FTC Identity Theft Reporting and Recovery Program

The Federal Trade Commission operates a dedicated identity theft reporting and recovery infrastructure that serves as the federal government's primary resource for victims of identity-related fraud in the United States. This page covers the program's legal foundation, the step-by-step recovery mechanism, the categories of theft it addresses, and the boundaries of what the program can and cannot accomplish. Understanding this program is essential for consumers, attorneys, and compliance professionals who work within FTC authority frameworks.

Definition and scope

The FTC's identity theft program is authorized under the Identity Theft Assumption and Deterrence Act of 1998 (15 U.S.C. § 1681a), which designated the FTC as the federal clearinghouse for identity theft complaints and directed the agency to collect, compile, and refer victim information to law enforcement. The program operates through IdentityTheft.gov, a web-based portal that generates personalized recovery plans and produces official documentation that victims use with creditors, credit bureaus, and law enforcement agencies.

Scope is defined broadly. The program covers theft of Social Security numbers, financial account credentials, tax filing identity, medical identity, child identity, and criminal identity (where a perpetrator gives a victim's name during arrest or prosecution). The FTC Consumer Sentinel Network aggregates complaint data from IdentityTheft.gov alongside reports submitted by partner agencies, providing law enforcement with cross-referenced data at the national level.

The program does not constitute legal representation, does not prosecute offenders, and does not directly compel creditors to act. Its authority is administrative and documentary — it supplies victims with standardized artifacts that carry legal weight under the Fair Credit Reporting Act (15 U.S.C. § 1681c-2).

How it works

The recovery process follows a structured sequence designed to produce enforceable documentation at each stage:

1. Initial report submission — The victim files a report at IdentityTheft.gov. The system generates an FTC Identity Theft Report, which is a signed, sworn statement equivalent to an affidavit for purposes of disputing fraudulent accounts.
2. Personalized recovery plan — The portal produces a step-by-step checklist tailored to the type of theft reported (e.g., credit card fraud vs. tax fraud vs. medical identity theft).
3. Pre-filled dispute letters — IdentityTheft.gov generates ready-to-send letters addressed to specific creditors, the three major credit bureaus (Equifax, Experian, and TransUnion), and debt collectors. These letters cite the FTC Identity Theft Report number and invoke rights under the Fair Credit Reporting Act and the Fair Debt Collection Practices Act.
4. Credit freeze and fraud alert guidance — The plan directs victims to place extended fraud alerts (active for 7 years under 15 U.S.C. § 1681c-1) or security freezes with each credit bureau at no cost, as established by the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018.
5. Law enforcement referral — The FTC Identity Theft Report can be paired with a local police report to create a complete Identity Theft Report package, which triggers blocking rights under FCRA § 605B, requiring credit bureaus to block fraudulent information within 4 business days of receiving the package.
6. Progress tracking — The IdentityTheft.gov portal allows victims to mark steps complete and update their plan if additional theft types are discovered.

The FTC complaint process feeds aggregated, anonymized data from these reports into law enforcement databases accessible to more than 2,500 federal, state, and local agencies through the Consumer Sentinel Network.

Common scenarios

Tax identity theft occurs when a fraudster files a federal or state tax return using a victim's Social Security number to claim a refund. The IRS Identity Protection PIN program works alongside the FTC recovery plan in these cases; victims submit Form 14039 (Identity Theft Affidavit) to the IRS while simultaneously using the FTC report to address any associated credit damage.

Medical identity theft involves a perpetrator obtaining healthcare services or prescription drugs under a victim's insurance credentials. This scenario requires victims to contact the relevant insurer and request an Explanation of Benefits audit, steps the IdentityTheft.gov plan incorporates alongside standard credit bureau actions.

Child identity theft exploits the fact that minors have clean credit histories and Social Security numbers that may go unmonitored for years. Parents or guardians can use IdentityTheft.gov to initiate a credit freeze for minors under 16 at all three major bureaus at no cost, a right codified in the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018.

Account takeover fraud — where an existing financial account is hijacked rather than a new account opened — requires slightly different documentation. The victim's primary tasks are contacting the financial institution directly under Regulation E (for electronic fund transfers) or Regulation Z (for credit accounts), then using the FTC report to address any secondary credit bureau tradeline damage.

For broader context on how these enforcement mechanisms connect to FTC data security enforcement actions against companies whose breaches enable identity theft at scale, the two programs intersect when a corporate data exposure is the documented source of the theft.

Decision boundaries

The FTC identity theft program has defined limits that determine when victims must turn to parallel resources:

• Criminal prosecution is not within FTC jurisdiction. Referrals for prosecution go to the Department of Justice, U.S. Secret Service, FBI, or state attorneys general depending on the crime type and dollar amount.
• HIPAA violations arising from medical identity theft are handled by the HHS Office for Civil Rights (hhs.gov/ocr), not the FTC, though the FTC report remains useful for the insurance and credit components.
• Social Security Administration involvement is necessary when a Social Security number is compromised. The SSA's Office of Inspector General (oig.ssa.gov) handles misuse of SSNs in benefit fraud, a distinct track from the FTC's credit-focused recovery process.
• Immigration-related identity theft (e.g., unauthorized use of an SSN for employment eligibility) requires engagement with the Social Security Administration and potentially U.S. Citizenship and Immigration Services, beyond what IdentityTheft.gov addresses.
• The FTC program does not replace private legal action. Victims pursuing civil damages against creditors who fail to block fraudulent accounts under FCRA § 616 or § 617 must retain private counsel or contact a nonprofit legal aid organization.

The distinction between an FTC Identity Theft Report and a full Identity Theft Report (which adds a police report) is operationally significant. The FTC-only report triggers extended fraud alert rights and dispute letter support. The combined package — FTC report plus police report — activates the stronger FCRA § 605B blocking rights, which require credit bureaus and furnishers to act within the 4-business-day statutory window.