How to Report Identity Theft: Federal, State, and Local Procedures
Identity theft reporting in the United States operates across three distinct jurisdictional layers — federal agencies, state attorneys general and consumer protection offices, and local law enforcement — each with defined intake procedures, documentation standards, and downstream legal effects. Filing reports at the correct level, in the correct sequence, determines whether a victim qualifies for statutory protections under the Fair Credit Reporting Act (FCRA) and whether criminal investigation can proceed. The procedures described here cover the full federal-state-local reporting architecture, the documentation each channel requires, and the decision logic for routing a case appropriately.
Definition and scope
Identity theft reporting is the formal process by which a victim creates a verifiable, timestamped record that an unauthorized party has used or attempted to use their personal identifying information. That record has legal weight: under [15 U.S.C. Without a filed report, that statutory timeline does not apply.
The Federal Trade Commission (FTC) defines identity theft broadly to include financial fraud, tax identity theft, medical identity theft, criminal identity theft, and synthetic identity theft. Each subtype may require reporting to different agencies in addition to the FTC. The full taxonomy of reportable identity theft types is covered at identity theft types and categories.
Scope matters because under-reporting suppresses the statistical record used by Congress and agencies to calibrate enforcement. The FTC received 1.4 million identity theft reports in 2023 (FTC Consumer Sentinel Network Data Book 2023), making identity theft the top category of consumer fraud complaints for the third consecutive year.
How it works
The reporting process follows a defined sequence. Deviating from the sequence — for example, going directly to local police before filing an FTC report — can delay legal protections because many creditors and credit bureaus require the FTC Identity Theft Report as the threshold document.
Standard federal-state-local reporting sequence:
-
File an FTC Identity Theft Report at IdentityTheft.gov. This generates a personalized recovery plan and a formal FTC Identity Theft Report, which carries the weight of a sworn statement under 18 U.S.C. § 1001. The platform, administered by the FTC, pre-populates dispute letters and directs victims to agency-specific next steps. The process is documented in detail at IdentityTheft.gov explained.
-
Place a fraud alert or credit freeze with Equifax, Experian, and TransUnion. An initial fraud alert lasts 1 year and is free under the Economic Growth, Regulatory Relief, and Consumer Protection Act (Pub. L. 115-174). An extended 7-year fraud alert is available to confirmed identity theft victims who have filed an FTC report. A credit freeze is indefinite until lifted. Mechanics are covered at credit freeze and fraud alert guide.
-
File a local police report. Not all jurisdictions accept identity theft reports if no local nexus exists, but a police report number strengthens the documentation package required by some creditors and is mandatory for extended fraud alerts. Procedural specifics are at identity theft police report guide.
-
Report to relevant sector-specific agencies. Tax fraud goes to the IRS at IRS Form 14039. Social Security identity theft is reported to the Social Security Administration's Office of the Inspector General. Benefits fraud goes to the relevant federal or state benefits agency.
-
File state-level complaints. Every state attorney general maintains a consumer protection division. Filing at the state level creates a parallel record and may trigger state-specific remedies under statutes such as California's Identity Theft Victim Assistance Act or Texas Identity Theft Enforcement and Protection Act.
Common scenarios
Different theft patterns route to different reporting combinations:
-
Financial identity theft (new account fraud): FTC report → credit freeze at all three bureaus → police report → creditor dispute using the FTC Identity Theft Affidavit (IRS Form 14039 equivalent does not apply here; the FTC affidavit process is covered at identity theft affidavit explained).
-
Tax identity theft: IRS Form 14039 filed directly with the IRS, FTC report at IdentityTheft.gov, state tax agency notification if a state return was also filed fraudulently.
-
Medical identity theft: FTC report, written request to healthcare providers for accounting of disclosures under the HIPAA Privacy Rule (45 C.F.R. § 164.528), and complaint to HHS Office for Civil Rights if the provider does not respond.
-
Child identity theft: Parent or guardian files FTC report, requests manual credit file review from all three bureaus (minors do not have automatic files), and contacts the Social Security Administration if the child's SSN was misused.
-
Criminal identity theft: Requires coordination with local law enforcement to correct arrest records; the FTC report alone is insufficient — a court order or law enforcement agency verification letter is typically required by the arresting jurisdiction.
Decision boundaries
The primary routing decision is whether the theft is financial or non-financial, because the documentation chain and responsible agencies diverge sharply:
| Theft Category | Primary Federal Agency | Police Report Required? | Credit Bureau Action Required? |
|---|---|---|---|
| New account / credit fraud | FTC | Recommended | Yes — freeze or alert |
| Tax fraud | IRS | No | No |
| Medical fraud | FTC + HHS OCR | No | No (medical records dispute) |
| Benefits fraud | Relevant agency + FTC | No | Situational |
| Criminal record fraud | FTC + local PD | Yes — mandatory | No |
| SSN misuse | SSA OIG + FTC | Recommended | Yes |
The second decision boundary concerns timing. FCRA Section 605B's 4-business-day block obligation applies only if the victim submits both an identity theft report and proof of identity simultaneously to the credit bureau. Submitting the FTC report alone, without the accompanying identity document, restarts the clock. The FTC Identity Theft Report guide details the exact documentation bundle required.
For victims navigating multiple theft types simultaneously — a pattern common after a data breach — the identity theft victim recovery roadmap provides a sequenced multi-agency checklist that parallels the procedures described here.
State law introduces a third decision layer. 50 states have enacted identity theft statutes, but restitution mechanisms, victim certification processes, and law enforcement intake procedures vary. California Penal Code § 530.5 and Texas Penal Code § 32.51, for example, both establish felony-level offenses for identity theft but differ in restitution scope and affidavit requirements. State-by-state variation is indexed at state identity theft laws reference.
References
- Federal Trade Commission — Consumer Sentinel Network Data Book 2023
- IdentityTheft.gov (FTC)
- 15 U.S.C. § 1681c-2 — FCRA Identity Theft Block Provision (House OLRC)
- IRS Form 14039 — Identity Theft Affidavit
- HHS Office for Civil Rights — HIPAA Privacy Rule, 45 C.F.R. § 164.528
- Social Security Administration Office of Inspector General — Report Fraud
- Economic Growth, Regulatory Relief, and Consumer Protection Act, Pub. L. 115-174
- FTC — Free Credit Freeze Information