1370 ORDINANCE NO. 1370 ( #13 - 09)
AN ORDINANCE TO CREATE JACKSONVILLE MUNICIPAL CODE §§ 3.30
AND 335 (IDENTITY THEFT PREVENTION PROGRAM); TO COMPLY WITH
FEDERAL REGULATIONS RELATING TO ADDRESS DISCREPANCIES; TO
COMPLY WITH FEDERAL REGULATIONS RELATING TO RED FLAGS AND
IDENTITY THEFT; AND, FOR OTHER PURPOSES.
WHEREAS, the Federal Trade Commission adopted Identity Theft Rules
requiring creation of certain policies relating to the use of consumer reports, address
discrepancy, and the detection, prevention, and mitigation of Identity Theft. The
Federal Trade Commission regulations, adopted as 16 CFR § 681.2, requires
creditors to adopt red flag policies to prevent and mitigate Identity Theft with
respect to covered accounts;
WHEREAS, a creditor is defined under the Act as a person that extends,
renews, or continues credit, and defines 'credit' in part as the right to purchase
property or services and defer payment therefore. The regulations specifically
include utility companies in the definition of creditor, and the City of Jacksonville is a
creditor by virtue of providing utility services and otherwise accepting payment(s)
for various municipal service(s), fine(s), and cost(s) in arrears;
WHEREAS the Federal Trade Commission regulations define 'covered account'
in part as an account that a creditor provides for personal, family or household
purposes that is designed to allow multiple payments or transactions and specifies
that a utility account is a covered account. The Federal Trade Commission
regulations require each creditor to adopt an Identity Theft Prevention Program
which will use red flags to detect, prevent and mitigate identity theft related to
information used in covered accounts;
WHEREAS the City of Jacksonville provides water, sewer, sanitation, fitness
and recreation, and emergency medical response services together with assessment
of court costs and fines, all for which payment is made after consumption of the
product and /or adjudication occurs or has otherwise been provided so as to qualify
as covered accounts because they are for household purposes and allowing for
multiple payments or transactions;
WHEREAS, the Federal Trade Commission regulations, adopted as 16 CFR
681.1, require users of consumer credit reports to develop policies and procedures
relating to address discrepancies between information provided by a consumer and
information provided by a consumer credit company, and the City of Jacksonville
uses consumer credit reports to establish various customer accounts; and,
WHEREAS the duly elected governing authority of the City of Jacksonville is
the Mayor and Council thereof;
NOW, THEREFORE, BE IT ORDAINED AND ENACTED BY THE CITY
COUNCIL OF THE CITY OF JACKSONVILLE, ARKANSAS, THAT;
SECTION ONE: Jacksonville Municipal Code § 3.30 is hereby created and
shall read as follows:
ORDINANCE NO. 1370 ( #13 -2009)
Page Two
JMC § 3.30 (Identity Theft Prevention Program)
This Section shall be known as the Identity Theft Prevention Program. The
purpose of this Section is to comply with 16 CFR § 681.2 in order to detect, prevent,
and mitigate Identity Theft by identifying, detecting, and responding so as to
prevent Identity Theft.
JMC § 3.30.010 (Definitions)
For purposes of this Section, the following definitions apply:
(a) `City' means the City of Jacksonville, Arkansas.
(b) 'Covered account' means: (i) An account that a financial institution or
creditor offers or maintains, primarily for personal, family, or household
purposes, that involves or is designed to permit multiple payments or
transactions, such as a credit card account, mortgage loan, automobile loan,
margin account, cell phone account, utility account, checking account, or savings
account; and, (ii) Any other account that the financial institution or creditor
offers or maintains for which there is a reasonably foreseeable risk to customers
or to the safety and soundness of the financial institution or creditor from
identity theft, including financial, operational, compliance, reputation, or
litigation risks.
(c) `Credit' means the right granted by a creditor to a debtor to defer
payment of debt or to incur debts and defer its payment or to purchase property
or services and defer payment therefore.
(d) `Creditor' means any person who regularly extends, renews, or
continues credit; any person who regularly arranges for the extension, renewal,
or continuation of credit; or any assignee of an original creditor who participates
in the decision to extend, renew, or continue credit and includes utility
companies and telecommunications companies.
(e) `Customer' means a person that has a covered account with a creditor.
(f) 'Identity Theft' means a fraud committed or attempted using
identifying information of another person without authority.
(g) `Person' means a natural person, a corporation, government or
governmental subdivision or agency, trust, estate, partnership, cooperative, or
association.
(h) `Personal Identifying Information' means a person's credit card account
information, debit card information bank account information and drivers' license
information and for a natural person includes their social security number, mother's
birth name, and date of birth.
(i) `Red flag' means a pattern, practice, or specific activity that indicates
the possible existence of identity theft.
(j) 'Service provider' means a person that provides a service directly to
the City.
JMC § 3.30.015 (Findings)
(1)The City is a creditor pursuant to 16 CFR § 681.2 due to its provision or
maintenance of covered accounts for which payment is made in arrears.
(2) Covered accounts offered to customers for the provision of city services
include water, sewer, sanitation, fitness and recreation, and emergency
medical response services together with assessment of court costs and fines.
(3) The processes of opening a new covered account, restoring an existing
covered account, making payments on such accounts, and other such
ORDINANCE NO. 1370 ( #13 -2009)
Page Three
activities have been identified as potential processes in which Identity Theft
could occur.
(4) The City limits access to personal identifying information to those employees
responsible for or otherwise involved in opening or restoring covered
accounts or accepting payment for use of covered accounts. Information
provided to such employees is entered directly into the various City
Department's computer systems and is not otherwise recorded.
(5) The City has determined that there is a low risk of Identity Theft occurring in
the following ways:
a. Use by an applicant of another person's personal identifying
information to establish a new covered account;
b. Use of a previous customer's personal identifying information by
another person in an effort to have service restored in the previous
customer's name;
c. Use of another person's credit card, bank account, or other method of
payment by a customer to pay such customer's covered account or
accounts; and,
d. Use by a customer desiring to restore such customer's covered
account of another person's credit card, bank account, or other
method of payment.
JMC § 3.30.020 (Process of Establishing a Covered Account)
(1) As a precondition to opening a covered account in the City, each
applicant shall provide the City with personal identifying information of the
customer's valid government issued identification card containing a photograph of
the customer or, for customers who are not natural persons, a photograph of the
customer's agent opening the account. Such applicant shall also provide any
information necessary for the appropriate Department providing the service for
which the covered account is created to access the applicant's consumer credit
report (if applicable), Such information shall be entered directly into the City
Department's computer systems and shall not otherwise be recorded.
(2) Each account shall be assigned an account number and personal
identification number (PIN) which shall be unique to that account. The City may or
may not utilize computer software to randomly generate assigned PINs and to
encrypt account numbers and PINs.
JMC § 3.30.025 (Access to Covered Account Information)
(1) Access to customer accounts shall be password protected and shall be limited
to those authorized applicable City Department personnel.
(2) Such password(s) shall be changed by Mayor or his /her designated agent(s)
on a regular basis, shall be at least Eight (8) characters in length, and may
contain a combination of letters, numbers, and /or symbols.
(3) Any unauthorized access to or other breach of customer accounts is to be
reported immediately to the Mayor, Department Head, and /or his/her
designated agent(s). As well, the password to the specific system involved
shall be changed immediately.
(4) Personal identifying information included in customer accounts is considered
confidential. Any request or demand for such information shall be
immediately forwarded to the applicable Department Head and the City
Attorney for appropriate response.
ORDINANCE NO. 1370 ( #13 -2009)
Page Four
JMC § 3.30.030 (Credit Card Payments)
(1) In the event that credit card payments made over the Internet are processed
through a Third Party Service Provider, such Third Party Service Provider
shall certify that it has an adequate Identity Theft Prevention Program in
place that is applicable to such payments.
(2) All credit card payments made over the telephone or the City's website shall
be entered directly into the customer's account information in the computer
database.
(3) Account statements and receipts for covered accounts shall include only the
last four digits of the credit or debit card or the bank account used for
payment of the covered account.
JMC § 3.30.035 (Sources and Types of Red Flags)
All employees responsible for or involved in the process of opening a covered
account, restoring a covered account, or accepting payment for a covered account
shall check for red flags as indicators of possible Identity Theft. Such red flags
could, but are not limited to, the following:
(1) Alerts from Consumer Reporting Agencies, Fraud Detection Agencies,
or Service Providers. Examples of alerts include but are not limited to:
a. Fraud or active duty alert included with a Consumer Report;
b. Notice of credit freeze in response to a Consumer Report request;
c. Notice of address discrepancy from a Consumer Reporting Agency;
d. Indications of a pattern of activity in a Consumer Report inconsistent
with the history and usual pattern of activity of the applicant or
customer, such as:
i. Recent and significant increase in volume of inquiries;
H. Unusual number of recently established credit relationships;
iii. Material change in the use of credit, especially with respect to
recently established credit relationships; or,
iv. An account closed for cause or identified for abuse of account
privileges by a financial institution or creditor.
(2) Suspicious Documents. Examples of Suspicious Documents
include:
a. Documents provided for identification which appear to be altered,
forged, or modified in some improper manner;
b. Identification on the photograph or physical description which is
inconsistent with the appearance of an applicant or customer;
c. Identification on the information which is inconsistent with that
information provided by the applicant or customer;
d. Identification on the information which is inconsistent with readily
accessible information on file with the City, such as a signature card
or a recent check;
e. An application that appears to have been altered, forged, or appears to
have been modified, destroyed, and /or reassembled.
(3) Suspicious personal identification, such as a suspicious address
change. Examples of suspicious identifying information include:
a. Personal identifying information that is inconsistent with extemal
information sources used by the City. For example:
ORDINANCE NO. 1370 (#13 -2009)
Page Five
i. The address does not match any address in the consumer
report; or,
ii. The Social Security Number (SSN) has not been issued,
or is listed on the Social Security Administration's Death
Master File.
b. Personal identifying information provided by the customer inconsistent
with other personal identifying information provided by the customer, such as
a lack of correlation between their SSN and date of birth;
c. Personal identifying information or a phone number or address
associated with known fraudulent applications or activities as indicated by
internal or third -party sources used by the financial institution or creditor;
d. Other information provided, such as fictitious mailing address, mail
drop addresses, jail addresses, invalid phone numbers, pager numbers, or
answering services, that are commonly associated with fraudulent activity;
e. A SSN provided is the same as that submitted by other applicants or
customers;
f. An address or telephone number provided is the same as or similar to
an account number or telephone number submitted by any other applicant(s)
or customer(s);
g. An applicant or customer fails to provide all required personal
identifying information on an application or in response to notification that
- - - -- the application is incomplete;
h. Personal identifying information is not consistent with personal
identifying information on file with the City;
1. Applicant or customer cannot provide authenticating information
beyond which generally would be available from a wallet or Consumer
Report;
j. Unusual use of or suspicious activity relating to a covered account.
Examples of suspicious activity include:
A) Just following the notice of a change of address for an account,
the City receives a request for the addition of authorized users on the
account; or,
B) A new revolving credit account is used in a manner commonly
associated with patterns of fraud patterns. For example:
i. The customer fails to make the first payment or
makes an initial payment but no subsequent payments;
k. An account is used in a mariner that is not consistent with established
patterns of activity on the account. There is, for example:
A) Nonpayment when there is no history of late or missed
payments; or,
B) A material change in purchasing or spending patterns;
An account that has been inactive for an extended period of time is
suddenly used, taking into consideration the type of account, the expected
pattern of usage, and other relevant factors;
m. Mail to the customer is returned repeatedly as undeliverable, although
transactions continue to be conducted in connection with the customer's
account;
n. City is notified that a customer is not receiving paper account
statements, of unauthorized charges or transactions, or that an account has
been opened fraudulently or by a person engaged in Identity Theft; and /or,
ORDINANCE NO. 1370 (#13-2009)
Page Six
o. Notice from customer(s), law enforcement, victim(s), or other reliable
sources regarding possible Identity Theft or phishing relating to covered
accounts.
JMC § 3.30.040 (Prevention and Mitigation of Identity Theft)
1) In the event that any City employee responsible for or involved in
restoring an existing covered account or accepting payment for a covered account
becomes aware of red flag(s) indicating possible Identity Theft with respect to
existing covered accounts, such employee shall use his /her discretion to determine
whether such red flag(s) suggest a threat of Identity Theft. If, in his /her discretion,
such employee determines that identity theft or attempted identity theft is likely or
probable, such employee shall immediately report such discrepancy(ies) to his /her
Immediate Supervisor. If, in his /her discretion, said employee deems that Identity
Theft is unlikely or that reliable Information is available to reconcile the red flag(s),
said employee shall convey this information to his /her Immediate Supervisor who
may, in his /her discretion, determine that no further action is necessary. If further
action is determined necessary, the City employee(s) shall perform one (1) or more
of the following responses:
a. Contact the customer;
b. Make the following changes to the account if, after contacting the
customer, it is apparent that someone other than the customer has
accessed the customer's covered account:
-_ -. I. change any account numbers, passwords, security codes, or
other security devices that permit access to an account; or,
ii. close the account;
c. Cease attempts to collect additional charges from the customer and
choose not to transfer the customer's account to a debt collector in
the event that the customer's account has been accessed without
authorization and such access has caused additional charges to
accrue;
d. Notify a debt collector within a reasonable time of the discovery of
likely or probable Identity Theft relating to a customer account that
has been transferred to said debt collector in the event that a
customer's account has been transferred to a debt collector prior to
the discovery of the likelihood or probability of Identity Theft relating
to such account;
e. Notify law enforcement, in the event that someone other than the
customer has accessed the customer's account causing additional
charges to accrue or accessing personal identifying information;
and /or,
f. Take other appropriate action to prevent or mitigate Identity Theft.
2) In the event that any City employee responsible for or involved in
opening a new covered account becomes aware of a red flag(s) indicating
possible Identity Theft with respect to an application for a new account, such
employee shall use his /her discretion to determine whether such red flag(s)
suggest a threat of Identity Theft. If, in his /her discretion, said employee
determines that Identity Theft or attempted Identity Theft is likely or probable,
such employee shall immediately report such to his /her Immediate Supervisor.
If, in his /her discretion, such employee deems that Identity Theft is unlikely or
that reliable information is available to reconcile the identified red flag(s), the
employee shall convey this information to his/her Immediate Supervisor who
ORDINANCE NO. 1370 ( #13 -2009)
Page Seven
may, in his /her discretion, determine that no further action is necessary. If
- - further action is determined necessary, a City employee shall perform one (1) or
more of the following responses:
a. Request additional identifying information from the applicant;
b. Deny the application for the new account;
c. Notify law enforcement of possible Identity Theft; and /or,
d. Take other appropriate action to prevent or mitigate Identity Theft.
JMC § 3.30.045 (Program Administration)
1. The Director of Administration is responsible for oversight of the
Program and its implementation and management oversight. The Mayor or
his /her designated representative(s) is /are responsible for reviewing reports
prepared by Staff regarding compliance with red flag requirement(s) and with
any recommendation(s) of material change to the Program. Any recommended
material changes to the Program shall be submitted to the City Council for
consideration and approval by the City Council.
2. The Finance Director for the City and /or the Business Office
Administrator of the Water Department shall report to the Mayor or his /her
designated representative(s) at least annually on compliance with red flag
requirements. The report will address material matters related to the Program
and evaluate issues such as:
a. The effectiveness of the Department and /or City's policies and
procedures in addressing the risk of Identity Theft in connection with the
opening of covered accounts and with respect to existing covered accounts;
b. Service Provider arrangements;
c. Significant incidents involving Identity Theft and management's
response; and /or,
d. Recommendations for material changes to the Program.
3. The Finance Director for the City and /or the Business Office
Administrator of the Water Department is /are responsible for providing
training to all employees responsible for or involved in opening a new
covered account, restoring an existing covered account, or accepting
payment for a covered account with respect to the implementation and
requirements of the Identity Theft Prevention Program. The Finance Director
for the City and /or the Business Office Administrator of the Water
Department shall exercise his /her discretion in determining the amount and
substance of training necessary.
JMC § 3.30.050 (Outside Service Providers)
In the event that the City engages a Service Provider to perform an activity in
connection with one (1) or more covered account(s), the Finance Director for the
City and /or the Business Office Administrator of the Water Department shall
exercise his /her discretion in reviewing such arrangements in order to ensure that,
to the best of his /her ability, the Service Provider's involvement and activities are
conducted in accordance with City, State, and Federal policies and procedures that
are designed to detect any red fiag(s) which may arise in the performance of the
Service Provider's duties and /or activities and take reasonably appropriate steps to
prevent or mitigate Identity Theft.
ORDINANCE NO. 1370 ( #13 -2009)
Page Eight
JMC § 3.30.055 (Updating the Program)
_._ The City shall review annually and, as deemed necessary by City, update the
Identity Theft Prevention Program along with any relevant red flags in order to
reflect changes in risks to the citizens or to the safety and soundness of the City and
its covered accounts from identity theft. In so doing, the City Council shall consider
the following factors and exercise its discretion in amending the Program:
(1) The City's experiences with identity theft;
(2) Updates in methods of identity theft;
(3) Updates in customary methods used to detect, prevent, and mitigate
identity theft;
(4) Updates in the types of accounts that the city offers or maintains; and
(5) Updates in service provider arrangements.
SECTION TWO: Jacksonville Municipal Code § 3.35 is hereby created and
shall read as follows:
JMC § 3.35 (Treatment of Address Discrepancies)
Pursuant to 16 CFR § 681.1, the purpose of this Article is to establish a
process by which the City will be able to form a reasonable belief that a Consumer
Report relates to the consumer about whom it has requested a Consumer Credit
Report when the City has received a notice of address discrepancy.
JMC § 3.35.010 (Definitions)
For purposes of this Section, the following definitions apply:
(1) 'Notice of address discrepancy' means a notice sent to a user by a Consumer
Reporting Agency pursuant to 15 U.S.C. § 1681(c)(h)(1) that informs the
user of a substantial difference between the address for the consumer that
the user provided to request the Consumer Report and the address(es) in the
agency's file for the consumer.
(2)'City' means the City of Jacksonville, Arkansas.
JMC § 3.35.020 (Policy)
In the event that City receives a notice of address discrepancy, the employee
responsible for verifying consumer addresses for the purpose of providing the
municipal service(s) or account(s) sought by the consumer shall perform one (1) or
more of the following activities, as determined to be appropriate by such employee:
(1) Compare the information in the consumer report with:
a. Information the City obtains and uses to verify a consumer's identity
in accordance with the requirements of the Customer Information
Program rules implementing 31 U.S.C. § 5318(1);
b. Information the city maintains in its own records, such as applications
for service, change of address notices, other customer account
records or tax records; and /or,
c. Information the city obtains from third -party sources that are deemed
reliable by the relevant employee.
(2) Verify the information in the consumer report with the consumer.
JMC § 3.35.030 (Fumishing Consumer's Address to Consumer Reporting Agency)
In the event that City reasonably confirms that an address provided by a
consumer to the City is accurate, City is required to provide such address to the
ORDINANCE NO. 1370 ( #13 -2009)
Page Nine
consumer reporting agency from which City received a notice of address
discrepancy with respect to such consumer. This information is required to be
provided to the consumer reporting agency when:
a. City is able to form a reasonable belief that the consumer report
relates to the consumer about whom City requested the report;
b. City establishes a continuing relation with the consumer; and /or,
c. City regularly and in the ordinary course of business provides
information to the consumer reporting agency from which it received
the notice of address discrepancy.
(2) Such information shall be provided to the consumer reporting agency as part
of the information regularly provided by City to such agency for the reporting
period in which City establishes a relationship with the customer.
JMC § 3.35.040 (Methods of Confirming Consumer Addresses)
The employee charged with confirming consumer addresses may, in his /her
discretion, confirm the accuracy of an address through one (1) or more of the
following methods:
(1) Verifying the address with the consumer;
(2) Reviewing the city's records to verify the consumer's address;
(3) Verifying the address through third party sources; or,
(4) Using other reasonable processes.
SECTION THREE: All Ordinances or parts of Ordinances in conflict
herewith are hereby repealed to the extent of such conflict.
SECTION FOUR: This Ordinance, This Ordinance, necessary for the
improvement of public facilities and operation so as to benefit and protect the
health, safety, and financial welfare of the citizens of Jacksonville, should be
implemented immediately. Therefore, an emergency is hereby declared, and this
Ordinance shall be in force and effect from and after its date of passage.
APPROVED AND ADOPTED THIS DAY OF MAY, 2009.
CITY OF JACKSONVILLE, ARKANSAS
/ t rrnwrwl Lornf
TO MY AIM, MAY
ATTEST
AL ,f :.
• TT, CITY • ERK
DAS
ROB RTE.: ' TTORN