Federal Agencies Overseeing Identity Theft: FTC, DOJ, SSA, IRS, and More

The federal oversight landscape for identity theft spans at least five major agencies, each holding distinct statutory authority over different dimensions of fraud, enforcement, and victim remediation. Understanding which agency governs which type of identity theft is essential for victims, legal professionals, and researchers navigating the enforcement and recovery process. Jurisdictional boundaries determine where complaints are filed, how investigations proceed, and what remedies may be available under federal law.

Definition and scope

Identity theft, as defined under 18 U.S.C. § 1028 (U.S. Code, Title 18, §1028), involves the knowing transfer, possession, or use of another person's means of identification without lawful authority. The statute covers a broad range of identifying data — Social Security numbers, driver's license numbers, credit card account numbers, biometric data, and electronic identifiers.

Federal jurisdiction over identity theft is not consolidated in a single agency. Instead, it is distributed across civil enforcement, criminal prosecution, benefits fraud prevention, tax administration, and consumer financial protection. This structural distribution reflects both the variety of harm categories and the pre-existing statutory mandates held by different departments. The identity-theft-provider network-purpose-and-scope outlines how these overlapping mandates shape the service and resource landscape for affected individuals.

The scope of federal involvement expands further when identity theft intersects with wire fraud, mail fraud, healthcare fraud, or financial institution fraud — all of which carry separate charges under Title 18 and fall under the overlapping jurisdiction of the FBI, U.S. Secret Service, and U.S. Postal Inspection Service.

How it works

Federal oversight of identity theft operates through a layered system of civil enforcement, criminal referral, administrative action, and interagency coordination. The process typically proceeds through the following phases:

  1. Complaint intake — Victim reports are received by agency-specific channels. The FTC's IdentityTheft.gov serves as the primary civilian intake portal, aggregating data into the Consumer Sentinel Network, which is accessible to more than 2,800 law enforcement agencies (FTC, Consumer Sentinel Network).

  2. Civil enforcement initiation — The Federal Trade Commission holds primary civil authority under Section 5 of the FTC Act (15 U.S.C. § 45) to act against deceptive and unfair practices, including data broker misuse and identity fraud-enabling services.

  3. Criminal referral and prosecution — The Department of Justice, through its Computer Crime and Intellectual Property Section (CCIPS) and U.S. Attorneys' offices, prosecutes identity theft offenses under 18 U.S.C. §§ 1028 and 1028A. The Identity Theft Enforcement and Restitution Act of 2008 strengthened DOJ's prosecutorial tools, including mandatory restitution orders (DOJ, CCIPS).

  4. Benefits and tax fraud investigation — The Social Security Administration's Office of the Inspector General (SSA-OIG) investigates fraudulent use of Social Security numbers, while the IRS Criminal Investigation division handles tax-related identity theft under 26 U.S.C. § 7201 and related statutes (IRS, Identity Theft Central).

  5. Financial sector oversight — The Consumer Financial Protection Bureau (CFPB) enforces the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., which governs credit file dispute rights arising from identity theft (CFPB, FCRA overview).

Common scenarios

Identity theft cases encountered by federal agencies fall into distinct typological categories, each routed to a different primary authority:

Tax identity theft — A fraudulent federal tax return is filed using a victim's Social Security number to claim a refund. Primary federal body: IRS. Victims file Form 14039 (Identity Theft Affidavit) and may receive an Identity Protection PIN (IRS, IP PIN Program).

Benefits identity theft — A stolen SSN is used to claim Social Security, Medicare, or Medicaid benefits. Primary federal body: SSA-OIG and the HHS Office of Inspector General. The SSA issued over 1 million replacement Social Security cards annually in the years leading up to its 2023 modernization initiatives (SSA, Annual Statistical Supplement).

Financial account fraud — New credit accounts or loans are opened using stolen identifying information. Primary federal bodies: FTC (civil), DOJ (criminal), and CFPB (credit reporting remediation). Victims can place fraud alerts under FCRA § 605A or initiate extended alerts through the three national credit bureaus.

Medical identity theft — A victim's identity is used to fraudulently obtain healthcare services or prescriptions. Primary federal body: HHS-OIG, with potential FBI involvement if healthcare fraud thresholds under 18 U.S.C. § 1347 are met (HHS-OIG).

Criminal identity theft — An offender presents stolen identity documents during arrest or prosecution, resulting in a victim acquiring a criminal record. Primary federal body: DOJ, in coordination with state law enforcement. FBI identity records maintained in the National Crime Information Center (NCIC) may require correction through the FBI's Identity History Summary process (FBI, NCIC).

Researchers and professionals navigating service providers in this space will find structured providers at the identity-theft-providers page.

Decision boundaries

Determining which federal agency has primary jurisdiction involves evaluating three dimensions: the type of identifying data misused, the downstream harm category, and whether the conduct is civil, administrative, or criminal.

FTC vs. DOJ — The FTC's role is civil enforcement and victim support infrastructure; the FTC cannot prosecute crimes. Criminal prosecution requires DOJ referral. A single identity theft incident may trigger both an FTC civil investigation and a parallel DOJ criminal indictment if the conduct meets the threshold under 18 U.S.C. § 1028A (Aggravated Identity Theft), which carries a mandatory 2-year consecutive sentence.

IRS vs. SSA-OIG — Both agencies respond to SSN misuse but diverge on purpose. IRS jurisdiction activates when the SSN is used to file fraudulent returns or claim tax credits. SSA-OIG jurisdiction activates when the SSN is used to receive federal benefits payments or alter earnings records.

CFPB vs. FTC — For credit reporting disputes arising from identity theft, the CFPB enforces FCRA against consumer reporting agencies, while the FTC retains enforcement authority over creditors and data brokers. Post-2012 Dodd-Frank Act transfer, the CFPB holds primary FCRA rulemaking authority for entities with over $10 million in assets (CFPB, Dodd-Frank §1029).

Federal vs. state jurisdiction — Federal jurisdiction applies when identity theft involves federal benefit programs, crosses state lines, or uses wire or mail communications. State attorneys general hold concurrent authority in most consumer fraud categories under state consumer protection statutes. The how-to-use-this-identity-theft-resource page maps how this federal-state layering affects service navigation.

 ·   · 

References

Read Next

Federal Identity Theft Laws: ITADA, FACTA, and Related Statutes ANA › Professional Services Authority › National Cyber › National Identity Theft Federal Identity Theft Laws: ITADA, FACTA, and Related... State Identity Theft Laws: Variation Across US Jurisdictions ANA › Professional Services Authority › National Cyber › National Identity Theft State Identity Theft Laws: Variation Across US... Identity Theft Criminal Penalties and Federal Prosecution Overview ANA › Professional Services Authority › National Cyber › National Identity Theft Identity Theft Criminal Penalties and Federal...