Federal Agencies Overseeing Identity Theft: FTC, DOJ, SSA, IRS, and More
The federal oversight landscape for identity theft spans at least seven distinct agencies, each operating under separate statutory authority with distinct enforcement and victim-assistance functions. Understanding which agency holds jurisdiction over a particular form of identity theft determines where victims file reports, where prosecutors seek charges, and which regulatory frameworks apply. This page maps the agency structure, their respective mandates, jurisdictional boundaries, and the points at which their roles intersect or diverge.
Definition and scope
Federal oversight of identity theft is not consolidated in a single agency. Instead, authority is distributed across agencies whose core mandates — consumer protection, tax administration, criminal prosecution, social insurance administration — each touch a distinct dimension of identity fraud. The primary federal statute framing this oversight is the Identity Theft and Assumption Deterrence Act of 1998 (18 U.S.C. § 1028), which established identity theft as a federal crime and directed the Federal Trade Commission to serve as the central clearinghouse for consumer complaints.
A victim of tax identity theft interacts primarily with the IRS, not the FTC. A victim of Social Security identity theft routes their report to the Social Security Administration's Office of Inspector General. A victim of financial identity theft may engage both the FTC for complaint logging and the Consumer Financial Protection Bureau for regulatory remediation. The scope of this page covers the five agencies most frequently involved in identity theft oversight — FTC, DOJ, SSA, IRS, and the CFPB — along with the supporting roles of the FBI and the U.S. Postal Inspection Service.
How it works
The federal oversight mechanism operates across three functional layers: complaint intake and data aggregation, criminal investigation and prosecution, and regulatory enforcement or victim assistance.
Layer 1 — Complaint intake and data aggregation
The Federal Trade Commission operates IdentityTheft.gov, the federally designated one-stop reporting platform authorized under 15 U.S.C. § 45. Complaints filed through this system feed into the FTC's Consumer Sentinel Network, which is accessible to over 2,800 law enforcement partners (FTC Consumer Sentinel Network). The FTC does not investigate individual cases or make arrests; its function is aggregation, pattern analysis, and the generation of personalized recovery plans.
Layer 2 — Criminal investigation and prosecution
The Department of Justice prosecutes identity theft crimes under 18 U.S.C. § 1028 and the aggravated identity theft statute at 18 U.S.C. § 1028A, which carries a mandatory 2-year consecutive sentence. The DOJ Computer Crime and Intellectual Property Section (CCIPS) coordinates on cases involving digital intrusion. The FBI investigates complex, multi-jurisdictional, and organized identity theft rings, often in coordination with the U.S. Secret Service for financial crimes. The U.S. Postal Inspection Service holds jurisdiction when mail is used as a vector — directly relevant to mail theft and identity fraud cases.
Layer 3 — Regulatory enforcement and victim assistance
The IRS Identity Protection Specialized Unit handles tax-related impersonation, issues Identity Protection PINs (IP PINs) to confirmed victims, and investigates fraudulent return filings. Detailed guidance on this program is covered in the IRS Identity Protection PIN Guide. The Social Security Administration's Office of Inspector General (SSA-OIG) investigates misuse of Social Security numbers. The Consumer Financial Protection Bureau enforces the Fair Credit Reporting Act alongside the FTC, relevant to victims disputing fraudulent accounts — a process detailed in the credit bureau dispute process.
Common scenarios
Specific identity theft types activate different agency combinations:
- Tax refund fraud — Primary agency: IRS. Secondary: DOJ for prosecution, FTC for complaint logging. Victim files IRS Form 14039 (Identity Theft Affidavit) and requests an IP PIN.
- Social Security number misuse for employment — Primary agency: SSA-OIG. Secondary: DOJ, FTC. Employer records may need correction through the SSA's earnings correction process.
- Data breach leading to account fraud — Primary agency: FTC (for complaint and recovery plan). CFPB if financial accounts are affected. FBI if breach originates from organized cybercrime. See data breach and identity theft for the breach-to-fraud pathway.
- Criminal identity theft (impersonation during arrest) — Primary agency: DOJ/FBI for criminal record correction. Local law enforcement for an identity theft clearance letter. Covered in full at criminal identity theft.
- Child identity theft involving government benefits — Primary agencies: SSA-OIG, FTC, and state-level social services. Relevant to child identity theft and government benefits identity theft.
- Medical identity theft — Primary agency: HHS Office for Civil Rights (HIPAA enforcement). FTC for complaint. Covered in detail at medical identity theft.
Decision boundaries
The critical jurisdictional distinctions that determine which agency a victim, attorney, or researcher should engage are:
| Identity Theft Type | Lead Federal Agency | Statutory Basis |
|---|---|---|
| General/financial fraud | FTC | 15 U.S.C. § 45; 18 U.S.C. § 1028 |
| Tax fraud / fraudulent returns | IRS | 26 U.S.C. § 6103; IRM 25.23 |
| SSN misuse | SSA-OIG | 42 U.S.C. § 408 |
| Criminal prosecution (federal) | DOJ / FBI | 18 U.S.C. § 1028, § 1028A |
| Medical record fraud | HHS / OCR | 45 C.F.R. Parts 160, 164 (HIPAA) |
| Credit reporting violations | CFPB / FTC | 15 U.S.C. § 1681 (FCRA) |
| Mail fraud vector | USPIS | 18 U.S.C. § 1341 |
The FTC versus CFPB distinction merits explicit clarification: the CFPB holds primary supervisory authority over large financial institutions (those with assets exceeding $10 billion, per the Dodd-Frank Wall Street Reform and Consumer Protection Act, 12 U.S.C. § 5481), while the FTC retains enforcement authority over non-bank entities. For identity theft victims disputing fraudulent accounts at a major bank, the CFPB's complaint system at consumerfinance.gov is the appropriate regulatory channel, not the FTC alone.
The DOJ's aggravated identity theft statute (18 U.S.C. § 1028A) applies only when identity theft is committed in connection with a predicate felony — it does not create a standalone victim-assistance mechanism. This statute is enforcement-facing, not victim-facing. Victims seeking remediation engage the FTC, IRS, SSA-OIG, or CFPB depending on the fraud category, while the DOJ's role activates through prosecutorial referral.
A full breakdown of penalty structures and prosecution thresholds appears in identity theft penalties and prosecution, and the federal statutory framework is documented at identity theft laws federal.
References
- Federal Trade Commission — IdentityTheft.gov
- FTC Consumer Sentinel Network
- Identity Theft and Assumption Deterrence Act, 18 U.S.C. § 1028
- DOJ Computer Crime and Intellectual Property Section (CCIPS)
- IRS Identity Theft Central
- SSA Office of Inspector General
- HHS Office for Civil Rights — HIPAA
- Consumer Financial Protection Bureau — Submit a Complaint
- U.S. Postal Inspection Service — Mail Fraud
- 18 U.S.C. § 1028A — Aggravated Identity Theft (Cornell LII)
- Dodd-Frank Act, 12 U.S.C. § 5481 (Cornell LII)
- Fair Credit Reporting Act, 15 U.S.C. § 1681 (FTC)