CITY OF ELK CITY IDENTITY THEFT PREVENTION POLICY
Identity theft, the fraudulent use of an individual's personal identifying information, is a
high-level risk to consumers and therefore to our city and our customers. This policy
reaffirms and formalizes the actions and processes our city will take with respect to
This policy includes the final rules and guidelines implementing section 114 of the Fair and
Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of
the FACT Act.
The rules implementing section 114 require each creditor to develop and implement a
written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate
identity theft in connection with the opening of a covered account or existing covered
In addition, the agencies issued joint rules under section 315 that provide guidance
regarding reasonable policies and procedures that a user of consumer reports must
employ when a consumer reporting agency sends the user a notice of address
The agencies also issued guidelines to assist creditors in the formulation and maintenance of a
Program that satisfies the requirements of these rules.
The guidance and standards set forth in this policy are intended to take specific steps to:
• Comply with the Interagency Final Rule Regarding Sections 114 and 3 I 5 of the Fair
and Accurate Credit Transactions Act of 2003".
• Minimize the threat of identity theft through disclosure or compromise of
customer information held by the city.
• Respond to known or suspected identity theft involving our city or its customers.
• Provide assistance to city customers who may have been victims of identity theft.
• Establish processes or procedures for the training of city personnel.
• Establish processes or procedures for the education of city customers.
For the purposes of this policy, the following definitions apply:
• Any person or firm who regularly extends, renews, or continues credit
• Any person or firm who regularly arranges for the extension, renewal or continuation of
• Any assignee of an original creditor who participates in the decision to extend, renew, or
Account means a continuing relationship established by a person with the city to obtain a product
or service for personal, family, household or business purposes. Account includes:
• An extension of credit, such as the utility billing (water, electricity, sewer, garbage and
internet) involving a deferred payment, and
• A deposit account.
Covered Account means:
• An account that our city offers or maintains primarily for personal, family or household
purposes that involve or are designed to permit multiple payments or transactions such as utility
billing (water. electricity, sewer, garbage and internet) or the purchase of property.
• Any other account that our city offers or maintains for which there is a reasonably
foreseeable risk to customers or to the safety and soundness of the city from identity theft,
including financial, operational, compliance, reputation or litigation risks.
• This definition may include accounts established for business purposes and covers any
relationship the account holder has with the city, including deposit relationships, utility
relationships, and include fiduciary, agency, custodial, and other advisory relationships.
Customer means a person that has a covered account with the city. This includes not only consumers
but also other types of persons for which our city believes there is a reasonably foreseeable risk
to its customers or to the city's safety and soundness from identity theft.
Clear and conspicuous means reasonably understandable and designed to call attention to the nature
and significance of the information presented.
Identity Theft means a fraud committed or attempted using the identifying information of another
person without authority.
Identifying Information means "any name or number that may be used, alone or in conjunction with
any other information, to identify a specific person," including any:
• Name, social security number, date of birth, official state or governmental issued driver's
license or identification number, alien registration number, government passport number, employer
or taxpayer identification number;
• Unique biometric data, such as fingerprint, voice print, retina or iris image, or other
unique physical representation;
• Unique electronic identification number, address, or routing code; or
• Telecommunication identifying information or access device.
Notice of address discrepancy means a notice sent to a user by a consumer reporting agency
pursuant to the law that informs the user of a substantial difference between the address for the
consumer that the user provided to request the consumer report and the address(es) in the agency's
file for the consumer.
Red Flag means a pattern, practice, or specific activity that indicates the possible existence of
Service Provider means a person that provides a service directly to the city.
ELEMENTS OF THE IDENTITY THEFT PREVENTION PROGRAM
• Identify relevant red flags and incorporate them into the Program
• Detect red flags that are part of the Program
• Respond appropriately to any red flags that are detected
• Ensure the Program is updated periodically to address changing risks.
GUIDELINES OF THE IDENTITY THEFT PREVENTION PROGRAM
• Incorporate all existing anti-fraud policies and procedures into the Program.
• Program to be approved by the Elk City Commission , Elk City Public Works Authority, Elk
City Industrial Authority and Elk City Airport Authority
• Ensure oversight of the Program by the City Manager, City Treasurer and City Clerk
• Train appropriate staff
• Oversee any service provider arrangements made
ADMINISTRATION OF THE IDENTITY THEFT PREVENTION PROGRAM
• The city's Identity Theft Prevention Program will be administered by the City Clerk.
• The Program will be monitored at least annually.
• Service provider's activities will be conducted in accordance with the city's Program.
• The City Manager will make a report to the Elk City Commission, the Elk City Public Works
Authority, the Elk City Industrial Authority and the Elk City Airport Authority at least on an
• Significant incidents involving identity theft will be reported as they happen.
• The Program will be reviewed and critiqued to determine the effectiveness of the policies
and procedures in addressing the risk of identity theft in connection with the city's covered
• All service providers' activities will be conducted in accordance with reasonable policies
and procedures designed to detect, prevent, and mitigate the risk of identity theft.
IDENTIFICATION OF COVERED ACCOUNTS INCLUDING A RISK ASSESSMENT
The city performed an initial risk assessment of the likelihood that we offer covered accounts
taking into consideration:
• The types of covered accounts that we offer
• The methods we use to open accounts
• The methods we use to provide access to our accounts
• Previous experiences with identity theft
To assist us in this process, we used the illustrative examples of Red Flags that are contained in
the FACT Act.
PERIODIC UPDATES OF THE IDENTITY THEFT PREVENTION PROGRAM
The city will review its existing, Identity Theft Prevention Program at least annually and make
such revision and amendments, as it deems appropriate to reflect changes in risks to customers and
to the safety and soundness of the city from identity theft.
Our staff will be trained to recognize and properly react to unauthorized or fraudulent attempts to
obtain customer information. Employees will also be trained to protect customer information
through appropriate measures, such as taking additional steps to verify that a caller is a bonafide
Employees will also be trained to implement the city's written policies and procedures governing
the disclosure of customer information, and will be informed and reminded on a periodic basis not
to deviate from them. Moreover, employees must also know to whom and how they should report
OVERSIGHT OF SERVICE PROVIDERS
The City will adopt and implement an information security program that establishes adequate
administrative, technical and physical safeguards to protect customer information against misuse,
alteration, destruction, or unauthorized disclosure. The City will perform due diligence on
service providers and will require that all contracts with service providers, who have access to
customer non-public personal information in the course of providing services to our city, have a
clause that requires the provider to maintain an information security program designed to achieve
PREVENTION AND DETERRENCE OF IDENTITY THEFT
Our city will employ a variety of methods to safeguard customer information and reduce the risk
of loss from identity theft, including:
• Verification of personal information to establish the identity of individuals applying for
new or addition services.
• Consumer reports can be an important source for preventing fraud. When processing an
application for a new account, the city may rely on a consumer report from a consumer reporting
agency. Our city will not process an application when there is an existing fraud alert without
contacting the individual in accordance with instructions that usually accompany a fraud alert
(i.e., a victim's statement), or otherwise employing additional steps to verify the individual's
identity. Consumer reports may also be a source for detecting fraud. Signs of possible fraudulent
activity that may appear on consumer reports may include late payments on a consumer's accounts in
the absence of a previous history of late payments, numerous credit inquiries in a short period of
time, higher-than-usual monthly credit balances, and a recent change of address in conjunction with
other signs. The city will institute procedures to share a fraud alert across our various lines of
• When an applicant fails to provide all requested information on an application, our city will
not process the incomplete application without further explanation.
• Inasmuch as a change of address request on an existing account may be a sign of fraudulent
activity, our city will verify the customer information before executing an address change.
• Our city will implement appropriate controls and procedures to limit access to customer
records. We will also ensure that our service providers adopt similar controls.
• Because insiders could be identity thieves, our city will consider conducting background
checks for its employees, in accordance with applicable law.
• Our city will also monitor its service providers to confirm that they have implemented
appropriate measures to limit access to customer records.
• Appropriate protective measure will also be taken for disclosing information through other
communication channels (e.g., e-mail or wireless devices) which our city may use. It is our
policy that in most cases e-mail is not an appropriate channel to communicate certain types
of account information unless it is secure e-mail.
• Our city will implement appropriate controls and procedures to limit access to customer
records which are to be destroyed by shredding. We will also ensure that our service providers
adopt similar controls.
RESPONSE TO SUSPECTED IDENTITY THEFT SCHEMES
In order to properly respond to instances of suspected identity theft, we will:
• Incorporate notification of known email-related frauds into the response program to alert
customers of fraudulent requests for information and to caution them against responding.
• Notify Internet service providers, domain name issuing companies, and law enforcement to shut
down fraudulent Web sites and other Internet resources that are being used to facilitate phishing
or other fraudulent e-mail practices.
• Increase suspicious activity monitoring and employ addition identity verification controls.
• If fraud is detected in connection with customer accounts, we will report the fraud and offer
our customers assistance consistent with regulatory guidance on this subject.
• In the event that our city is a victim of an email-related scam, we will promptly notify law
enforcement by filing a Suspicious Activity Report (SAR).
RESPONSE PROGRAM FOR KNO\VN IDENTITY THEFT
The city will take all necessary steps to prevent unauthorized access to or use of sensitive
customer information. Sensitive customer information includes the customer's name, address or
telephone number in conjunction with the customer' s Social Security number, driver's license
number, account number, and their credit or debit card number. It also includes any combination of
customer information that would allow someone to log on or access a customer's account, such as the
user name and personal identification number (PIN) or password.
In the event that sensitive customer information is accessed or used, the city will:
• Assess the nature ad the scope of the incident and identify what customer information systems
and types of customer information have been misused or accessed;
• Notify our law enforcement and file a SAR as the city becomes aware of the incident;
• Promptly notify the appropriate law enforcement authorities when a reportable violation is
• Take appropriate steps to contain and control the incident to prevent further unauthorized
access to or use of customer information;
• Notify customers of the incident.
INCIDENT INVOLVING A SERVICE PROVIDER
The City will notify our customers and when an incident of unauthorized access to sensitive
customer information involves our customer information systems maintained by a service provider.
The city may, however, elect to authorize or contract with the service provider to notify our
customers on our behalf.
CUSTOMER NOTICE OF UNAUTHORIZED ACCESS TO CUSTOMER INFORMATION
The City will notify customers when we become aware of an incident of unauthorized access to
customer information and at the conclusion of our investigation if the city determines that misuse
of information has occurred or the city believes it is reasonably possible that misuse will occur.
The customer notice will be given in a clear and conspicuous manner and will be delivered in a
manner designated to ensure that a customer can reasonably be expected to receive it. Acceptable
methods that the city will use include telephone and mail. E-mail notices are acceptable for those
customers who have valid e-mail addresses and who have agreed to receive communications with the
The notice will contain the following items:
• Description of the incident;
• Type of information subject to unauthorized access;
• Measures taken by the city to protect customer s from further unauthorized access;
• Contact information for the nationwide consumer reporting agencies;
• Telephone number customers can call for information and assistance; and
• A reminder to customer to remain vigilant over the next twelve to twenty four months and to
report any suspected identity theft incidents to the city.
EDUCATION OF CUSTOMERS
Educating consumers about preventing identity theft and identifying potential pretext calls may
help reduce their vulnerability to these fraudulent practices. We will make available to our
customers, brochures in our lobbies or on our Web site, describing preventative measures consumers
can take to avoid becoming victims of these types of fraud.
ASSISTANCE FOR VICTIMS
In the event that one of our customers becomes a victim of identity theft, we will take the
following steps, as appropriate, to assist them:
• Have trained personnel respond to customer calls regarding identity theft or pretext
• Determine if it is necessary to close the account immediately after a customer reports
unauthorized use of that account. Where a customer has multiple accounts with us, we will assess
whether any other account has bee the subject of potential fraud.
• Help educate the customer about appropriate steps to take if they have been victimized.
Periodic unannounced independent testing will be conducted to ensure that city personnel are
aware of and abiding by this policy. This testing will include in its activities testing to
determine if any city customers have been the victims of ID theft and, if so, where the city took
the proper steps thereafter. In addition, this testing will focus on additional modifications that
should be made to the city's identity theft prevention program.
REVIEW OF POLICY
The Elk City Commission, Elk City Public Works Authority, Elk City Industrial Authority, and the
Elk City Airport Authority shall review this policy at least annually, making such revisions and
amendments, as is deemed appropriate.
ALERTS, NOTIFICATIONS, OR OTHER WARNINGS RECEIVED
The City Will:
• Verify identity of the customer.
• Authenticate customer's information.
• Monitor transactions on the customer's accounts.
• Verify validity of address changes or changes in personal information.
Requirement to Form a Reasonable Belief
Whenever our city receives an alert, notification, or other warning of address discrepancy from a
consumer reporting agency that has a substantial difference between the address the city submitted
to the consumer reporting agency and the address(s) in the agency's file for the consumer, the city
will take steps to form a reasonable belief that the consumer report relates to the consumer about
whom the city requested the report.
In order to develop a reasonable belief that the consumer report relates to the consumer about whom
we requested a report, we will compare the information in the consumer report provided by the
consumer reporting agency with information that the city;
• Obtained and used to verify the consumer's identity;
• Maintains in our records, such as applications, change of address notifications, other
customer account records; (or)
• Obtained from a third-party source(s);
• In addition, the city will verify the information in the consumer report provided by the
consumer reporting agency with the customer.
Requirement to Furnish a Consumer's Address to a Consumer Reporting Agency
The city will furnish an address for the consumer that the city has reasonably confirmed is
accurate to the consumer reporting agency from whom the city received the notice of address
discrepancy whenever the city can form a reasonable belief that the consumer report relates to the
consumer about whom the city requested the report.
The city will furnish this information if the city establishes a continuing relationship with the
consumer and if the city regularly and in the ordinary course of business furnishes information to
the consumer reporting agency from which the notice of address discrepancy relating to the
consumer was obtained.
Examples of confirmation methods that may be used by the city are:
• Verification of the address with the consumer about whom it has requested the report, or
• Review of its records to verify the address of the consumer, or
• Verification of the address through third-party sources; or
• Use of other reasonable means.
The city will furnish the consumer's address that the city has confirmed is accurate to the
consumer reporting agency as part of the information it regularly furnishes for the reporting
period in which the city established a relationship with the consumer.
DUTIES REGARDING CHANGES OF ADDRESS
The city will assess the validity of a change of address if it receives notification of a change of
address for a consumer's account.
Form of Notice
Any written or electronic notice that the city provides under this paragraph will be clear and
conspicuous and provided separately from its regular correspondence with the consumer.
• Documents provided for identification which appear to be altered
• Personal information provided that is inconsistent with external information sources
• Unusual use of the account in a manner that is not consistent with historical patterns of
• Notice from customer of unauthorized charges or use
APPROPRIATE RESPONSES TO RED FLAGS
• Monitor accounts
• Contact customer
• Change passwords or sign ons
• Refuse to open an account
• Don't collect on an account
• Notify law enforcement as deemed appropriate
• No response