Disputing Fraudulent Accounts with Credit Bureaus: Equifax, Experian, TransUnion
Fraudulent accounts opened through identity theft appear on consumer credit reports and can damage credit scores, impair loan eligibility, and generate collection activity against victims who bear no responsibility for the debt. The dispute process — governed by the Fair Credit Reporting Act (FCRA) and administered through Equifax, Experian, and TransUnion — provides a formal mechanism for removing inaccurate or unauthorized tradelines. This page maps the structure of that process, the regulatory framework that enforces it, and the classification distinctions that determine how a dispute is routed and resolved.
Definition and scope
A credit bureau dispute is a formal challenge to the accuracy or legitimacy of information appearing on a consumer credit report. Under 15 U.S.C. § 1681i, consumer reporting agencies (CRAs) — the statutory term for credit bureaus — are required to investigate disputes within 30 days of receipt (extendable to 45 days if the consumer submits additional documentation during the investigation window). The dispute right applies to any item the consumer alleges is inaccurate, incomplete, or unverifiable.
In the identity theft context, disputes target fraudulent tradelines: accounts opened without the consumer's knowledge, charges posted to existing accounts by unauthorized parties, or collection entries derived from debts the consumer never incurred. The three nationwide CRAs — Equifax, Experian, and TransUnion — each maintain independent databases, which means a fraudulent account appearing on all three reports requires three separate dispute submissions unless the consumer invokes the FCRA § 605B block procedure, which operates differently from a standard dispute and is specifically reserved for identity theft victims.
The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) share oversight of CRA compliance. The CFPB supervises the three major bureaus under the Dodd-Frank Act (12 U.S.C. § 5514) and publishes supervisory guidance on dispute handling obligations. The FTC retains enforcement authority under the FCRA for violations not covered by CFPB jurisdiction.
For a broader view of how identity theft services and dispute-related resources are organized nationally, see the Identity Theft Providers provider network.
How it works
The dispute-to-resolution pipeline follows a structured sequence with defined legal deadlines at each stage.
-
Initiation — The consumer submits a dispute to one or more of the three CRAs by mail, online portal, or phone. The FTC and CFPB both recommend certified mail for identity theft disputes to create a verifiable record. Each bureau maintains a dedicated dispute intake address and online portal: Equifax Dispute Center, Experian Dispute Center, and TransUnion's dispute portal at transunion.com.
-
Documentation package — For identity theft disputes specifically, supporting documentation strengthens the claim. Useful materials include: a filed FTC Identity Theft Report (generated at IdentityTheft.gov), a police report where obtainable, government-issued identification, and account statements or notices showing the disputed item. An FTC Identity Theft Report alone qualifies the consumer for the FCRA § 605B block, which is a faster pathway than a standard FCRA § 1681i dispute for confirmed identity theft cases.
-
Bureau investigation — The CRA forwards the dispute to the information furnisher (the creditor or collection agency that reported the tradeline) via an Automated Consumer Dispute Verification (ACDV) system. The furnisher is obligated under FCRA § 1681s-2(b) to investigate and report back within the bureau's investigation window.
-
Outcome notification — The CRA must notify the consumer in writing of the results. If the disputed item is deleted or modified, the bureau must provide a free copy of the updated report. If the furnisher verifies the item as accurate, it remains on the report, and the consumer receives written notice with the furnisher's contact information.
-
Escalation options — If the dispute is rejected and the consumer believes the determination is incorrect, escalation paths include: re-dispute with additional documentation, direct dispute to the furnisher under CFPB regulations (12 C.F.R. § 1022.43), a CFPB complaint submission, or private legal action under the FCRA, which allows for statutory damages ranging from $100 to $1,000 per willful violation (15 U.S.C. § 1681n).
Common scenarios
New account fraud — An identity thief uses stolen personal information to open a credit card, auto loan, or retail account. The victim has no knowledge of the account until it appears on a credit report or a collection notice arrives. This is the most common scenario driving FCRA § 605B block requests. The FTC's IdentityTheft.gov platform generates a pre-populated recovery plan tailored to this scenario.
Account takeover with new charges — The thief gains access to an existing account and posts unauthorized charges. The fraudulent charges may appear as a high balance or as a collection entry after the account defaults. This scenario typically requires both a creditor-level fraud dispute and a CRA dispute if the delinquency has already been reported.
Mixed file errors — A CRA incorrectly merges the credit records of two different consumers with similar identifying information. The result is a report containing tradelines that belong to a different person. This is a data integrity failure rather than third-party fraud, but it follows the same FCRA § 1681i dispute pathway.
Synthetic identity accounts — Fraudsters construct a fabricated identity using a real Social Security number paired with a fictitious name and address. The SSN holder may not discover the synthetic file until the fraudster defaults and the account appears in collection. These disputes often require direct engagement with the Social Security Administration's fraud reporting channel and an FTC Identity Theft Report.
Decision boundaries
The FCRA establishes two legally distinct remedies that apply to overlapping but different situations:
| Mechanism | Governing Statute | Eligibility Requirement | Bureau Response Deadline |
|---|---|---|---|
| Standard Dispute | FCRA § 1681i | Any consumer alleging inaccuracy | 30 days (45 with supplemental docs) |
| Identity Theft Block | FCRA § 605B | Identity theft victims with FTC or law enforcement report | 4 business days (provisional); permanent block thereafter |
The block (§ 605B) is the stronger remedy: it prohibits the CRA from reporting the blocked information and requires the CRA to notify the furnisher. However, bureaus may decline to block if they reasonably determine the information was not caused by identity theft, if the request is frivolous, or if the consumer obtained goods or services through the transaction in question. A declined block request reverts to the standard § 1681i dispute pathway.
The distinction between a direct dispute (submitted to the furnisher under 12 C.F.R. § 1022.43) and a bureau dispute (submitted to the CRA under § 1681i) is material: a direct dispute does not trigger the bureau's investigation obligations; it triggers the furnisher's. Both can be filed simultaneously without legal conflict.
Consumers who have placed a fraud alert on their credit report receive a different layer of protection — creditors must take additional steps to verify identity before opening new accounts — but a fraud alert does not remove existing fraudulent tradelines. Removal requires a formal dispute or block. A credit freeze similarly restricts new account access but does not cleanse the existing credit file.
The provider network purpose and scope section of this site provides context on how identity theft service categories — including dispute support services — are classified within the national service landscape. For a structured overview of how to navigate this reference resource, see How to Use This Identity Theft Resource.