Deep Dive
Step-by-step breakdown
Step 1. FTC Identity Theft Reports: The Regulatory Trigger
The FTC Identity Theft Report is the foundational document in the federal identity theft dispute framework. Created through IdentityTheft.gov (now managed under the FTC's consumer portal), the report generates a unique case number and a pre-populated affidavit that satisfies the requirements of FCRA §605B and the Fair and Accurate Credit Transactions Act (FACTA). Without this report, consumers attempting to invoke blocking rights face significantly higher evidentiary burdens. With it, credit bureaus and furnishers are required to block fraudulent information within four business days.
FTC data shows that the agency received 1.4 million identity theft reports in 2023, up from 1.1 million in 2022 and just 651,000 in 2019. Credit card fraud and government document/benefits fraud were the two largest categories, accounting for 40% and 26% of reports respectively. The FTC's Consumer Sentinel Network, which aggregates identity theft data from the FTC, the FBI's IC3, state attorneys general, and other sources, recorded 5.7 million total fraud reports in 2023, of which identity theft comprised roughly 25%.
A critical distinction exists between an FTC Identity Theft Report and a police report. Prior to FACTA, consumers needed a police report to invoke most identity theft protections. Many police departments refused to take reports for identity theft, particularly when the victim was in a different jurisdiction from the perpetrator. The FTC report was designed to fill this gap — it is accepted by all three bureaus and by furnishers as a substitute for a police report. However, some creditors and debt collectors still request police reports, and the CFPB has clarified in Bulletin 2017-01 that an FTC Identity Theft Report alone is sufficient to trigger FCRA blocking obligations.
- FTC Identity Theft Report triggers mandatory 4-business-day blocking under FCRA §605B
- 1.4 million identity theft reports filed with the FTC in 2023; 40% involved credit card fraud
- Created at IdentityTheft.gov, the report generates a unique case number and pre-populated affidavit
- CFPB Bulletin 2017-01: FTC Identity Theft Report alone is sufficient — police report not required
- Consumer Sentinel Network recorded 5.7 million total fraud reports in 2023; identity theft was 25% of total
Step 2. FCRA §605B Blocking: The Mandatory Removal Mechanism
Section 605B of the FCRA (added by FACTA in 2003) creates the most powerful removal mechanism available to identity theft victims. When a consumer submits an identity theft report, a copy of the report (or the FTC report number), proof of identity, and a statement identifying the fraudulent information, the credit bureau must block the reported items within four business days. The block prevents the information from appearing on the consumer's credit report and prohibits the bureau from reselling or redistributing it.
The blocking obligation is not discretionary. Unlike a standard dispute under §611, where the bureau investigates and may verify the information, §605B blocking is triggered by the identity theft report submission — the bureau does not independently verify whether identity theft occurred before blocking. The only basis for declining to block is if the bureau 'reasonably determines' that the identity theft report was filed in error, the dispute is materially inaccurate, or the consumer obtained the goods or services associated with the blocked account. The burden is on the bureau to affirmatively establish one of these exceptions.
However, the blocking mechanism has a significant gap: it addresses the credit report but not the underlying debt. A blocked tradeline does not eliminate the collector's claim or prevent future collection activity through channels other than credit reporting. Consumers who successfully block a fraudulent account should also send a written dispute to the collector citing the identity theft, include a copy of the FTC report, and request that the collector cease collection under FDCPA §1692c and verify the debt under §1692g. This dual-track approach — blocking at the bureau and disputing with the collector — is necessary to resolve the full scope of the problem.
- §605B requires credit bureaus to block identity theft items within 4 business days of receiving required documentation
- Blocking is mandatory upon proper submission — no investigation required before blocking
- Bureau can decline only if it reasonably determines the report was filed in error, is materially inaccurate, or the consumer obtained the goods/services
- Blocking removes the information from the credit report but does not eliminate the underlying debt claim
- Consumers must separately dispute with the collector to stop collection activity on fraudulent accounts
Step 3. Extended Fraud Alerts: 7-Year Protection Under FCRA §605A
FCRA §605A provides two tiers of fraud alerts. The initial fraud alert (§605A(a)) lasts one year and requires only a statement of good-faith belief that identity theft has occurred or is imminent. The extended fraud alert (§605A(b)) lasts seven years and requires submission of an identity theft report. Both types instruct creditors to take reasonable steps to verify the consumer's identity before extending new credit — typically by calling the phone number the consumer provides. The Economic Growth, Regulatory Relief, and Consumer Protection Act (2018) extended the initial alert from 90 days to one year.
The practical effectiveness of fraud alerts depends on creditor compliance. Under §605A(h), any creditor that extends credit without following the verification procedures in a fraud alert faces liability for the resulting debt. However, the FTC's 2014 study found that creditor compliance with fraud alert verification requirements was inconsistent: approximately 30% of creditors surveyed did not have systematic processes for checking fraud alerts before approving applications. The CFPB has not conducted a follow-up study, but complaint data suggests the compliance gap persists.
One frequently overlooked benefit of extended fraud alerts: they entitle the consumer to two free credit reports per year from each bureau (in addition to the annual free report under §612). This means an identity theft victim with an extended alert can access up to nine free bureau reports per year (three annual plus six additional), providing frequent monitoring without cost. Under the CARES Act expansion (extended through 2026), weekly reports are already available for free, making this benefit somewhat redundant in the current environment — but it will become relevant again when the weekly free report program expires.
- Initial fraud alert: 1 year, requires good-faith belief statement only (extended from 90 days in 2018)
- Extended fraud alert: 7 years, requires submission of an identity theft report
- §605A(h): creditors who extend credit without following fraud alert verification procedures face liability
- FTC (2014): ~30% of creditors lacked systematic processes for checking fraud alerts before approving applications
- Extended alerts provide 2 additional free credit reports per bureau per year beyond the standard annual entitlement
Step 4. Security Freezes vs. Fraud Alerts: Regulatory Differences
A security freeze (credit freeze) under FCRA §605A(i)-(j), added by the Economic Growth Act of 2018, prohibits the bureau from releasing the consumer's credit report to new creditors without the consumer's explicit authorization. Unlike a fraud alert, which is a notification that creditors may ignore (at their legal risk), a freeze is a hard block — the bureau cannot release the file. Freezes are free under federal law since September 2018; before that, bureaus charged up to $10 per freeze per bureau in most states.
The operational distinction matters for identity theft victims. A fraud alert says 'call to verify before approving.' A freeze says 'do not release this file.' For consumers who have experienced identity theft and want to prevent new fraudulent accounts, a freeze is the more effective tool. However, freezes create friction when the consumer applies for legitimate credit — the consumer must temporarily lift or 'thaw' the freeze with each bureau before a creditor can pull the report. The thaw can be accomplished online, by phone, or by mail and must take effect within one business day under §605A(i)(1)(C).
A common error is assuming a freeze stops all identity theft activity. Freezes prevent new account fraud (someone opening accounts in your name) but do not prevent: existing account takeover (fraudulent charges on accounts you already have), tax refund fraud (filing a false tax return using your SSN), employment fraud, or medical identity theft. The FTC recommends a layered approach: freeze with all three bureaus plus an extended fraud alert plus monitoring of existing accounts plus an IRS Identity Protection PIN. No single measure addresses all identity theft vectors.
- Security freeze: hard block on file release, free since September 2018 under federal law
- Fraud alert: notification to creditors to verify, but does not prevent file release
- Freezes must be thawed within 1 business day when the consumer requests it (§605A(i)(1)(C))
- Freezes prevent new account fraud but not existing account takeover, tax fraud, or medical identity theft
- FTC recommends layered approach: freeze + extended fraud alert + account monitoring + IRS IP PIN
Step 5. Bureau and Furnisher Obligations After an Identity Theft Claim
Beyond blocking, FCRA §605B imposes a chain of obligations. When a bureau blocks information based on an identity theft report, it must notify the furnisher that the block has been placed. The furnisher must then stop reporting the blocked information to any bureau and must not sell, transfer, or place for collection the debt associated with the blocked account. Violation of this prohibition constitutes a willful FCRA violation under §616, carrying statutory damages of $100-$1,000, plus actual and punitive damages.
CFPB enforcement has focused on furnishers who re-report blocked accounts. The Bureau's 2022 consent order against a major bank ($3.5 million penalty) involved the bank's automated system re-reporting accounts that had been blocked by the bureaus due to identity theft claims. The bank's system lacked a flag to prevent re-reporting after a block, causing accounts to cycle between blocked and reported status for months. The order required the bank to implement system controls preventing automatic re-reporting of any account subject to an identity theft block.
For consumers, the enforcement landscape means that documentation is paramount. Every communication — the FTC report, the blocking request to each bureau, the bureau's acknowledgment of the block, any subsequent re-reporting of the blocked information, and the furnisher dispute — should be preserved. Under FACTA §151(b), identity theft victims also have the right to request copies of applications and business transaction records related to the fraudulent accounts from the creditors who opened them. These records may identify the perpetrator and serve as evidence if the case is referred to law enforcement.
- After blocking, the bureau must notify the furnisher; the furnisher must stop reporting and stop collection on the blocked account
- Violation of the re-reporting prohibition is a willful FCRA violation under §616 ($100-$1,000 statutory damages)
- CFPB 2022 consent order ($3.5M) against a bank for automated re-reporting of identity theft-blocked accounts
- FACTA §151(b): identity theft victims can request copies of fraudulent applications and transaction records from creditors
- Preserve every document: FTC report, blocking request, bureau acknowledgment, re-reporting evidence, furnisher disputes
