FTC Identity Theft Report: Filing, Usage, and Limitations
The FTC Identity Theft Report is a federally recognized document generated through the Federal Trade Commission's IdentityTheft.gov platform, serving as a formal record of identity theft incidents reported by consumers in the United States. This page covers the report's legal definition, the filing process, its recognized uses across creditor and law enforcement contexts, and the boundaries of what the document can and cannot accomplish. For professionals navigating the identity theft services sector, understanding the scope and limitations of this report is foundational to advising clients or structuring recovery workflows.
Definition and scope
The FTC Identity Theft Report is produced when a consumer completes an identity theft complaint through IdentityTheft.gov, the Federal Trade Commission's dedicated recovery portal. The report is not a police report and does not carry the weight of a sworn criminal affidavit. However, under the Fair Credit Reporting Act (FCRA), specifically 15 U.S.C. § 1681c-2, an identity theft report filed with a consumer reporting agency triggers a legally enforceable obligation for that agency to block fraudulent tradelines from the victim's credit file within four business days of receiving the report.
The FTC defines identity theft, for purposes of this report, as fraud committed using another person's identifying information without authorization. The report captures incident details including the type of misuse (tax fraud, credit card fraud, loan fraud, medical identity theft), the timeframe, and the fraudster's actions. It is distinct from a general consumer complaint and is specifically structured to activate statutory consumer protections under the FCRA and the Fair and Accurate Credit Transactions Act (FACTA).
The FTC, as an independent federal agency operating under 15 U.S.C. § 41 et seq., does not prosecute individual cases of identity theft. Criminal prosecution falls to the Department of Justice under the Identity Theft and Assumption Deterrence Act (18 U.S.C. § 1028), which established federal criminal penalties reaching up to 15 years imprisonment for aggravated identity theft offenses.
How it works
The filing process follows a structured sequence through IdentityTheft.gov:
- Incident intake — The consumer selects the type of identity theft from a categorized menu (tax, credit, medical, employment, government benefits, etc.) and provides details about what occurred.
- Affirmation — The consumer affirms the accuracy of the information submitted, satisfying the "identity theft report" definition under 16 C.F.R. § 603.3, which requires the report to be filed with a federal, state, or local government agency.
- Report generation — The platform generates a PDF document labeled as an FTC Identity Theft Report, timestamped and unique to that filing, containing a reference number.
- Personalized recovery plan — The platform generates a customized checklist of recovery steps based on the theft type selected.
- Pre-filled letters — IdentityTheft.gov generates pre-drafted dispute letters formatted for submission to credit bureaus, creditors, and the IRS (for tax fraud cases), each referencing the report number.
- Optional updates — The consumer may log back into the system to update the report if additional fraudulent activity is discovered.
The three major consumer reporting agencies — Equifax, Experian, and TransUnion — are required under the FCRA to accept the FTC Identity Theft Report as sufficient documentation to place a fraud alert, initiate extended fraud alerts (lasting 7 years), or block fraudulent tradelines. Extended fraud alerts require the consumer to be contacted directly before new credit is issued, a protection that standard fraud alerts (lasting 1 year) do not fully enforce.
Common scenarios
The FTC Identity Theft Report is generated and used across five primary theft categories recognized by the FTC's annual Consumer Sentinel Network Data Book:
- Credit card fraud — The most reported category in the FTC's Consumer Sentinel Network (FTC Consumer Sentinel Network Data Book 2023), used to dispute unauthorized accounts and flag tradelines for removal.
- Tax identity theft — The report, combined with IRS Form 14039 (Identity Theft Affidavit), initiates the IRS Identity Protection PIN program and flags the taxpayer's account for manual review.
- Medical identity theft — Used to request correction of medical records under HIPAA (45 C.F.R. § 164.526) and to dispute fraudulent insurance claims with providers.
- Government benefits fraud — Specifically Social Security Administration benefit fraud, where the report supports a claim filed through the SSA's fraud reporting channel (ssa.gov/fraud).
- Employment fraud — Where a thief uses another person's Social Security Number for employment, triggering IRS notices about unreported income; the FTC report supports a response to the IRS CP2000 or similar correspondence.
Professionals catalogued in the identity theft providers sector — including credit repair organizations, identity theft resolution services, and nonprofit credit counseling agencies — routinely use the FTC Identity Theft Report as the starting document in client onboarding and dispute workflows.
Decision boundaries
The FTC Identity Theft Report carries legal weight in specific, bounded contexts. Understanding where it applies and where it does not is critical for professional and consumer use alike.
Where the report is legally operative:
- Triggering the FCRA § 605B tradeline block obligation at consumer reporting agencies
- Supporting an extended fraud alert request under FCRA § 605A
- Satisfying the FTC's definition of an identity theft report for purposes of activating FACTA-based consumer protections
- Providing documentation to creditors who are legally required under FCRA § 623 to investigate disputed fraudulent accounts
Where the report is not sufficient:
- It does not substitute for a police report in jurisdictions where creditors or financial institutions require law enforcement documentation before reversing fraud losses
- It does not compel criminal investigation; law enforcement agencies (local, state, federal) act independently
- It does not automatically restore a victim's credit score — it initiates the dispute process, which credit bureaus have up to 30 days to resolve under FCRA § 611
- It does not cover business identity theft, which falls outside the FTC's consumer identity theft framework and is addressed through separate channels including the FTC's business fraud reporting at ftc.gov/ReportFraud
FTC Identity Theft Report vs. Police Report — key distinctions:
| Attribute | FTC Identity Theft Report | Police Report |
|---|---|---|
| Issuing authority | Federal Trade Commission | Local/state law enforcement |
| Legal status | Federal administrative record | Criminal law enforcement document |
| Filing mechanism | IdentityTheft.gov (self-service) | In-person or online with law enforcement agency |
| FCRA tradeline block trigger | Yes (§ 605B) | Can substitute in some cases |
| Criminal investigation initiated | No | Potentially, depending on jurisdiction |
| Required for insurance claims | Rarely | Frequently required |
| Accepted by all creditors | Not universally | More widely accepted |
Consumers and service providers navigating the identity theft resource framework should treat the FTC Identity Theft Report as a federal administrative instrument with strong civil protections but limited criminal enforcement reach. For incidents involving significant financial losses, concurrent filing with local law enforcement and the FTC is the standard practice recommended by the Department of Justice's Identity Theft resource page.
The scope and purpose of this report within the broader service landscape is further detailed in the identity theft provider network purpose and scope reference.