Barring further delays, beginning Nov. 1 all financial institutions and any company that extends credit to customers, even in the form of multiple-month payment plans, will be required to establish centralized anti-fraud procedures and systems under the Federal Trade Commission's new Red Flags Rule.

Facing a growing wave of identity theft, the FTC wants companies to pay more attention to establishing the identity of customers and credit recipients, and to put in place a system to flag theft attempts early. “Identity theft has been the No. 1 consumer complaint at the FTC for years now,” says Manas Mohapatra, an attorney with the agency's division of privacy and identity protection.

But attorneys specializing in business law warn that the new regulations could surprise many companies that have never viewed themselves as creditors. Mohapatra notes that even sending customers bills for payment in 30 days for a product or service could be construed as extending credit.

The FTC has postponed the rule's effective date several times as businesses objected that it was not clear who would be included. Even though its Web site (http://ftc.gov/redflagsrule) offers answers to frequently asked questions, the agency has promised further clarification.

“The Red Flags Rule has fines and penalties for noncompliance,” says Greg Bee, an attorney with the law firm of Taft Stettinius & Hollister, “but if it establishes a new 'standard of care' to be taken regarding extension of credit, it could also give rise to customer lawsuits.” That is, if a company's customers become victims of ID theft because of a transaction with the firm, they could file suit based upon any perceived failure by the company to meet the FTC's requirements.

The FTC expects a company's identity theft prevention program to be “appropriate to the size and complexity” of the business, according to the law firm's report on the rule, which concludes that “reasonable commonsense safeguards are likely to be enough for most businesses.” These might include requiring adequate identification of all customers and, in the event of suspected ID theft, alerting the customer, changing passwords, and possibly foregoing collection on an account or notifying law enforcement.

Most large companies already have systems in place to protect both themselves and their customers from ID theft and fraud, Mohapatra says. “For them, it's not a matter of adding a new layer on top of everything else,” he says. “It's just a matter of exercising common sense and of centralizing controls as a matter of policy.” Compliance could be something as simple as requiring two forms of ID to establish customer identity instead of just one.”

The rule could also help businesses, he added, citing a participant at an April hearing who said that the process of developing a red flag system helped get different offices in the company talking that hadn't talked before about what they were doing about identity theft.

Kevin Kalinich, national managing director of insurance broker Aon's financial services group, agrees that the new rule is probably a good thing for most businesses. “We found that among our clients and prospects, as of August, fully half of them did not have a good system for guarding against ID theft,” Kalinich says. “If this rule makes them become more compliant, they will save a lot of money, both in terms of fewer lawsuits by customers and lower insurance costs.”