CHAPTER 15. UTILITIES – WATER AND SOLID WASTE
Article 6. Identity Theft Prevention Program

This article shall be known as the Identity Theft Prevention Program.

(Ord. 908; Code 2022)

The purpose of this Article is to comply with 16 CFR § 681.2 in order to detect, prevent and mitigate identity theft by identifying and detecting identity theft red flags and by responding to such red flags in a manner that will prevent identity theft.

(Ord. 908; Code 2022)

For purposes of this Article, the following definitions apply:

(a)   ‘City’ means the City of Cottonwood Falls, Kansas.

(b)   ‘Covered account’ means (i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, covered account, checking account, or savings account; and (ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

(c)   ‘Credit’ means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.

(d)   ‘Creditor’ means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit and includes covered companies and telecommunications companies.

(e)   ‘Customer’ means a person that has a covered account with a creditor.

(f)   ‘Identity theft’ means a fraud committed or attempted using identifying information of another person without authority.

(g)   ‘Person’ means a natural person, a corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative, or association.

(h)   ‘Personal Identifying Information’ means a person’s credit card account information, debit card information, bank account information and driver’s license information and for a natural person includes their social security number, mother’s birth name, and date of birth.

(i)    ‘Red flag’ means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

(j)    ‘Service provider’ means a person that provides a service directly to the city.

(Ord. 908; Code 2022)

(a)   The city is a creditor pursuant to 16 CFR § 681.2 due to its provision or maintenance of covered accounts for which payment is made in arrears.

(b)   Covered accounts offered to customers for the provision of city services include water, sewer and solid waste accounts.

(c)   The processes of opening a new covered account, restoring an existing covered account and making payments on such accounts have been identified as potential processes in which identity theft could occur.

(d)   The city limits access to personal identifying information to those employees responsible for or otherwise involved in opening or restoring covered accounts or accepting payment for use of covered accounts. Information provided to such employees is entered directly into the city’s computer system and is not otherwise recorded.

(e)   The city determines that there is a moderate risk of identity theft occurring in the following ways (if any):

(1)   Use by an applicant of another person’s personal identifying information to establish a new covered account.

(2)   Use of a previous customer’s personal identifying information by another person in an effort to have service restored in the previous customer’s name;

(3)   Use of another person’s credit card, bank account, or other method of payment by a customer to pay such customer’s covered account or accounts;

(4)   Use by a customer desiring to restore such customer’s covered account of another person’s credit card, bank account, or other method of payment.

(Ord. 908; Code 2022)

As a precondition to opening a covered account in the city, each applicant shall provide the city with personal identifying information of the customer. Such information may include a valid government issued identification card containing a photograph of the customer or, for customers who are not natural persons, a photograph of the customer’s agent opening the account. Such information shall be entered directly into the city’s computer system and shall not otherwise be recorded.

Each account shall be assigned an account number which shall be unique to that account.

(Ord. 908; Code 2022)

All employees responsible for or involved in the process of opening a covered account, restoring a covered account or accepting payment for a covered account shall check for red flags as indicators of possible identity theft and such red flags may include:

(a)   Alerts from consumer reporting agencies, fraud detection agencies or service providers. Examples of alerts include but are not limited to:

(1)   A fraud or active duty alert that is included with a consumer report;

(2)   A notice of credit freeze in response to a request for a consumer report;

(3)   A notice of address discrepancy provided by a consumer reporting agency;

(4)   Indications of a pattern of activity in a consumer report that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

(A)  A recent and significant increase in the volume of inquiries;

(B)  An unusual number of recently established credit relationships;

(C)  A material change in the use of credit, especially with respect to recently established credit relationships; or

(D)  An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

(b)   Suspicious documents. Examples of suspicious documents include:

(1)   Documents provided for identification that appear to be altered or forged;

(2)   Identification on which the photograph or physical description is inconsistent with the appearance of the applicant or customer;

(3)   Identification on which the information is inconsistent with information provided by the applicant or customer;

(4)   Identification on which the information is inconsistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check; or

(5)   An application that appears to have been altered or forged, or appears to have been destroyed and reassembled.

(c)   Suspicious personal identification, such as suspicious address change. Examples of suspicious identifying information include:

(1)   Personal identifying information that is inconsistent with external information sources used by the financial institution or creditor. For example:

(A)  The address does not match any address in the consumer report; or

(B)  The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.

(2)   Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer, such as a lack of correlation between the SSN range and date of birth.

(3)   Personal identifying information, or a phone number or address, is associated with known fraudulent applications or activities as indicated by internal or third-party sources used by the financial institution or creditor.

(4)   Other information provided, such as fictitious mailing address, mail drop addresses, jail addresses, invalid phone numbers, pager numbers or answering services, is associated with fraudulent activity.

(5)   The SSN provided is the same as that submitted by other applicants or customers.

(6)   The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of applicants or customers.

(7)   The applicant or customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.

(8)   Personal identifying information is not consistent with personal identifying information that is on file with the financial institution or creditor.

(9)   The applicant or customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

(d)   Unusual use of or suspicious activity relating to a covered account.

Examples of suspicious activity include:

(1)   Shortly following the notice of a change of address for an account, the city receives a request for the addition of authorized users on the account.

(2)   A new revolving credit account is used in a manner commonly associated with known patterns of fraud, for example:

(A)  The customer fails to make the first payment or makes an initial payment but no subsequent payments.

(3)   An account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

(A)  Nonpayment when there is no history of late or missed payments;

(B)  A material change in purchasing or spending patterns.

(4)   An account that has been inactive for a long period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

(5)   Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s account.

(6)   The city is notified that the customer is not receiving paper account statements.

(7)   The city is notified of unauthorized charges or transactions in connection with a customer’s account.

(8)   The city is notified by a customer, law enforcement or another person that it has opened a fraudulent account for a person engaged in identity theft.

(e)   Notice from customers, law enforcement, victims or other reliable sources regarding possible identity theft or phishing relating to covered accounts.

(Ord. 908; Code 2022)

In the event a city employee responsible for utility accounts becomes aware of red flags indicating identity theft in regard to utility accounts, city employees shall take appropriate responses which may include:

(a)   Monitor a covered account for evidence of identity theft;

(b)   Contact the customer;

(c)   Change any passwords, security codes or other security devices that permit access to a covered account;

(d)   Reopen a covered account with a new account number;

(e)   Not open a new covered account;

(f)   Close an existing covered account;

(g)   Notify law enforcement; or

(h)   Determine that no response is warranted under the circumstances.

(Ord. 908; Code 2022)

The city council shall annually review and, as deemed necessary by the council, update the Identity Theft Prevention Program along with any relevant red flags in order to reflect changes in risks to customers or to the safety and soundness of the city and its covered accounts from identity theft. In so doing, the city council shall consider the following factors and exercise its discretion in amending the program:

(a)   The city’s experiences with identity theft;

(b)   Updates in methods of identity theft;

(c)   Updates in customary methods used to detect, prevent, and mitigate identity theft;

(d)   Updates in the types of accounts that the city offers or maintains; and

(e)   Updates in service provider arrangements.

(Ord. 908; Code 2022)

The City Clerk is responsible for oversight of the program and for program implementation.

(1)   The City Clerk will report to the City Council at least annually, on compliance with the red flag requirements.

(Ord. 908; Code 2022)