ORD NO 25-2008 CITY OF VAN BUREN, ARKANSAS
ORDINANCE NO. 9
BE IT ENACTED BY THE CITY COUNCIL, FOR THE CITY OF VAN BUREN,
ARKANSAS, AN ORDINANCE TO BE ENTITLED:
AN ORDINANCE TO AMEND THE CODE OF GENERAL
ORDINANCES OF THE CITY OF VAN BUREN, ARKANSAS,
TO ESTABLISH AN "IDENTITY THEFT PREVENTION
PROGRAM" IN COMPLIANCE WITH FEDERAL
REGULATIONS; TO COMPLY WITH FEDERAL
REGULATIONS RELATING TO RED FLAGS AND
IDENTITY THEFT; TO PROVIDE FOR CODIFICATION; TO
PROVIDE FOR SEVERABILITY; TO PROVIDE FOR AN
ADOPTION DATE AND EFFECTIVE DATE; AND FOR
OTHER PURPOSES ALLOWED BY LAW.
WHEREAS, the Federal Trade Commission "FTC has adopted rules, as setforth in 16 C.F.R.
681.2. pertaining to Identity Theft Prevention, pursuant to the "Red Flags Rule,"
which implements 114 of the FALRAND ACCURATE CREDIT TRANSACTIONS ACT OF
2003, which mandates that "creditors," as defined by 15 U.S.C. 1681 a(r)(5), adopt
an identity theft prevention program and red flag policies, to prevent and mitigate
identity theft with respect to covered accounts, on or before November 1, 2008; and
WHEREAS, 15 U.S.C. 1681a(r)(5) cites 15 U.S.C. 1691a, which defines a "creditor" as a
person that extends, renews or continues credit, and defines "credit'' in part as the
right to purchase property or services and defer payment therefore; and
WHEREAS, according to the FTC the Red Flags Rule's definition of "creditor' includes all
municipal utility companies, and the City of Van Buren owns and provides utility
services, specifically water sewer services, for which it accepts payments; and
WHEREAS. the City of Van Buren is a "creditor" with respect to 16 CFR 681.2, by virtue of
providing utility services, or by otherwise accepting payment for municipal services
in arrears; and
WHEREAS, the Federal Trade Commission regulations define 'covered account' in part as an
account that a creditor provides for personal, family or household purposes, that is
designed to allow multiple payments or transactions and specifies that a utility
account is a covered account; and
WHEREAS, the Federal Trade Commission regulations require each creditor to adopt an Identity
Theft Prevention Program which will use red flags to detect, prevent and mitigate
identity theft related to information used in covered accounts; and
WHEREAS, the City provides water and sewer services for which payment is made after the
product is consumed or the service has otherwise been provided which by virtue of
being utility accounts are covered accounts; and
WHEREAS, the City Attorney has reviewed the policies and procedures of the Van Buren Water
and Sewer Department and believes the proposed additions herein to the Municipal
Code fulfills, complies and implements the Red Flags Rule and other requirements
outlined by the Federal Trade Commission; and
WHEREAS, the City Council hereby finds that it is in the public interest to approve and adopt the
language herein, as part of the City Code, in compliance with FTC requirements.
NOW, THEREFORE, BE IT ORDAINED BY THE CITY COUNCIL OF THE CITY OF
VAN BUREN, ARKANSAS, FOR THE PURPOSE OF ADOPTING THE FOLLOWING
IDENTITY THEFT PREVENTION PROGRAM THAT:
SECTION 1: The foregoing recitals are hereby found to be true and correct and are hereby adopted
by the City Council and made a part hereof for all purposes.
SECTION 2: The City of Van Buren Municipal Code is hereby amended by adding Chapter 10.30
to Title 10, to read as follows:
`CHAPTER 10.30
Identity Theft Prevention Program
10.30.01 Short Title: This Chapter shall be known as the `Van Buren Identity Theft
Prevention Program.'
10.30.02 Purpose: The purpose of this Chapter is to comply with 16 CFR 681.2 in
order to detect, prevent and mitigate identity theft by identifying and
detecting identity theft red flags and by responding to such red flags in a
manner that will prevent identity theft.
10.30.03 Definitions: For purposes of this Chapter, the following definitions apply:
(a) `City' means the City of Van Buren.
(b) `Covered account' means (i) An account that a financial institution or
creditor offers or maintains, primarily for personal, family, or household
purposes, that involves or is designed to permit multiple payments or
transactions, such as a credit card account, mortgage loan, automobile loan,
margin account, cell phone account, utility account, checking account, or
savings account; and (ii) Any other account that the financial institution or
0 creditor offers or maintains for which there is a reasonably foreseeable risk
to customers or to the safety and soundness of the financial institution or
creditor from identity theft, including financial, operational, compliance,
reputation, or litigation risks.
(c) `Credit' means the right granted by a creditor to a debtor to defer payment
of debt or to incur debts and defer its payment or to purchase property or
services and defer payment therefore.
(d) `Creditor' means any person who regularly extends, renews, or continues
credit; any person who regularly arranges for the extension, renewal, or
continuation of credit; or any assignee of an original creditor who participates
in the decision to extend, renew, or continue credit and includes utility
companies and telecommunications companies:
(e) `Customer' means a person that has a covered account with a creditor.
(f) `Identity theft' means a fraud committed or attempted using identifying
information of another person without authority.
(g) `Person' means a natural person, a corporation, government or
governmental subdivision or agency, trust, estate, partnership, cooperative,
or association.
(h) `Personal Identifying Information' includes but is not limited to a
person' s credit card account information, debit card information bank account
information and drivers' license information and for a natural person includes
their social security number, mother's birth name, and date of birth.
(i) `Red flag' means apattern, practice, or specific activity that indicates the
possible existence of identity theft.
(j) `Service provider' means a person that provides a service directly to the
city.
10.30.04 Findings: The Federal Trade Commission "FTC requires every utility,
including public water and sewer systems, such as the Van Buren Water and
Sewer Department, to implement an Identity Theft Prevention Program
"ITPP The FTC requirements and regulations are necessary because of
114 of the Fair and Accurate Credit Transactions Act "FACTA The FTC
has set forth the ITPP requirement in 16 C.F.R. 681.2. Identity theft is
defined as a fraud committed or attempted using identifying information of
another person without authority. The City of Van Buren adopts the program
set forth in this Chapter to comply with FTC rules and regulations. In drafting
its ITPP, the City has considered: (1) the methods it provides to open its
accounts; (2) the methods it provides to access its accounts; and (3) its
previous experiences with identity theft. Based on these considerations, the
City Council hereby determines that the City Water Sewer Department is
a low to moderate risk entity, and as a result develops and implements the
streamlined ITPP set forth hereto. Further, the City determines that the only
covered accounts offered by the City are those under its water and sewer
utilities.
.:10.30.05 :Red Flags: The FTC regulations identify numerous red flags that must be
considered in adopting an ITPP. The FTC has defined a red flag as a pattern,
practice, or specific activity that indicates the possible existence of identity
theft. The City identifies the following red flags from the examples provided
in the regulations of the FTC:
(a) Notifications from Consumer Reporting Agencies: The City does not
request, receive, obtain or maintain information about its utility customers
from any Consumer Reporting Agency.
(b) Suspicious documents Possible red flags include:
i) presentation of documents appearing to be altered or forged;
ii) presentation of photographs or physical descriptions that are not
consistent with the appearance of the applicant or customer;
iii) presentation of other documentation that is not consistent with the
information provided when the account was opened or existing
customer information:
iv) presentation of information that is not consistent with the account
application; or
v) presentation of an application that appears to have been altered,
forged, destroyed, or reassembled.
(c) Suspicious personal identifying information Possible red flags include:
i) personal identifying information is being provided by the customer
that is not consistent with other personal identifying information
provided by the customer or is not consistent with the customer's
account application;
ii) personal identifying information is associated with known fraudulent
activity;
iii) the social security number (ifrequired or obtained) is the same as that
submitted by another customer;
iv) the telephone number or address is the same as that submitted by
another customer;
v) the applicant's failure to provide all personal identifying information
requested on the application; or
vi) the applicant or customer's inability to provide authenticating
information beyond that which generally would be available to a
consumer.
(d) Unusual use of or suspicious activity related to an account Possible red
flags include:
i) a change of address for an account followed by a request to change
the account holder's name;
ii) a change of address for an account followed by a request to add new
or additional authorized users or representatives;
iii) an account is not being used in a way that is consistent with prior use
(such as late or no payments when the account has been timely in the
past);
iv) a new account is used in a manner commonly associated with known
patterns of fraudulent activity (such as customer fails to make the first
payment or makes the first payment but no subsequent payments);
v) mail sent to the account holder is repeatedly returned as
undeliverable;
vi) the City receives notice that a customer is not receiving his paper
statements; or
vii) the City receives notice of unauthorized activity on the account.
(e) Notice regarding possible identity theft Possible red flags include:
i) notice from a customer, an identity theft victim, law enforcement
personnel or other reliable sources regarding possible identity theft or
phishing related to utility accounts.
10.30.06 Red Proof of Identity: Any person or entity opening a utility account shall
provide a complete application and provide satisfactory evidence of their
identity and/or address. Said proof may include but not be limited to: a valid
driver's license; passport; state, federal, employer, or school issued
identification card; or military identification card. The required application
must be completed in its entirety and must be signed in order to establish a
utility account.
10.30.07 Red Confidentiality of Applications and Account Information: All personal
information, personal identifying information, account applications and
account information collected and maintained by the City shall be a
confidential record of the City and shall not be subject to disclosure unless
otherwise required by State or Federal Law. Additionally, any employee with
access to utility customers' personal information, account applications or
account information shall be required to keep such information in confidence
and protect the privacy of Customers, and may be required to execute and
abide by a written Confidentiality and Non Disclosure Policy.
10.30.08 Red Access to utility account information: Access to utility account
information shall be limited to employees that provide customer service and
technical support to the City's utilities. Any computer that has access to
utility customer account or personal identifying information shall be
password protected and all computer screens shall lock after no more than
fifteen (15) minutes of inactivity. All paper and non electronic based utility
account or customer personal identifying information shall be stored and
maintained in a locked room or cabinet and access shall only be granted by
the Compliance Officer or his/her designee, or in the alternative shall be
scanned for secure, password protected, digital storage, and then shredded.
10.30.09 Red Credit Card Transactions: In the event credit cards are added as a
payment option for utility accounts, all interne or telephone credit card
payments shall only be processed through a third -party service provider
which certifies that it has an identity theft prevention program operating and
in place. Credit card payments accepted in person shall require a reasonable
connection between the person or entity billed for the utility services and the
credit card owner.
10.30.10 Red Suspicious Transactions: Suspicious transactions include but are not
limited to the presentation of incomplete applications; unsigned applications;
payment by someone other than the person named on the utility account;
presentation of inconsistent signatures, addresses or identification. Suspicious
transactions shall not be processed and shall be immediately referred to the
Compliance Officer.
10.30.11 Notification of Law Enforcement: The Water Superintendent/Director shall
use his /her discretion on whether to report suspicious transactions to the
police department or other appropriate law enforcement.
10.30.12 Third -Party Service P All transactions processed through a third
part} service provide s hall be permitted only if the service provider eertif es
that it has complied with the FTC regulations and has in place a consumer
identity theft prevention program.
10.30.13 Compliance Officer and Training: The "Compliance Officer" for this ITPP
and Chapter shall be the Water. Superintendent/Director or his/her designee.
The Compliance Officer shall conduct training of all city utility employees
that transact business with customers of the City's utilities. The Compliance
Officer shall periodically review this program and recommend any necessary
updates to the City Council.
10.30.14 Annual Report: An annual report, as required by FTC regulations, shall be
provided by the Water Sewer Department Superintendent/Director to the
Mayor and City Council. The contents of the annual report shall address
and /or evaluate at least the following:
(a) the effectiveness of the policies and procedures of the City in addressing
the risk of identity theft in connection with the opening of utility accounts and
with respect to access to existing utility accounts; and
(b) software, credit -card processing, and service provider arrangements; and
(c) any incidents involving identity theft, or suspected identity theft, with
utility accounts and the City's remedial response; and
(d) any changes, or proposed changes, in methods to identify identity theft
and/or to prevent identity theft; and
(e) any recommendations for changes or modifications to the City's ffPP.
SECTION 3: The various provisions and parts of this Ordinance are hereby declared to be
severable, and, if any section or part of a section, or any provision or part of a
provision herein, is declared to be unconstitutional, inappropriate, or invalid by any
court of competent jurisdiction, such holding shall not invalidate or affect the
remainder of this Ordinance and to that extent the provisions hereto are declared to
be severable.
SECTION 4: All ordinances, resolutions or other acts of the City in conflict with the terms hereof
are repealed or amended to the extent of any such conflict.
SECTION 5: The adoption date of this ordinance is October 20, 2008.
S SECTION 6: The effective date of this ordinance is November 1.2008.
1N WITNESS WI- IEREOF City of Van Buren, Arkansas, by its City Council, did pass,
approve, and adopt, by a vote of u!/ for and 0 against, the foregoing Ordinance at its meeting
held on the 20` day of October 2008..
API
Robert D. Fre ma�• aye
ATTESTED: APPROVED AS TO FORM:
Barbie Curtis, City Clerk/Treasurer N. Donald Jenkins, Jr., City Attorney