Identity Theft and Fraud Prevention Training

Welcome to the annual Red Flags training for Blue Ridge Electric and Blue Ridge Energies employees!  This training is required by Board Policy 4-7B (Identity Theft and Fraud Prevention Program).  Our Identity Theft Prevention Operational Policy (policy #2-5-1-0) is designed to guide us in protecting the personally identifiable information of our members and customers.  Please take a few moments to carefully complete the training as these skills are the key to protecting our members' and customers' confidential information.

Image result for blue ridge energy logo

This training will enable employees to ensure compliance with our Identity Theft Operational Policy and effectively protect the personally identifiable information of our members and customers.

Red Flag Intro

  • Why do we have a Red Flags Policy?  The Fair and Accurate Credit Transaction Act (FACT Act) is a provision of the Federal Fair Credit Reporting Agency.  It requires us to take steps to curb identity theft.
  • What is a Red Flag? A Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft. 
  • What is Identity Theft? Identity theft is the illegal use of someone's personal information (such as a social security number) in order to obtain money or credit. Identity theft costs consumers and businesses millions of dollars each year and causes difficulties for victims trying to repair their good name and credit.  The existence of a Red Flag does NOT automatically mean Identity Theft has occurred.
  • The key to upholding our policy is that we cannot share any account information with anyone other than the member/customer.  The member/customer may contact us and add authorized individuals to their account if they wish for them to have access to their information or have the ability to make changes. 

Question 1

  • The applicant does not appear to have a credit file with the given identity information.
  • The applicant name & social security number do not match.
  • The given social security number has been reported as belonging to a deceased person.
  • The given social security number has not yet been issued by the social security administration.

When running a credit check, which of the following results could be a Red Flag and would require the applicant to provide further proof of identity? (Choose all that apply)

Operational Policy Highlights

  • When a new member/customer applies, we utilize the credit check process for 2 reasons:  1) to verify their identity, and 2) to check their credit rating if they intend to have a credit bearing account with us. 
  • The privacy of the customer always comes first when dealing with outside organizations, you must always get permission from the customer to give account information out.
  • Receipts at the front desk are only to be provided to the customer if they contain personal information.  ATS receipts now have the option to not include personal balance or account number details, so receipts can be provided to a non-member or customer paying. 
  • Per our policy, valid types of ID's include:
    • A valid, US government or state issued ID.
    • A foreign issued government passport, together with US government authorization. A foreign issued driver's license alone would not be sufficient. 

Image result for blue ridge energy logo

A credit check needs to be ran on each

Question 2

  • True
  • False
A credit check must be run for all new members and customers, unless they are opening a FlexPay electric service or Prepay Energies account, since these accounts do not require good credit.

Different Types of Personally Identifiable Information

Our policy lists the following as the types of personally identifiable information we are working to protect:

  1. Social security or tax identification number

  2. Driver’s license, state identification, or passport number

  3. Checking or savings account number

  4. Credit or debit card number and related expiration date or security code

  5. Personal identification code or requested code word to access account information

  6. Email address or internet login/password information

  7. Digital signature

  8. Any other data (including account number) which may be used to access financial information

  9. Any other account details which a member may be sensitive about us providing (i.e. balance on account, due dates, account status, etc.)

 

Image result for blue ridge energy logo

Question 3

  • Social security or tax identification number
  • Email address or internet login/password information
  • Personal identification code or requested code word to access account information
  • Birthdate
  • Any other account details which a member may be sensitive about us providing (i.e. balance on account, due dates, account status, etc.)

Which of the following is classified as Personally Identifiable Information? (Choose all that apply)

Providing Member Information to Parents or Individuals We Know

Many scenarios exist that could potentially jeopardize the information of members. It is important that employees know how to address those situations so that no mistakes are made when a member's information is truly at stake.

  • The first scenario is a parent inquiring about their child's account. If a caller requests information on their child's account, but is not listed as an authorized individual, no information can be given to that caller, even though they are the member's parent. However, if they are able to provide the account number, the parent is able to make a payment on the member's account. No other information should be given out. 
  • This is a situation frequent among members who are college students. It is important that the member designate their parent as an authorized individual if that parent is going to be calling to inquire on their account.
  • The second scenario is when a caller requests information on an account, and expects you, the employee, to provide that information because you know the caller personally. While you may know the caller, and be confident of their positive intentions, our first responsibility is to the member and the protection of their information. As with the first scenario, this individual could make a payment on the account if they are able to give the account number. However, no other information can be given unless the member personally calls to add the caller as an authorized individual on the account.

Question 4

  • The member's parent.
  • The member.
  • The member's landlord.
  • An individual that you, the employee, know personally to be of good character and positive intentions.
  • An individual who the member has personally authorized to receive information regarding their account.
Which of the following is able to receive information on a member's account? (Select all that apply.)

"Other" Contacts

  • It is also important to note that, when a member adds an "other" contact on their account, the member needs to specify what information that person can have access to. It is our responsibility to ensure that the member does so. For instance, a member can add an "other" contact and specify that this contact can only have access to their account balance. Such a contact would be unable to receive any information other than the account balance, such as Social Security number, driver's license number, or credit card number.
  • Some members may have an "other" contact listed on their account, but have not specified what information that person has access to. In that situation, we are to allow the contact to make any type of transactions (i.e. make a payment, ask for a past due balance, receive a time extension, etc.) However, unless specified by the member, they are not allowed to make any core changes to the account (i.e. update the address, update credit card information, connect or disconnect power, etc.).

Question 5

  • Receive or update the Social Security number on the account
  • Receive or update the checking or savings account number on the account
  • Make a payment on the account
  • Receive or update the member's e-mail address
  • Inquire or receive information about the member's account status
If an "other" contact has been authorized by the member to ONLY receive information pertaining to the account status, which of the following are items that the "other" contact does NOT have access to/the ability to do?

Scenarios for Review

Q – Wife calls in to get a time extension and her name is not on the account?

A – We may only grant time extensions to the member/customer.  The member/customer in that household would need to call and give permission to have the spouse added.  The only transaction we can do with her until that happens is to take a payment if she provides the account number and does not request any further balance or account details. 

Q – Person comes into district to make a payment on an account and does not have the bill.

A – We will accept the payment.  If they request other account details they will need to show identification.  If it is not the member, no receipt is to be provided if it contains account number of balance information.  If the person has the bill, we will take the payment and provide the receipt

Q – Member or customer calls in to change the address on their account.

A – Our first step is to verify their identity by asking for one of the approved items.  Once verified, update the system as requested.  If it is not the authorized individual that has called in, inform them we will need to speak with that individual to make the requested change.

Q – Receive a call that we have charged their credit card and it is not their payment.

A – May or may not be a member, so collect contact information and payment details (date, amount, last 4 digits of credit card #).  We will research the payment, but will NOT be able to release the account name to that individual.  They need to contact their credit card company to report the fraudulent charge.  The only way we release member information related to the payment is if they file a police report and we are subpoenaed to do so.  As a follow-up to this type of inquiry, complete a Red Flags Incident form, have your supervisor sign it, and forward it to a member of the Privacy Committee.

Q – Daughter calls in to handle matters on her parents’ account.

A – We can work with her if one of the two things is true:

 1) Her name has been added as a contact to the account (parent gave permission)

 2) We have a power of attorney on file (recorded, all pages)

Image result for blue ridge energy logo

Phone Call Scenario Question 1

  • Provide the caller with the confirmation # for the payment, thank her for calling, and move onto the next call.
  • Provide the caller with the confirmation # for the payment and thank her for calling. Then, contact the member/customer to inform her that a payment was made on her account, however, the outstanding balance is still $xx.xx and her account is still subject to disconnection on xx/xx/xx.
  • Ask the caller if she is sure that is all she would like to pay. Cannot explain why, but would she not like to pay only $10.00 more?
  • While the payment is processing, inform the caller that you are processing the $60.00 payment, but wanted to ensure she knows that this is not enough to keep the service from being disconnected. There is still a balance of $15.00 that must be paid by tomorrow.

Caller: “I need to make a payment on my daughter’s account.” 

Us:       “May I have the account # or phone # on the account so I can access her account?” 

Caller: “Yes, the account # is 123456”

Us:       “How much would you like to pay?”

Caller: “60.00 on my credit card”

We process the payment, but notice that 60.00 is not enough to keep the customer from having their electric/propane service disconnected.  Which of the following is the appropriate response to end this call:

 

Phone Call Scenario Question 2

  • Only when the customer wants to change account information.
  • Go ahead and verify the identity of all callers.
  • Only verify identity when the customer wants to make a payment.

What is a good rule of thumb for when to verify the identity of a caller?

Scenario Question 3

  • An individual that is neither a customer or member of ours states that we put a charge on his credit card and he wants his money back! He provides the date and amount and wants to know what he should do?
  • Energies customer calls to request a delivery. We see that her name is not on the account, so we instruct her that we need to speak with her husband, whose name is on the account.
  • Landlord calls in and requests that we disconnect power to the service address he owns. We inform him that we cannot take a disconnect service order from anyone except the member whose name the account is in.

In which of the following scenarios would you need to complete a Red Flags Incident report?

Do we have an obligation to report?

  • Yes, we should always inform authorities of any information we know about.
  • No, we are not "investigators". Our obligation is to follow our policies and procedures and treat all members and customers fairly and equally.
Are we required to report individuals we know are not living here legally? 

Complete Training

To complete the training, click "Home".  Lastly, click "Submit Results" - this will send us an e-mail that you have completed the required training!

Thank you and have a great day!