§ 36.64 IDENTITY THEFT PREVENTION ELEMENTS.
   (A)   Identification of relevant red flags. The village has considered the guidelines and the illustrative examples of possible red flags from the FTC's Identity Theft Rules and has reviewed the village's past history with instances of identity theft, if any. The village hereby determines that the following are the relevant red flags for purposes of this program given the relative size of the village and the limited nature and scope of the services that the village provides to its citizens:
      (1)   Alerts, notifications, or other warnings received from consumer reporting agencies or service providers.
         (a)   A consumer reporting agency alerts the village of a credit freeze, address disparity, or that an account has been noted to have abusive or fraudulent activity.
      (2)   The presentation of suspicious documents.
         (a)   Documents provided for ID do not appear to be genuine and unaltered.
         (b)   The photo or physical description is not consistent with the appearance of the applicant.
         (c)   Information given to open the account is not consistent with the ID of the applicant.
      (3)   The presentation of suspicious personal identifying information, such as a suspicious address change.
         (a)   Personal ID is of the same type associated with fraudulent activity: fictitious address, mail box drop, or prison or phone number is invalid; it is associated with a pager or answering service.
         (b)   Personal ID provided is associated with known fraudulent activity.
         (c)   Personal ID is inconsistent with utility records.
         (d)   The customer fails to provide all needed personal ID upon request.
      (4)   The unusual use of, or other suspicious activity related to, a covered account.
         (a)   The utility is notified of unauthorized charges or transactions in connection with a customer's account.
         (b)   Customer notifies utility that they are not receiving their bill.
         (c)   Mail sent to customer is repeatedly returned.
         (d)   Payments are made in a manner associated with fraud. For example, a deposit or initial payment is made and no payments are made thereafter.
      (5)   Notice of possible identity theft. Utility is notified by law enforcement officials or others, that it has opened a fraudulent account for a person engaged in identity theft.
   (B)   Detection of red flags.
      (1)   The employees of the village that interact directly with customers on a day-to-day basis shall have the initial responsibility for monitoring the information and documentation provided by the customer and any third-party service provider in connection with the opening of new accounts and the modification of or access to existing accounts and the detection of any red flags that might arise. Management shall see to it that all employees who might be called upon to assist a customer with the opening of a new account or with modifying or otherwise accessing an existing account are properly trained such that they have a working familiarity with the relevant red flags identified in this program so as to be able to recognize any red flags that might surface in connection with the transaction.
      (2)   An employee who is not sufficiently trained to recognize the red flags identified in this program shall not open a new account for any customer, modify any existing account or otherwise provide any customer with access to information in an existing account without the direct supervision and specific approval of a management employee. Management employees shall be properly trained such that they can recognize the relevant red flags identified in this program and exercise sound judgment in connection with the response to any unresolved red flags that may present themselves in connection with the opening of a new account or with modifying or accessing of an existing account. Management employees shall be responsible for making the final decision on any such unresolved red flags.
      (3)   The Program Administrator shall establish from time to time a written policy setting forth the manner in which a prospective new customer my apply for service, the information and documentation to be provided by the prospective customer in connection with an application for a new utility service account, the steps to be taken by the employee assisting the customer with the application in verifying the customer's identity and the manner in which the information and documentation provided by the customer and any third-party service provider shall be maintained. Such policy shall be generally consistent with the spirit of the Customer Identification Program rules (31 CFR § 103.121) implementing Section 326(a) of the USA Patriot Act but need not be as detailed. The Program Administrator shall establish from time to time a written policy setting forth the manner in which customers with existing accounts shall establish their identity before being allowed to make modifications to or otherwise gain access to existing accounts.
   (C)   Response to detected red flags.
      (1)   If the responsible employees of the village as set forth in the previous division are unable, after making a good faith effort, to form a reasonable belief that they know the true identity of a customer attempting to open a new account or modify or otherwise access an existing account based on the information and documentation provided by the customer and any third-party service provider, the village shall not open the new account or modify or otherwise provide access to the existing account as the case may be. Opening new accounts or the modification or access to existing accounts will be on a non-discriminatory basis based on the village's policies.
      (2)   The Program Administrator shall establish from time to time a written policy setting forth the steps to be taken in the event of an unresolved red flag situation. Consideration should be given to aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account, or a notice that a customer has provided account information to a fraudulent individual or website. Appropriate responses to prevent or mitigate identity theft when a red flag is detected include:
         (a)   Monitoring a covered account for evidence of identity theft.
         (b)   Contacting the customer.
         (c)   Changing any passwords, security codes, or other security devices that permit access to a covered account.
         (d)   Reopening a covered account with a new account number.
         (e)   Not opening a new covered account.
         (f)   Closing an existing covered account.
         (g)   Not attempting to collect on a covered account or not selling a covered account to a debt collector.
         (h)   Notifying law enforcement.
         (i)   Determining that no response is warranted under the particular circumstances.
(Ord. 08-0723, passed 10-15-08)