Be prepared to pull out your driver's license on your next visit to the dentist. And don't be surprised if a retailer asks for a birth date or mother's maiden name if it's giving you credit for your big-ticket purchase.
They're just following federal rules to protect consumers from identity theft. Beginning next month, a wide range of businesses — auto dealers, cell phone companies, real estate agents, mortgage brokers, utilities and health care providers — must start complying with "Red Flag Rules." The rules are meant to stop fraud before it happens by requiring certain businesses to look for signs that customers might be imposters and, if there are signs that they are, to take action.
"People will notice more requests for verification for their identity, and some people will feel insulted or annoyed," says Anne Wallace, president of the Identity Theft Assistance Center. "I would urge them to regard this as a protection."
The Fair and Accurate Credit Transactions Act of 2003 required financial institutions and businesses to establish identity theft programs. Banks and other financial institutions have had to comply since late 2008. But other businesses — some of which had no idea that the law applied to them — were given until this June.
Whether businesses must comply depends on their billing practices and roles in credit decisions. The rules apply to those that provide services upfront and let customers pay later or in installments — like a dentist who lets you spread out the cost of pricey inlays, says Rebecca Kuehn, an assistant director with the Federal Trade Commission, which oversees business compliance.
Businesses must also comply if they help arrange loans or credit, such as debt collectors and retailers offering financing. Companies that accept credit cards or hospitals paid by insurance don't come under the rules, Kuehn says.
Those who fail to comply face legal action, penalties and greater regulatory oversight for years, Kuehn says.
While consumers are expected to benefit, not everyone is happy about the rules.
The American Bar Association successfully argued in court that lawyers should be excluded, although the FTC is appealing the decision, Kuehn says. Accountants sued, too, and their fate will hinge on how the appeals court rules on the lawyers' case, she says.
All the other businesses that must be in compliance next month have to set up an identity theft program to detect "red flags," or signs that consumers might not be who they say they are. Companies determine the red flags for their particular businesses, but federal regulators offered a couple of dozen examples.
A red flag, for instance, can be a fraud alert on a credit report, or a credit application with a different address and phone number than records show. It may be a rash of new credit accounts being opened or people who don't look like their photo ID. Or suspicions could be raised if a customer uses a dead person's Social Security number.
Businesses must also spell out how they will react when a red flag is triggered to prevent identity theft or lessen the damage. They could, for example, contact the real customer, monitor the account for unusual activity, refuse to extend credit or call the police, the FTC says.
Red flag rules may already be having an impact in the credit card world, reports Javelin Strategy & Research.
For years, the No. 1 method thieves used to take over a credit card was to change the address on the account. By the time consumers noticed that they were no longer getting statements, the thieves would have racked up months of purchases, says Mary Monahan, research director.
In 2006, only 16 percent of the top card issuers alerted customers to requests for address changes on their accounts, Javelin found. As of last year, 92 percent offered alerts.
Thieves are still using the change-of-address tactic. But now the most popular scheme for taking over an account is to request being added as an authorized user on someone else's card, Monahan says.
"It's a moving target. Once you block one door, the criminals go through the window," Monahan says.
As thieves change their methods, the Red Flag Rules also require businesses to keep up by adjusting their programs.
Some privacy experts say the effectiveness of the Red Flag Rules will depend on how strictly regulators enforce compliance. But others say the rules will help plug some security holes.
Financial institutions have sophisticated fraud prevention programs, but that's not the case in every industry, says Thomas Oscherwitz, chief privacy officer with California-based ID Analytics.
"Fraudsters go to the weakest link," Oscherwitz says. They can seek out Social Security numbers or birth dates from one lax company, and then "use that to create a new credit card in your name," he says.
Businesses can't assume that their work is done after creating an identity theft program.
"It's not a silver bullet. It's a step in the right direction," says Jeremy Miller, a director of operations with Kroll Fraud Solutions in Nashville, Tenn. Businesses need to go further, such as conducting background checks on employees to prevent fraud from within or limiting worker access to sensitive information, he says.
Consumers can't let their guard down, either. Be on the lookout for red flags, too. If you get a strange call from a collection agency or receive statements from companies you don't deal with, investigate immediately, Miller says.
Read financial statements as soon as they arrive in the mail. And get your free annual credit reports to make sure there isn't any funny business going on in your accounts.