Attorneys have until May 1 to have their Red Flag Rules in place, according to the Federal Trade Commission. The rules were established in 2003 as part of the Fair and Accurate Credit Transaction Act (FACT Act), the same congressional act that allows consumers to routinely view their credit reports without charge.

Under the Red Flag Rules, anyone who extends credit must develop policies and procedures to identify and respond to any potential identity theft attempts. The warning signs—red flags—include:

• Identification documents and credit or debit cards that appear to have been altered or fraudulently manufactured.
• Photo identification in which the photo doesn’t appear to represent the client offering it.
• Unexpected or suspicious changes of address.
• A fraud alert or credit freeze on the clients’ credit report.
• Unusual account activity.

The federal agency’s definition of creditor originated with the Equal Credit Opportunity Act. The broad definition encompasses any businesses that extend credit or defer payment for services rendered. As such, attorneys who offer delayed or partial payment for client representation are included.

Small businesses, doctors’ offices and medical facilities were taken by surprise when they discovered a few months ago that they were included in the FTC’s definition of “creditors,” and the American Medical Association has petitioned the FTC for an exclusion or a delay in enforcement of the rules.

The FTC response was that the rule won’t provide an undue burden. “For example, a small medical practice with a well-known, limited patient base might have a lower risk of identity theft, and thus might adopt a more limited program than a clinic in a large metropolitan setting that sees a high volume of patients.

Presumably, the same applies to legal practices, though even small criminal law practices might be required to apply more stringent rules.