the customer has
accessed the customer's covered account:
i. change any account numbers, passwords, security codes, or
other security devices that permit access to an account; or
ii. close the account;
c. Cease attempts to collect additional charges from the customer and
decline to sell the customer's account to a debt collector in the
event that the customer's account has been accessed without
authorization and such access has caused additional charges to
accrue;
d. Notify a debt collector within two business days of the discovery of
likely or probable identity theft relating to a customer account that
has been sold to such debt collector in the event that a customer's
account has been sold to a debt collector prior to the discovery of
the likelihood or probability of identity theft relating to such account;
e. Notify law enforcement, in the event that someone other than the
customer has accessed the customer's account causing additional
charges to accrue or accessing personal identifying information; or
f. Take other appropriate action to prevent or mitigate identity theft.
(2) In the event that any City employee responsible for or involved in opening
a new covered account becomes aware of red flags indicating possible
identity theft with respect to an application for a new account, such employee
shall use his or her discretion to determine whether such red flag or
combination of red flags suggests a threat of identity theft. If, in his or her
discretion, such employee determines that identity theft or attempted
identity theft is likely or probable, such employee shall immediately report
such red flags to the Privacy Officer or in his/her absence the Financial
Services Manager or designee. If, in his/her discretion, such employee
deems that identity theft is unlikely or that reliable information is available
to reconcile red flags, the employee shall convey this information to the
Privacy Officer, who may in his/her discretion determine that no further
action is necessary. If the Privacy Officer or in his/her absence the
Financial Services Manager or designee in his/her discretion determines
that further action is necessary, a City employee shall perform one or
more of the following responses, as determined to be appropriate:
a. Request additional identifying information from the applicant;
b. Deny the application for the new account;
c. Notify law enforcement of possible identity theft; or
d. Take other appropriate action to prevent or mitigate identity theft.
Updating this Program.
The City Council shall annually review and, as deemed necessary, update this
Program along with any relevant red flags in order to reflect changes in risks to
customers or to the safety and soundness of City and its covered accounts from
identity theft. In so doing, the City Council shall consider the following factors
and exercise its discretion in amending this Program:
(1) City's experiences with identity theft;
(2) Updates in methods of identity theft;
(3) Updates in customary methods used to detect, prevent, and mitigate
identity theft;
(4) Updates in the types of accounts that the city offers or maintains; and
(5) Updates in service provider arrangements.
Program Administration.
The Privacy Officer under the direction of the Financial Services Manager is
responsible for oversight of this Program and for Program implementation and
is responsible for reviewing reports prepared by City staff regarding
compliance with red flag requirements and with recommending material
changes to the Program, as necessary in the opinion of the City Manager or
City Attorney to address changing identity theft risks and to identify new or
discontinued types of covered accounts. Any recommended material
changes to the program shall be submitted to the City Council for
consideration and approval.
(1) Privacy Officer in coordination with the Financial Services Manager will
report to the City Manager and City Attorney at least annually, on
compliance with the red flag requirements. The report will address
material matters related to this Program and evaluate issues such as:
a. The effectiveness of the policies and procedures of City in
addressing the risk of identity theft in connection with the opening
of covered accounts and with respect to existing covered accounts;
b. Service provider arrangements;
c. Significant incidents involving identity theft and management's
response; and
d. Recommendations for material changes to the Program.
(2) The Privacy Officer or designee is responsible for providing training to all
employees responsible for or involved in opening a new covered account,
restoring an existing covered account or accepting payment for a covered
account with respect to the implementation and requirements of this
Program. The Privacy Officer in coordination with the Financial Services
Manager shall exercise their discretion in determining the amount and
substance of training necessary.
Outside Service Providers.
In the event that City engages a service provider to perform an activity in
connection with one or more covered accounts the Privacy Officer in coordination
with the Financial Services Manager shall exercise their discretion in reviewing
such arrangements in order to ensure, to the best of their ability, that the service
provider's activities are conducted in accordance with policies and procedures,
agreed upon by contract, that are designed to detect any red flags that may arise
in the performance of the service provider's activities and take appropriate steps
to prevent or mitigate identity theft.
Policies and Procedures for
Customer Credit Security
(2003 FACT Act Compliance)
City Council Regular Session
October 15, 2008
Overview of Fair & Accurate Credit
Transactions Act of 2003 Compliance
The FACT Act:
Enacted by Congress in 2003 to curtail effects of identity theft.
Amended in 2007 to require creditors, including
governmental agencies, to initiate identity theft
prevention policies if payments for goods or
services are deferred.
Accounts for City services such as electric, water,
wastewater and refuse are covered under the Act.
Purpose of the FACT Act:
• To detect, prevent and mitigate consumer identity
theft through adopted policies and procedures.
• To respond to indicators of identity theft — "red flag"
warnings - that will prevent City customers from
becoming victims of identity theft.
Examples of "Red Flag" Indicators of Identity Theft:
• Identification documents appear altered or forged.
• Consumer reporting agency initiates freeze on
customer's credit report.
• Social Security number is the same as other customers
or appears on SSA Death Master File.
• Existing account with a stable history begins to show
irregularities.
When Identity Theft Can Occur:
• Opening a new account.
• Restoring an existing account.
• Making payments on covered accounts.
• Transferring services.
How Do We Comply with the FACT Act?
• Limiting access to personal identifying information to
new account personnel only.
• Requiring applicants for service to provide information
necessary to verify identity through a credit reporting
agency.
• Requiring applicants to provide ownership
documentation or rental/lease agreement signed by both
the applicant and managing agent of the property.
How Do We Comply with the FACT Act? (cont.)
• Limiting access to new or existing customer accounts to
authorized personnel.
• Revising account statements and receipts for covered
accounts to include only the last four digits of the
credit/debit card or the bank account used for payment.
• Requiring third party service providers of internet
payment processing to certify application of an adequate
identity theft prevention program.
Customer Credit Security Protection Program
• Reviewed existing policies and procedures.
• Analyzed red flags and their effects on current business
practices.
• Identified areas of improvement (needs assessment).
• Incorporated identity theft protection enhancements
Completed FACT Act Requirements:
• Appointed a Privacy Officer.
• Reviewed current internal policies and business practices
for FACT Act compliance and completed needs
assessment.
• Created Policies and Procedures for Customer Credit
Security.
• Formed privacy committee to review and propose changes
based on needs assessment (final appointment of
department representatives to follow approval).
Final FACT Act Requirements:
• Council approval of Policies and Procedures for Customer
Credit Security Program
• Finalize compliance documents and reports
Recommendation: Staff recommends Council approval
of the proposed Policy and Procedures as submitted by
the Financial Services Manager and Privacy Officer