1. What You Need to Know Customer Service 1 08/09/2012

2. 2 What is Identity Theft? Common Forms of Identifying Information: Name Address Social Security Number Birth date Mother’s maiden name Phone number Driver’s License Number Definition: Fraud committed by using identifying information of another person without authority.

3.  Caller requests specific information on an account, i.e., address, phone number, SSN, TDL…  Payment activity on account does not match billing or usage history.  The customer says they did not activate the account that now includes their identifying information.  Personal identifying information does not match previous information provided on account. 3

4. Red Flag – A pattern, practice or activity that indicates the possible existence of ID theft. Identifying red flags allows the CSR to spot suspicious patterns when they arise. The Red Flag Rule is enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration. What is the Red Flag Rule? Rule enforced by the Federal Trade Commission (FTC) that requires businesses and organizations to implement a written Identity Theft Prevention Program and training designed to detect the warning signs or “red flags” of identity theft in their day-to-day operations. Businesses are required to take steps to prevent the crime, and lessen the damage it inflicts. 4

5. 1. Alerts, notifications or warnings received from a Consumer Reporting Agency when opening an account. Credit Reporting agencies include: Experian or Texas DL verification at SGO Accurint at MNG 2. Existing accounts having unusual use of or suspicious activity.  Example: Single or multiple payments (usually by Credit Card) that create a credit on an account after which a caller requests a refund of the overpayments. 3. Notice from customers, victims of ID theft, law enforcement authorities, or other persons regarding ID theft. 5

6. Caller reports possible ID Theft event: CSR verifies ID and address on account Customer probed: Did a friend or relative reside at address? If YES, CSR explains that the customer is responsible for bill. If NO, the customer states the ID Theft is legitimate:  Inform the customer a fraud packet will be mailed to them and properly note the case as to why the customer is claiming ID Theft (Fraud).  For ID Theft/Fraud Cases the case category: “EFMI – Identity Theft Fraud” should be selected.  Using the proper case category provides automation of Identity Theft /Fraud investigations and mailing of fraud packets to the customer.  All Identity Theft CLOGs should be logged using the Class/Action code: “0017/0123 - Identity Theft Investigation” with the reason.  Inform the customer they must complete and return the packet to CNP within (30) business days with all required documents completed. These include:  ID Theft Report (not just a case#), including the full report filed with Police  ID Theft Affidavit signed and notarized  Proof of Residence form  Copy of other accounts in their name during same time period (electricity, phone, etc.)  Inform the customer they will be contacted within (5) business days by the Credit Department after their completed packet is received and the investigated.  Credit will update activity through CLOGs.  If a customer calls for a status report after the packet has been mailed, please refer to the CLOGs on the account for detailed information. If the customer does not agree to complete the packet, explain to the customer they are responsible for the bill. 6

7. 7 Work From Home Agents Handling Confidential Information  Agents should have designated work areas in home that can be secured behind a locked door if necessary.  Work area should be equipped with shredder for discarding of proprietary information/documents.  Visitors should not be in area when actively working.  Employee confidential documents should be secured in locked drawer or cabinet.  Examine work area before leaving to ensure precautions have been taken to secure confidential information.  Always password protect PC when leaving area for any length of time  Power down/completely log off computer at end of day.  If customer’s information has been compromised (i.e. home burglary ) the agent must contact the authorities to file a police report, as well as alert CNP management and Corporate Security. Both should be completed within 24 hours.

8. It is important that we use standard verification procedures to validate customers through identifying information such as:  Name  Social Security Number  Driver’s License Number  Address/Phone Number  Date of Birth Remember:  Don’t release information without identifying your customer.  Verify identifying information—Never give information  If notes on the customer’s account indicate suspicious activity, do not provide this information to the caller. 8

9. Printing  Don’t leave screenshots or documents with confidential information on the printer.  Avoid printing these documents unless absolutely necessary. Shred-It  Properly discard documents that include confidential or identifying information in the shred it bins Workstations  Make sure your PC is password protected when you leave your desk and is “shutdown” when you leave for the day.  Avoid exposing/leaving any customer confidential information on your desktop. Emails  Never email customer sensitive information without “blotting out” identifying or other confidential information first (i.e. Checkbook screens.).9

10.  Lock up any customer sensitive information daily.  Store records in a room or cabinet that is locked when unattended.  Shred papers containing customer information so that the information cannot be read or reconstructed (especially papers left at the printers).  Set Fax machines to memory at the end of each day to store any faxes that may be sent after business hours. 10

11. ScenariosExampleRisk Avoidance Personal identifying information given by customer is not consistent with information given to an external consumer agency. The SSN given by the customer does not match information from an outside agency, i.e., the BBB, Credit Reporting agency Credit performs skip tracing and may request proof of information, i.e., lease agreement, copy of ID Personal identifying information is associated with known fraudulent activity. Address/phone number provided is same as info. provided on a fraudulent application. Credit performs skip tracing, issues refusal of service, notes premise and contacts customer for payment. Customer Service determines if this is same party. Applies appropriate deposit rules. SSN and/or DL provided is same as on an existing account. SSN or DL provided cannot be validated when entered in SAP or external system. Customer Service verifies SSN and/or DL information. If info cannot be validated it is removed from application. Credit conducts investigation to validate information and contacts customer. Note may be placed on premise. The address or telephone number is same as on an existing account. Customer with existing service tries to open new account with fraudulent information. Customer Service verifies if info given is correct. Reviews premise, Clogs for acct history. Credit conducts investigation and contacts customer. Person opening account will not provide customer identifying information. Caller requesting service refuses to provide SSN/DL#, etc. Customer Service will complete application without identifying information and charge applicable deposit. Educate customer about reason for identifying information. Can suggest a PIN. Credit conducts skip tracing. If fraud found a refusal of service is issued, MVI stopped and/or payment arrangements made. 11 Alerts, notifications or warnings received from a Consumer Reporting Agency when opening an account.

12. ScenariosExampleRisk Avoidance An account is used in a way that is not consistent with established patterns of activity on the account. Customer has large credit balance on account not consistent with payment/usage history on account. Review account with Lead, Supervisor, or request assistance from Credit before requesting refund. Credit investigation includes skip tracing and possible request for additional documentation. Personal identifying information provided is not consistent with the name, address or account number on file with the company. Customer cannot provide valid identifying information consistent with information on existing CNP account. Standard verification required when accessing any account. Information should be verified—not provided to customer. The company is notified by phone or in writing of unauthorized charges or transactions in connection with customer’s account. Customer may dispute date of MVI/MVO transaction. There could be unauthorized gas usage (GULM) on account. Customer Service would review account history, bill statement, and issue applicable case to correct charges. 12 Existing accounts having unusual use of or suspicious activity Red Flag #3 Notice from customers, victims of Identity Theft, law enforcement authorities, or other persons regarding Identity Theft ScenariosExampleRisk Avoidance The company is notified that a fraudulent account has been opened using stolen identity information. Customer or law enforcement agency notifies CNP that an account has been opened with stolen information. Law enforcement and Corporate Security must also be notified. Use standard verification process to validate customer identity. Mail fraud packet. Investigation completed by Credit.