HomeMy WebLinkAbout109-09 RESOLUTIONRESOLUTION NO. 109-09
A RESOLUTION APPROVING AND ADOPTING POLICY
AND PROCEDURE NO. BC -04 "IDENTITY THEFT
PREVENTION PROGRAM" TO COMPLY WITH
PROVISIONS OF THE FAIR AND ACCURATE CREDIT
TRANSACTIONS (FACT) ACT.
BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF
FAYETTEVILLE, ARKANSAS:
Section 1. That the City Council of the City of Fayetteville, Arkansas, hereby
approves and adopts Policy and Procedure No. BC -04 "Identity Theft Prevention
Program" to comply with provisions of the Fair and Accurate Credit Transactions
(FACT) Act. A copy of the Policy and Procedure, marked Exhibit "A," is attached
hereto and made a part hereof.
�{GdR441i F[ F"3R`F7�cp/PjP n
PASSED and APPROVED this 19th day of May, 2009. ;
E FAYETTEVI LLE
G) tea`
se�'�/�oepdo C'°tee
aae0°
By:
AN, Mayor SO DRASMITH, City Clerk/Treasurer
APPROVED:
B
ATTEST:
Rainy Laycox
Submitted By
City of Fayetteville Staff Review Form
City Council Agenda Items
and
Contracts, Leases or Agreements
5/19/2009
City Council Meeting Date
Agenda Items Only
Billing & Collections
Division
Action Required:
Finance
Department
Council approval for Mayor to sign Policy and Procedure establishing an Identity Theft Prevention Program. This
program was mandated by the Federal Trade Commission which requires every utility, including public electric, water
and systems, such as the City of Fayetteville to implement an Identity Theft Program. The FTC requirements and
regulations are necessary because of § 114 of the Fair and Accurate Credit Transactions Act (FACIA).
$
1 f A
Cost of this request
N/A
Account Number
N/A
Project Number
Category 1 Project Budget
N/A
$
Program Category / Project Name
N/A
Funds Used to Date Program / Project Category Name
NIA
Remaining Balance Fund Name
Budgeted Item 1-1 Budget Adjustment Attached 1-1
Department Director
City Attorney
0 -
"73 -ZOO
Date
L,L
Finance and Internal Services Director
Date
5 -q -
Date
Previous Ordinance or Resolution #
Original Contract Date:
207 Original Contract Number:
Received in
Mayor's Office
ENT
Comrnents:The FTC Red Flag Rules are to be adopted and in place by May 1, 2009
Revised January 15, 2Qp9
THE CITY OF FAYEI I EVILLE, ARKANSAS
DEPARTMENTAL CORRESPONDENCE
To: Mayor Lioneld Jordan and Fayetteville City Council
From: Paul Becker, Finance Director
Date: April 24, 2009
Subject: Identity Theft Prevention Program
Recommendation
Staff recommends approval of a resolution requesting the council to approve a Identity Theft
Prevention Program. A copy of the policy is attached.
Discussion
The Federal Trade Commission has mandated that utility systems that extend credit in any way to
customers implement an Identity Theft Program. This includes the City of Fayetteville's water &
sewer system. The mandate was necessary to meet the requirements embodied in the Fair and
Accurate Transactions Act. The Billings and Collections Division drafted the policy using suggested
guidelines.
Budget
The implementation of this policy will have no budget impact at this time.
RESOLUTION NO.
A RESOLUTION APPROVING AND ADOPTING POLICY AND
PROCEDURE No. BC -04 "IDENTITY THEFT PREVENTION PROGRAM"
TO COMPLY WITH PROVISIONS OF THE FAIR AND ACCURATE
CREDIT TRANSACTIONS (FACT) ACT.
BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF
FAYETTEVILLE, ARKANSAS:
Section 1. That the City Council of the City of Fayetteville, Arkansas, hereby
approves and adopts Policy and Procedure No. BC -04 "Identity Theft Prevention
Program" to comply with provisions of the Fair and Accurate Credit Transactions
(FACT) Act. A copy of the Policy and Procedure, marked Exhibit "A," is attached
hereto and made a part hereof.
PASSED and APPROVED this 19th day of May, 2009.
APPROVED: ATTEST:
By: By:
LIONELD JORDAN, Mayor SONDRA E. SMITH, City Clerk/Treasurer
BC -04
Page 1 of 3
CITY OF FAYETTEVILLE, ARKANSAS
POLICY AND PROCEDURE
Subject:
Identity Theft Prevention Program
Policy Number:
BC -04
Original Policy Date:
May 1, 2009
Effective Date of New/Revised Policy:
May 1, 2009
Revision Dates:
Custodian: (Division)
Billing and Collections
Mayor's Signature and Date
BC -04.0 PURPOSE:
To comply with the Federal Trade Commission (FTC) Red Flag Rules which was developed pursuant to
the Fair and Accurate Credit Transactions (FACT) Act of 2003 and which requires every utility, including
public utilities such as the City of Fayetteville to implement an Identity Theft Prevention Program (ITPP).
The City of Fayetteville adopts this sensitive information policy to help protect employees, customers, and
the municipality from damages related to the Toss or misuse of sensitive information.
BC -04.1 PROCEDURE:
COMPLIANCE OFFICER
RED FLAGS
The Compliance Officer for this ITPP and Policy and Procedure shall be the Billing
and Collections Manager or his/her designee. The Compliance Officer shall conduct
training of all City utility employees that transact business with customers of the City's
utilities. The Compliance Officer shall periodically review this program and recommend
any necessary updates to the City Council.
The FTC regulations identify numerous red flags that must be considered in
adopting an ITPP. The FTC has defined a red flag as a pattern, practice, or specific
activity that indicates the possible existence of identity theft. The City identifies the
following red flags from the examples provided in the regulations of the FTC:
a. Suspicious documents - Possible red flags include:
i. presentation of documents appearing to be altered or forged;
ii. presentation of photographs or physical descriptions that are not
consistent with the appearance of the applicant or customer;
iii. presentation of other documentation that is not consistent with the
information provided when the account was opened or existing customer
information;
iv. presentation of information that is not consistent with the account
application; or
v. presentation of an application that appears to have been altered, forged,
destroyed, or reassembled.
BC -04
Page 2 of 3
b. Suspicious personal identifying information - Possible red flags include:
i. personal identifying information is being provided by the customer that is
not consistent with other personal identifying information provided by
the customer or is not consistent with the customer's account
application;
ii. personal identifying information is associated with known fraudulent
activity;
the social security number (if required or obtained) is the same as that
submitted by another customer;
i. the telephone number or address is the same as that submitted by
another customer;
iv. the applicant's failure to provide all personal identifying information
requested on the application; or
v. the applicant or customer's inability to provide authenticating information
beyond that which generally would be available to a consumer.
c. Unusual use of or suspicious activity related to an account - possible red flags
include:
i. a change of address for an account followed by a request to change the
account holder's name;
ii. a change of address for an account followed by a request to add new or
additional authorized users or representatives;
iii. an account is not being used in a way that is consistent with prior use
(such as late or no payments when the account has been timely in the
past);
iv. a new account is used in a manner commonly associated with known
patterns of fraudulent activity (such as customer fails to make the first
payment or makes the first payment but no subsequent payments);
v. mail sent to the account holder is repeatedly returned as undeliverable;
vi. the City receives notice that a customer is not receiving his paper
statements; or
vii. the City receives notice of unauthorized activity on the account.
d. Notice regarding possible identity theft - Possible red flags includes:
i. notice from a customer, an identity theft victim, law enforcement
personnel or other reliable sources regarding possible identity theft or
phishing related to utility accounts.
RED PROOF OF IDENTITY
Any person or entity opening a utility account shall provide a complete
application and provide satisfactory evidence of their identity and/or address. Said proof
may include but not be limited to: a valid driver's license; passport; state or federal
identification card; or military identification card. The required application must be
completed in its entirety and must be signed in order to establish a utility account.
RED CONFIDENTIALITY OF APPLICATIONS AND ACCOUNT INFORMATION
All personal information, personal identifying information, account applications
and account information collected and maintained by the City shall be a confidential
record of the City and shall not be subject to disclosure unless otherwise required by
State or Federal Law. Additionally, any employee with access to utility customers'
personal information, account applications or account information shall be required to
keep such information in confidence and protect the privacy of Customers. Please see
BC -04
Page 3 of 3
the section titled Confidential Information (34.1) in Policy and Procedure HR -34, Ethics
and Conflict of Interest Statement.
RED ACCESS TO UTILITY ACCOUNT INFORMATION
Access to utility account information shall be limited to approved City employees
with a verified need as determined by the Compliance Officer for the policy. Any
computer that has access to utility customer account or personal identifying information
shall be password protected and all computer screens shall be locked when the employee
leaves the work station. All paper and non -electronic based utility account or customer
personal identifying information shall be stored and maintained in a locked room or
cabinet and access shall only be granted by the Compliance Officer or his/her designee,
or in the alternative shall be scanned for secure, password protected, digital storage, and
then shredded
RED CREDIT CARD TRANSACTIONS
Credit card transactions shall only be processed by a third party processor that
complies with all appropriate credit card processing requirements of the card issuer.
Credit card payments made to the City shall comply with the merchant agreement and/or
card holders agreement.
RED SUSPICIOUS TRANSACTIONS
Suspicious transactions include but are not limited to the presentation of
incomplete applications; unsigned applications; payment by someone other than the
person named on the utility account; presentation of inconsistent signatures, addresses
or identification. Suspicious transactions shall not be processed and shall be immediately
referred to the Compliance Officer.
NOTIFICATION OF LAW ENFORCEMENT
The Compliance Officer shall use his/her discretion on whether to report
suspicious transactions to the police department or other appropriate law enforcement.
ANNUAL REPORT
An annual report, as required by FTC regulations, shall be provided by the Billing
and Collections division to the Mayor's Chief of Staff. The contents of the annual report
shall address and/or evaluate at least the following:
a) the effectiveness of the policies and procedures of the City in addressing the risk of
identity theft in connection with the opening of utility accounts and with respect to
access to existing utility accounts; and
b) software, credit-card processing, and service provider arrangements; and
c) any incidents involving identity theft, or suspected identity theft, with utility accounts
and the City's remedial response; and
d) any changes, or proposed changes, in methods to identify identity theft and/or to
prevent identity theft; and
e) any recommendations for changes or modifications to the City's ITPP.