§ 39.05 IDENTITY THEFT PREVENTION PROGRAM.
   (A)   Identification of relevant red flags.
      (1)   The municipality has considered the guidelines and the illustrative examples of possible red flags from the FTC’s Identity Theft Rules and has reviewed the municipality’s past history with instances of identity theft, if any.
      (2)   The municipality hereby determines that the following are the relevant red flags for purposes of this program given the relative size of the municipality and the limited nature and scope of the services that the municipality provides to its citizens.
         (a)   Alerts, notifications or other warnings received from consumer reporting agencies or service providers.
            1.   A fraud or active duty alert is included with a consumer report or an identity verification response from a credit reporting agency;
            2.   A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report;
            3.   A consumer reporting agency provides a notice of address discrepancy, as defined in § 681.1(b) of the FTC’s Identity Theft Rules; and
            4.   A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
               a.   A recent and significant increase in the volume of inquiries;
               b.   An unusual number of recently established credit relationships;
               c.   A material change in the use of credit, especially with respect to recently established credit relationships; or
               d.   An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
         (b)   The presentation of suspicious documents.
            1.   Documents provided for identification appear to have been altered or forged;
            2.   The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification;
            3.   Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification;
            4.   Other information on the identification is not consistent with readily accessible information that is on file with the municipality, such as a signature card or a recent check; and
            5.   An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
         (c)   The presentation of suspicious personal identifying information, such as a suspicious address change.
            1.   Personal identifying information provided is inconsistent when compared against external information sources used by the municipality. For example:
               a.   The address does not match any address in the consumer report or CRA ID Check response; or
               b.   The Social Security number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
            2.   Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the Social Security number range and date of birth;
            3.   Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the municipality. For example:
               a.   The address on an application is the same as the address provided on a fraudulent application; or
               b.   The phone number on an application is the same as the number provided on a fraudulent application.
            4.   Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the municipality. For example:
               a.   The billing address on an application is fictitious, a mail drop or a prison; or
               b.   The phone number is invalid or is associated with a pager or answering service.
            5.   The Social Security number provided is the same as that submitted by other persons opening an account or other customers;
            6.   The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers;
            7.   The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete;
            8.   Personal identifying information provided is not consistent with personal identifying information that is on file with the municipality; and
            9.   If the municipality uses challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
         (d)   The unusual use of, or other suspicious activity related to, a covered account.
            1.   Shortly following the notice of a change of address for a covered account, the municipality receives a request for the addition of authorized users on the account;
            2.   A new utility account is used in a manner commonly associated with known patterns of fraud. For example: the customer fails to make the first payment or makes an initial payment but no subsequent payments;
            3.   A covered account with a stable history shows irregularities;
            4.   A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors);
            5.   Mail sent to the customer is returned repeatedly as undeliverable although usage of utility products or services continues in connection with the customer’s covered account;
            6.   The municipality is notified that the customer is not receiving paper account statements; and
            7.   The municipality is notified of unauthorized usage of utility products or services in connection with a customer’s covered account.
         (e)   Notice of possible identity theft. The municipality is notified by a customer, a victim of identity theft, a law enforcement authority or any other person that it has opened a fraudulent account for a person engaged in identity theft.
   (B)   Detection of red flags.
      (1)   The employees of the municipality that interact directly with customers on a day-to-day basis shall have the initial responsibility for monitoring the information and documentation provided by the customer and any third-party service provider in connection with the opening of new accounts and the modification of or access to existing accounts and the detection of any red flags that might arise. Management shall see to it that all employees who might be called upon to assist a customer with the opening of a new account or with modifying or otherwise accessing an existing account are properly trained so that they have a working familiarity with the relevant red flags identified in this program so as to be able to recognize any red flags that might surface in connection with the transaction. An employee who is not sufficiently trained to recognize the red flags identified in this program shall not open a new account for any customer, modify any existing account or otherwise provide any customer with access to information in an existing account without the direct supervision and specific approval of a management employee. Management employees shall be properly trained so that they can recognize the relevant red flags identified in this program and exercise sound judgment in connection with the response to any unresolved red flags that may present themselves in connection with the opening of a new account or with modifying or accessing of an existing account. Management employees shall be responsible for making the final decision on any unresolved red flags.
      (2)   The Program Administrator shall establish from time to time a written policy setting forth the manner in which a prospective new customer may apply for service, the information and documentation to be provided by the prospective customer in connection with an application for a new utility service account, the steps to be taken by the employee assisting the customer with the application in verifying the customer’s identity and the manner in which the information and documentation provided by the customer and any third-party service provider shall be maintained. This policy shall be generally consistent with the spirit of the customer identification program rules (31 C.F.R. § 103.121) implementing § 326(a) of the USA Patriot Act but need not be as detailed. The Program Administrator shall establish from time to time a written policy setting forth the manner in which customers with existing accounts shall establish their identity before being allowed to make modifications to or otherwise gain access to existing accounts.
   (C)   Response to detected red flags.
      (1)   (a)   If the responsible employees of the municipality as set forth in division (B) above are unable, after making a good faith effort, to form a reasonable belief that they know the true identity of a customer attempting to open a new account or modify or otherwise access an existing account based on the information and documentation provided by the customer and any third-party service provider, the municipality shall not open the new account or modify or otherwise provide access to the existing account as the case may be.
         (b)   Discrimination in respect to the opening of new accounts or the modification or access to existing accounts will not be tolerated by employees of the municipality and shall be grounds for immediate dismissal.
      (2)   The Program Administrator shall establish from time to time a written policy setting forth the steps to be taken in the event of an unresolved red flag situation. Consideration should be given to aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer’s account, or a notice that a customer has provided account information to a fraudulent individual or website. Appropriate responses to prevent or mitigate identity theft when a red flag is detected include:
         (a)   Monitoring a covered account for evidence of identity theft;
         (b)   Contacting the customer;
         (c)   Changing any passwords, security codes or other security devices that permit access to a covered account;
         (d)   Reopening a covered account with a new account number;
         (e)   Not opening a new covered account;
         (f)   Closing an existing covered account;
         (g)   Not attempting to collect on a covered account or not selling a covered account to a debt collector;
         (h)   Notifying law enforcement; and
         (i)   Determining that no response is warranted under the particular circumstances.
(Ord. 08-1110-10, passed 11-10-2008)