SL Logo

City Council

Agenda Request

Agenda Of:

11-17-09

Agenda Request No:

iii-b

Initiated By:

Linda Symank Linda Symank Initials

Director of Fiscal Services

Responsible Department:

Fiscal Administration

Presented By:

Linda Symank

Director of Fiscal Services

Department Head:

Linda Symank Linda Symank Initials

Director of Fiscal Services

 

 

Additional Department. Head (s):

 

Subject / Proceeding:

Approval of Utilities Billing and Collection Identity Theft Program In Compliance with the Fair & Accurate Credit Transaction Act of 2003 As Amended

Exhibits:

Identify Theft Red Flag Policy

Ordinance

Clearances

Approval

Legal:

N/A

Executive Director:

n/a

Purchasing:

n/a

Asst. City Manager:

Karen GlynnKHG INITALS

Budget:

n/a

City Manager:

Allen BogardSIGNATUR

Budget

Expenditure Required:  $

n/a

Amount Budgeted/Reallocation:  $

n/a

Additional Appropriation:  $

n/a

Recommended Action

Approve Utilities Billing and Collection Identify Theft Red Flag Program and Policy

Executive Summary

The Fair & Accurate Credit Transaction Act of 2003 (FACTA) was amended to require creditors to adopt an Identify Theft Prevention Program (Red Flag Policy).  The Red Flag Rule is an anti-fraud regulation that requires creditors and financial institutions with covered accounts to develop a program that will identify, detect, and respond to warning signs that could indicate identify theft. The Rule defines creditors and includes utility companies in the definition.  A municipal utility is a creditor with covered accounts as defined by the Rule and required to comply with the amendment.

 

The Federal Trade Commission (FTC) has delayed enforcement of the rule in order to provide needed resources and guidance to clarify who was covered and what must be done to be in compliance with the Red Flag Rule.  The new compliance deadline is June 1, 2010.    Cities have been provided with a sample policy.  We have used this policy as a basis for developing our policy for Utility Billing and Collection.

 

The new requirements were reviewed with the Finance/Audit Committee.  They supported our position to document our current procedures and to develop a policy in compliance with the law, involving only departments and employees covered by the amendment.

 

The attached policy identifies red flags that pertain to our operations and documents our procedures for detecting and responding to these red flags.  We have formalized the program by establishing an Identity Theft Committee comprised of the Treasurer, Director of Fiscal Services, and the Director of Human Resources.  The Committee will be responsible for administration of the program and ensuring required training, reporting, and updating of the program is completed.   Our proposed policy covers all the necessary actions that the City must take in order to be in full compliance with FACTA.  We have been conscious of the potential for identity theft and already had procedures in place that would protect confidential information.  This policy formalizes those procedures and in a documented program that is required to be approved by the governing body.     

 

 

Exhibits

 

Resolution No. 09-40

Adopted by Res. No.

Date of adoption:           

Effective date:

 

 

 

RESOLUTION NO. 09-40

 

A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF SUGAR LAND, TEXAS, ADOPTING A CITY COUNCIL POLICY REGARDING IDENTITY THEFT IN ACCORDANCE WITH AN AMENDMENT TO THE FAIR AND ACCURATE CREDIT TRANSACTION ACT OF 2003; PROVIDING A SEVERABILITY CLAUSE AND DECLARING AN EFFECTIVE DATE.

 

WHEREAS, a recent amendment to the Fair and Accurate Credit Transactions Act of 2003 requires the development of an Identity Theft Prevention Program; and

 

WHEREAS, the new rules require municipal utilities and other departments to implement an identity theft program; and

 

WHEREAS, this Resolution is being passed in full accordance with all requirements of State law, including, but not limited to the Open Meeting Act; and

 

WHEREAS, the City Council determines that the passage of this Resolution is in the best interest of the public; NOW THEREFORE,

 

 

BE IT RESOLVED BY THE CITY COUNCIL

OF THE CITY OF SUGAR LAND, TEXAS:

 

 

Section l.  That the City Council adopts the following policy:

 

 

Utility Billing and Collection Identity Theft Prevention Program

 

 

The Fair & Accurate Credit Transaction Act of 2003 (FACTA) was amended to require adoption of an Identity Theft Prevention Program by cities who extend credit to consumers.  These regulations, known as Red Flag Regulations, require creditors to develop and implement an Identity Theft Program to detect, prevent and diminish identity theft in connection with certain accounts.  According to the Rule, a municipal utility is a creditor subject to the Rule requirements.  Each program must contain reasonable policies and procedures to identify relevant Red Flags for new and existing covered accounts, identify ways to detect and respond to Red Flags to prevent and mitigate identity theft and to ensure that the program is updated periodically to reflect changes in risks to customers or to the safety and soundness of the creditor from Identity Theft. 

 

According to the Rule, a municipal utility is a creditor subject to the Rule requirements.  The Rule defines creditors “to include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

 

All the Utility’s accounts that are individual utility service accounts held by customers of the utility whether residential, commercial or industrial are covered by the Rule. 

 

This policy is authorized by City Council with approval of this Resolution.

 

 

Identify Theft

Fraud committed using the indentifying information of another person.

 

 

Red Flag

A pattern, practice, or specific activity that indicates the possible existence of Identify Theft.

 

 

Covered Account

Any account the Utility offers or maintains primarily for personal, family, or household purposes, that involves multiple payments or transactions; and any other account the Utility offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the Utility from Identity Theft.

 

 

Creditor Covered by Rule

Includes finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

 

 

Identifying Information

Any name or number that may be used, alone or in conjunction with any other information to identify a specific person, including:  name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer’s Internet Protocol address, or routing code.

 

POLICY

 

The City of Sugar Land shall protect its utility customers from identity theft by training staff to indentify, detect, and respond to Red Flags that indicate a potential fraudulent activity, by protecting sensitive information that may be used for identity theft in accordance with Texas State Library and Archives Commission approved records retention schedule, customer confidentiality provisions, and the City’s open records policy, and by having a secured web site maintained by the City’s Information Technology Department.

In order to identify relevant Red Flags, Utility Billing and Collection has considered the types of accounts that it offers and maintains, the methods it provides to open its accounts, the methods it provides to access its accounts, and its previous experiences with Identity Theft. 

 

Utility Billing and Collection has identified the following red flags, in each of the listed categories:

 

B.  Suspicious Documents

  1. Identification document or card that appears to be forged, altered or inauthentic;
  2. Identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;
  3. Other document with information that is not consistent with existing customer information (such as if a person’s signature on a check appears forged); and
  4. Application for service that appears to have been altered or forged.

 

C.  Suspicious Personal Identifying Information

  1. Identifying information presented that is inconsistent with other information the customer provides (example: inconsistent birth dates);
  2. Identifying information presented that is inconsistent with other sources of information;
  3. Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
  4. Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
  5. An address or phone number presented that is the same as that of another person;
  6. A person fails to provide complete personal identifying information on an application when reminded to do so (however, by law social security numbers must not be required); and
  7. A person’s identifying information is not consistent with the information that is on file for the customer.

 

D.  Suspicious Account Activity or Unusual Use of Account

  1. Change of address for an account followed by a request to change the account holder's name;
  2. Payments stop on an otherwise consistently up-to-date account;
  3. Account used in a way that is not consistent with prior use (example: very high activity);
  4. Mail sent to the account holder is repeatedly returned as undeliverable;
  5. Notice to the Utility that a customer is not receiving mail sent by the Utility;
  6. Notice to the Utility that an account has unauthorized activity;
  7. Breach in the Utility's computer system security; and
  8. Unauthorized access to or use of customer account information

 

E.  Alerts from Others

  1. Notice to the Utility from a customer, identity theft victim, law enforcement or other person that it has opened or is maintaining a fraudulent account for a person engaged in Identity Theft.

 

II. DETECTING RED FLAGS

 

A.    New Accounts

 

In order to detect any of the Red Flags identified above associated with the opening of a new account, employees will carefully review all documents submitted for new service.  The City of Sugar Land accepts applications via facsimile, Internet, and in person.  Utility personnel will take the following steps to obtain and verify the identity of the person opening the account:

 

  1. Require certain identifying information such as name, date of birth, residential or business address, principal place of business for an entity, driver's license or other identification;
  2. Verify the customer's identity (for instance, review a driver's license or other identification card);
  3. Review documentation showing the existence of a business entity; and
  4. Independently contact the customer.

 

B.     Existing Accounts

 

In order to detect any of the Red Flags identified above for an existing account, Utility personnel will take the following steps to monitor transactions with an account:

 

  1. Verify the identification of customers if they request information (in person, via telephone, via facsimile, via email);
  2. Verify the validity of requests to change billing addresses; and
  3. Verify changes in banking information given for billing and payment purposes.

 

III. PREVENTING AND MITIGATING IDENFITY THEFT

 

In the event Utility personnel detect any identified Red Flags, such personnel shall take one or more of the following steps, depending on the degree of risk posed by the Red Flag:

 

  1. Continue to monitor an account for evidence of Identity Theft;
  2. Contact the customer;
  3. Change any passwords or other security devices that permit access to accounts;
  4. Not open a new account;
  5. Close an existing account;
  6. Reopen an account with a new number;
  7. Notify the Program Administrator for determination of the appropriate step(s) to take;
  8. Notify law enforcement; or
  9. Determine that no response is warranted under the particular circumstances.

 

IV. PROTECT CUSTOMER IDENTIFYING INFORMATION

 

In order to further prevent the likelihood of Identity Theft occurring with respect to Utility accounts, Utility Billing and Collection will take the following steps with respect to its internal operating procedures to protect customer identifying information:

 

  1. Ensure that its website is secure or provide clear notice that the website is not secure;
  2. Ensure complete and secure destruction of paper documents and computer files containing customer information;
  3. Ensure that office computers are password protected and that computer screens lock after a set period of time;
  4. Request only the last 4 digits of social security numbers (if any);
  5. Ensure computer virus protection is up to date;
  6. Require and keep only the kinds of customer information that are necessary for utility purposes;
  7. If identifying information is maintained, then file cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with sensitive information will be locked when not in use;
  8. Storage rooms containing documents with sensitive information and record retention areas will be locked at the end of the workday or when unsupervised; and
  9. Desks, workstations, work areas, printers and fax machines, and common shared work areas will be cleared of all documents containing sensitive information when not in use.

 

V. PROGRAM UPDATES

 

The Treasury Manager over Utility Billing and Collection is designated the Program Administrator.  The Program Administrator will periodically review and update this Program to reflect changes in risks to customers and the soundness of the Utility from Identity Theft.  In doing so, the Program Administrator will consider the Utility's experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the Utility's business arrangements with other entities.  After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted.  If warranted, the Program Administrator will update the Program or present the City Council with his or her recommended changes and the City Council will make a determination of whether to accept, modify or reject those changes to the Program.

 

VI. PROGRAM ADMINISTRATION

 

Responsibility for developing, implementing and updating this Program lies with an Identity Theft Committee for Utility Billing and Collection.  The Committee is headed by a Program Administrator who is the Treasury Manager over Utility Billing and Collection and includes the Director of Fiscal Services and Director of Human Resources as committee members.  The Program Administrator will be responsible for the Program administration, for ensuring appropriate training of Utility staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program. 

 

VII. STAFF TRAINING AND REPORTS

 

Training shall be conducted for employees for whom it is reasonably foreseeable that they may come into contact with accounts or personally identifiable information that may constitute a risk to the City or its customers.  The Program Administrator is responsible for ensuring identity theft training for all requisite employees is completed in compliance with this policy and subsequently, as part of the initial training for all new employees.

 

The Program Administrator shall provide reports to the Committee on incidents of Identity Theft.  The Program Administrator is responsible for reviewing this policy on an annual basis to ensure compliance with current Red Flag Rule guidelines and appropriate responses in the event that fraudulent activity is discovered.  

           

The Treasury Manager is responsible for the enforcement of this policy.

 

 

 

 

APPROVED on   ______________________________, 2009.

           

           

 

                                                                                                _________________________

                                                                                                James A. Thompson, Mayor

 

 

 

ATTEST:

 

 

 

_____________________________

Glenda Gundermann, City Secretary

 

Reviewed for Legal Compliance:

 

SIGNATURe