2009/04/28 Item 3

CITY COUNCIL AGENDA STATEMENT
CITY OF CHULA VISTA
APRIL 28, 2009, Item 3

ITEM TITLE: RESOLUTION OF THE CITY COUNCIL OF THE CITY OF CHULA VISTA ESTABLISHING AN IDENTITY THEFT PREVENTION PROGRAM IN COMPLIANCE WITH THE FAIR AND ACCURATE CREDIT TRANSACTION (FACT) ACT

SUBMITTED BY: DIRECTOR OF FINANCE/TREASURER
REVIEWED BY: CITY MANAGER, ASSISTANT CITY MANAGER

SUMMARY

The Federal Trade Commission (FTC), in accordance with the Fair and Accurate Credit Transaction (FACT) Act, has set "red flag" rules requiring the City to establish written programs which provide for the detection of and response to specific activities ("red flags") that could be related to identity theft.

4/5THS VOTE: YES [ ] NO [ ]

ENVIRONMENTAL REVIEW

The Environmental Review Coordinator has reviewed the proposed activity for compliance with the California Environmental Quality Act (CEQA) and has determined that the activity is not a "Project" as defined under Section 15378(b)(4) of the State CEQA Guidelines; therefore, pursuant to Section 15060(c)(3) of the State CEQA Guidelines the activity is not subject to CEQA. Thus, no environmental review is necessary.

RECOMMENDATION

Council approve the resolution.

BOARDS/COMMISSION RECOMMENDATION

Not applicable.

DISCUSSION

In accordance with the Fair and Accurate Credit Transaction (FACT) Act adopted by the federal government, the Federal Trade Commission (FTC) has set "red flag" rules requiring the City to establish written programs, which provide for the detection of and response to specific activities ("red flags") that could be related to identity theft. Any private or public entity that extends credit to customers by first providing goods or services and then billing for them later is subject to these requirements.
As a municipal utility provider, the City is subject to this requirement since it provides sewer service and bills for the service after it has been rendered. In short, the City extends credit to its customers from the time it provides the service until the time that payment is actually received by the City.

The primary goals of the proposed program (Attachment A) are:

1. Identify relevant patterns, practices and specific activities (referred to in the program as "red flags") that signal possible identity theft relating to information maintained in the City's customer accounts, both those currently existing and those accounts established in the future.
2. Detect "red flags" after the program has been implemented.
3. Respond promptly and appropriately to detected "red flags" to prevent or mitigate identity theft relating to the City's customer account information.
4. Ensure that the program is updated periodically to reflect any necessary changes.
5. Establish a process for administration and oversight of the program.

Along with all other municipal utility providers in the nation, the City is required to formally adopt an identity theft prevention program by May 1, 2009. The proposed program will comply with FTC requirements and provide greater security for the City's sewer billing customers.

DECISION MAKER CONFLICT

Staff has reviewed the decision contemplated by this action and has determined that it is not site specific and consequently the 500 foot rule found in California Code of Regulations section 18704.2(a)(1) is not applicable to this decision.

FISCAL IMPACT

Current Year Impact
This action should have no impact to the General Fund.

On-Going Impact
There should be no future impacts to the General Fund.

ATTACHMENTS

A. Identity Theft Prevention Program Administrative Policy

Prepared by: N. Mandery, Treasury Manager, Finance Dept.

City of Chula Vista
Finance Department
Utility Billing Division

Identity Theft Prevention Program

This program is in response to and in compliance with the Fair and Accurate Credit Transaction (FACT) Act of 2003 and the final rules and guidelines for the FACT Act issued by the Federal Trade Commission and federal bank regulatory agencies in November 2007

Adopted by Resolution # on April 28, 2009

Identity Theft Prevention Program

Purpose

This document was created in order to comply with regulations issued by the Federal Trade Commission (FTC) as part of the implementation of the Fair and Accurate Credit Transaction (FACT) Act of 2003. The FACT Act requires that financial institutions and creditors implement written programs which provide for detection of and response to specific activities ("red flags") that could be related to identity theft. These programs must be in place by May 1, 2009.

The FTC regulations require that the program must:

1. Identify relevant red flags and incorporate them into the program
2. Identify ways to detect red flags
3. Include appropriate responses to red flags
4. Address new and changing risks through periodic program updates
5. Include a process for administration and oversight of the program

Program Details

Relevant Red Flags

Red flags are warning signs or activities that alert a creditor to potential identity theft. The guidelines published by the FTC include 26 examples of red flags which fall into the five categories below:

• Alerts, notifications or other warnings received from consumer reporting agencies or service providers
• Presentation of suspicious documents
• Presentation of suspicious personal identifying information
• Unusual use of, or other suspicious activity related to, a covered account
• Notice from customers, victims of identity theft, or law enforcement authorities

After reviewing the FTC guidelines and examples, City staff determined that the following red flags are applicable to utility accounts. These red flags, and the appropriate response, are the focus of this program.

1. Suspicious Documents and Activities
   a. Documents provided for identification appear to have been altered or forged.
   b. The photograph on the identification is not consistent with the physical appearance of the customer.
   c. Other information on the identification is not consistent with the information provided by the customer.
   d. The customer does not provide required identification documents when attempting to establish a utility account or make a payment.
   e. A customer refuses to provide proof of identity when discussing an established utility account.
   f. A person other than the account holder or co-applicant requests information or asks to make changes to an established utility account.
   g. An employee requests access to the billing system or information about a utility account, and the request is inconsistent with the employee's role in the City.
2. A customer notifies the Finance Department of any of the following activities:
   a. Utility statements are not being received several months in a row.
   b. Unauthorized changes to the utility account.
   c. Unauthorized charges on a utility account.
   d. Fraudulent activity on the customer's bank account or credit card that is used to pay utility charges.
3. The Finance Department is notified by a customer, a victim of identity theft, or a member of law enforcement that a utilities account has been opened for a person engaged in identity theft.

Detecting and Responding to Red Flags

Red flags will be detected as utility billing employees interact with customers. An employee will be alerted to these red flags during the following processes:

1. Establishing a new utility account: When establishing a new account, a customer is asked to provide a name, social security number and service address. The utility billing employee is presented with information that appears inconsistent.
   Response: Do not establish the utility account until the customer's identity has been confirmed.
2. Reviewing customer identification in order to process a payment or enroll the customer in the automatic clearing house (ACH) program: The utility billing employee is presented with documents that appear altered or inconsistent with the information provided by the customer.
   Response: Do not accept payment until the customer's identity has been confirmed.
3. Answering customer inquiries on the phone, via email, and at the counter: Someone other than the account holder asks for information about a utility account (including online bill pay accounts) or asks to make changes to the information on an account, or a customer refuses to verify their identity when asking about an account.
   Response: Inform the customer that only the account holder can receive information about the utility account. Do not make changes to or provide any information about the account.
4. Processing requests from City employees: Employees may submit requests for information from the billing system that are inconsistent with the role they play at the City.
   Response: All requests for information from the billing system should be reviewed for appropriateness. If the information requested does not fall within the scope of that employee's job, the request will be denied. Only the Utility Billing Division staff and the appropriate ITS staff have direct access to the billing system.
5. Receiving notification that there is unauthorized activity associated with a utility account: Customers may call to alert the City about fraudulent activity related to their utility account and/or bank account or credit card used to make payments on the account.
   Response: Verify the customer's identity, and notify the Accounting Technician immediately. Take appropriate actions to correct the errors on the account, which includes:
   a. Assisting the customer with deactivation of their payment method (ACH and Online bill pay)
   b. Updating personal information on the utility account
   c. Updating the mailing address on the utility account
   d. Updating account notes to document the fraudulent activity
   e. Notifying and working with law enforcement officials
6. Receiving notification that a utility account has been established for a person engaged in identity theft:
   Response: These issues should be escalated to the Accounting Technician immediately. The claim will be investigated, and appropriate action will be taken to resolve the issue as quickly as possible.

Additional procedures that help Utility billing staff to protect against identity theft include:

1. Ensuring that office computers are password protected.
2. Keeping cubicles and common area work spaces clear of papers containing customer information.
3. Ensuring that customer ACH information is filed in a locked cabinet.

Administration and Oversight of the Program

Finance Department staff is required to prepare an annual report which addresses the effectiveness of the program, documents significant incidents involving identity theft and related responses, provides updates related to external service providers, and includes recommendations for material changes to the program.

The program will be reviewed at least annually and updated as needed based on the following:

1. Experience with identity theft
2. Changes to the types of accounts and/or programs offered
3. Implementation of new systems and/or new vendor contracts

Specific roles are as follows:

The Accounting Technician will prepare an annual report to the Treasury Manager for review. The Accounting Technician will also oversee the daily activities related to identity theft detection and prevention, and ensure that all members of the Utility Billing division are trained to detect and respond to red flags.

The Treasury Manager will provide ongoing oversight to ensure that the program is effective.

The Director of Finance will review the annual report and approve recommended changes to the program, both annually and on an as-needed basis.

The City Council must approve the initial program.

City of Chula Vista
Finance Department
Utility Billing Division

Identity Theft Prevention Program

This program is in response to and in compliance with the Fair and Accurate Credit Transaction (FACT) Act of 2003 and the final rules and guidelines for the FACT Act issued by the Federal Trade Commission and federal bank regulatory agencies in November 2007.

Adopted by Resolution # on April 28, 2009

Identity Theft Prevention Program

Purpose

This document was created in order to comply with regulations issued by the Federal Trade Commission (FTC) as part of the implementation of the Fair and Accurate Credit Transaction (FACT) Act of 2003. The FACT Act requires that financial institutions and creditors implement written programs which provide for detection of and response to specific activities ("red flags") that could be related to identity theft. These programs must be in place by May 1, 2009.

The FTC regulations require that the program must:

1. Identify relevant red flags and incorporate them into the program
2. Identify ways to detect red flags
3. Include appropriate responses to red flags
4. Address new and changing risks through periodic program updates
5. Include a process for administration and oversight of the program

City of Chula Vista Utility Billing Division Identity Theft Prevention Program, Page 2 of 6

Program Details

Relevant Red Flags

Red flags are warning signs or activities that alert a creditor to potential identity theft. The guidelines published by the FTC include 26 examples of red flags which fall into the five categories below:

• Alerts, notifications or other warnings received from consumer reporting agencies or service providers
• Presentation of suspicious documents
• Presentation of suspicious personal identifying information
• Unusual use of, or other suspicious activity related to, a covered account
• Notice from customers, victims of identity theft, or law enforcement authorities

After reviewing the FTC guidelines and examples, City staff determined that the following red flags are applicable to utility accounts. These red flags, and the appropriate response, are the focus of this program.

1. Suspicious Documents and Activities
   a. Documents provided for identification appear to have been altered or forged.
   b. The photograph on the identification is not consistent with the physical appearance of the customer.
   c. Other information on the identification is not consistent with the information provided by the customer.
   d. The customer does not provide required identification documents when attempting to establish a utility account or make a payment.
   e. A customer refuses to provide proof of identity when discussing an established utility account.
   f. A person other than the account holder or co-applicant requests information or asks to make changes to an established utility account.
   g. An employee requests access to the billing system or information about a utility account, and the request is inconsistent with the employee's role in the City.
2. A customer notifies the Finance Department of any of the following activities:
   a. Utility statements are not being received several months in a row.
   b. Unauthorized changes to the utility account.
   c. Unauthorized charges on a utility account.
   d. Fraudulent activity on the customer's bank account or credit card that is used to pay utility charges.
3. The Finance Department is notified by a customer, a victim of identity theft, or a member of law enforcement that a utilities account has been opened for a person engaged in identity theft.

Detecting and Responding to Red Flags

Red flags will be detected as utility billing employees interact with customers. An employee will be alerted to these red flags during the following processes:

1. Establishing a new utility account: When establishing a new account, a customer is asked to provide a name, social security number and service address. The utility billing employee may be presented with information that appears inconsistent.
   Response: Do not establish the utility account until the customer's identity has been confirmed.
2. Reviewing customer identification in order to process a payment or enroll the customer in the automatic clearing house (ACH) program: The utility billing employee may be presented with documents that appear altered or inconsistent with the information provided by the customer.
   Response: Do not accept payment until the customer's identity has been confirmed.
3. Answering customer inquiries on the phone, via email, and at the counter: Someone other than the account holder may ask for information about a utility account (including online bill pay accounts) or may ask to make changes to the information on an account. A customer may also refuse to verify their identity when asking about an account.
   Response: Inform the customer that only the account holder may receive information about the utility account. Do not make changes to or provide any information about the account.
4. Processing requests from City employees: Employees may submit requests for information from the billing system that are inconsistent with the role they play at the City.
   Response: All requests for information from the billing system should be reviewed for appropriateness. If the information requested does not fall within the scope of that employee's job, the request will be denied. Only the Utility Billing Division staff and the appropriate ITS staff have direct access to the billing system.
5. Receiving notification that there is unauthorized activity associated with a utility account: Customers may call to alert the City about fraudulent activity related to their utility account and/or bank account or credit card used to make payments on the account.
   Response: Verify the customer's identity, and notify the Utility Billing Supervisor immediately. Take appropriate actions to correct the errors on the account, which may include:
   a. Assisting the customer with deactivation of their payment method (ACH and Online bill pay)
   b. Updating personal information on the utility account
   c. Updating the mailing address on the utility account
   d. Updating account notes to document the fraudulent activity
   e. Notifying and working with law enforcement officials
6. Receiving notification that a utility account has been established for a person engaged in identity theft:
   Response: These issues should be escalated to the Utility Billing Supervisor immediately. The claim will be investigated, and appropriate action will be taken to resolve the issue as quickly as possible.

Additional procedures that help Utility billing staff to protect against identity theft include:

1. Ensuring that office computers are password protected.
2. Keeping cubicles and common area work spaces clear of papers containing customer information.
3. Ensuring that customer ACH information is filed in a locked cabinet.

Administration and Oversight of the Program

Finance Department staff is required to prepare an annual report which addresses the effectiveness of the program, documents significant incidents involving identity theft and related responses, provides updates related to external service providers, and includes recommendations for material changes to the program.

The program will be reviewed at least annually and updated as needed based on the following:

1. Experience with identity theft
2. Changes to the types of accounts and/or programs offered
3. Implementation of new systems and/or new vendor contracts

Specific roles are as follows:

The Utility Billing Supervisor will prepare an annual report to the Treasury Manager for review. The Utility Billing Supervisor will also oversee the daily activities related to identity theft detection and prevention, and ensure that all members of the Utility Billing division are trained to detect and respond to red flags.

The Treasury Manager will provide ongoing oversight to ensure that the program is effective.

The Director of Finance will review the annual report and approve recommended changes to the program, both annually and on an as-needed basis.

The City Council must approve the initial program.

RESOLUTION NO. 2009-

RESOLUTION OF THE CITY COUNCIL OF THE CITY OF CHULA VISTA ESTABLISHING AN IDENTITY THEFT PREVENTION PROGRAM IN COMPLIANCE WITH THE FAIR AND ACCURATE CREDIT TRANSACTION (FACT) ACT

WHEREAS, the Federal Trade Commission ("FTC"), in accordance with the Fair and Accurate Credit Transaction (FACT) Act, has adopted regulations requiring "creditors" to develop and implement an identity theft prevention program, and

WHEREAS, because the City of Chula Vista provides sewer service to its customers, it is a "creditor" under the applicable FTC regulations and must therefore comply with those regulations by adopting and implementing an identity theft prevention program, and

WHEREAS, the City Council desires to take action to comply with the applicable FTC regulations by adopting an identity theft prevention program.

NOW, THEREFORE, BE IT RESOLVED that the City Council of the City of Chula Vista hereby adopts, and directs staff to implement, the Identity Theft Prevention Program.

Presented by
Maria Kachadoorian
Director of Finance

City Attorney