Expanding Services To Reach Victims of Identity Theft and Financial Fraud
Publication Date: October 2010
NCJ 230590
Office of Justice Programs, Office for Victims of Crime

Identity Theft and Financial Fraud

Federal Identity Theft Laws

Legislative efforts to create federal identity theft laws must balance the competing needs of victims, government agencies, and businesses, yet stay flexible enough to anticipate future identity crime issues.

Prior to 1998, crimes that would now be considered identity theft were charged under "false personation" statutes, which go back to the late 19th century. False personation can be defined as "the crime of falsely assuming the identity of another to gain a benefit or avoid an expense."

It wasn’t until Congress passed the Identity Theft and Assumption Deterrence Act of 1998 that identity theft was officially listed as a federal crime. The act strengthened the criminal laws governing identity theft. Specifically, it amended 18 U.S.C. § 1028 ("Fraud and related activity in connection with identification documents") to make it a federal crime to—

knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law. (See

The Identity Theft and Assumption Deterrence Act accomplished four things:

  • It made identity theft a separate crime against the individual whose identity was stolen and credit destroyed. Previously, victims had been defined solely by financial loss and often the emphasis was on banks and other financial institutions, rather than on individuals.

  • It established the Federal Trade Commission (FTC) as the Federal Government’s one central point of contact for reporting instances of identity theft by creating the Identity Theft Data Clearinghouse.

  • It increased criminal penalties for identity theft and fraud. Specifically, the crime now carries a maximum penalty of 15 years imprisonment and substantial fines.

  • It closed legal loopholes, which previously had made it a crime to produce or possess false identity documents, but not to steal another person’s personal identifying information.

Over time, state legislative bodies also started to pass laws that helped victims, and these laws ended up being the basis for many national laws years later. As most crimes are prosecuted on the state level, these laws came to have a significant positive impact on victims.

Other federal laws have been enacted to address the growing complexities surrounding identity theft and fraud. These include the following:

Fair Debt Collection Practices Act (FDCPA)
The Fair Debt Collection Practices Act (15 U.S.C. §§ 1692-1692p, as amended by Pub. L. 109-351, §§ 801-02, 120 Stat. 1966) prohibits debt collectors from using unfair or deceptive practices to collect overdue bills that a creditor has forwarded for collection.

Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA) of 2003
FCRA is the law governing the accuracy and privacy of credit reports. FACTA amended the Fair Credit Reporting Act in 2003 to strengthen and add to the protections for victims of identity theft. These laws require consumer reporting agencies (CRAs) and creditors to help victims recover from identity theft, and allow consumers to place alerts on their credit files if they are or believe they may become victims of identity theft (fraud alerts). Consumers have the right to dispute inaccurate information, and CRAs and creditors must investigate the claim and correct information if it is inaccurate. The laws also entitle consumers to a free credit report once per year from each of the three credit reporting agencies. As part of the responsibilities under FACTA, the Federal Trade Commission and the federal financial agencies established "Red Flag Rules" requiring creditors and financial institutions to establish programs designed to address identity theft.

Identity Theft Penalty Enhancement Act of 2004
This act (Pub. L. 108–275 § 1028A) establishes penalties for "aggravated" identity theft, which is using the identity of another person to commit felony crimes, including immigration violations, theft of another’s Social Security benefits, and acts of domestic terrorism.

Identity Theft Enforcement and Restitution Act of 2008
This act amends 18 U.S.C. § 3663(b) to make it clear that restitution orders for identity theft cases may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft. The new law also allows federal courts to prosecute when the criminal and the victim live in the same state. Under previous law, federal courts only had jurisdiction if the thief used interstate communication to access the victim’s PII.

Federal Privacy Laws

Driver’s Privacy Protection Act of 1994
The Driver’s Privacy Protection Act puts limits on disclosures of personal information in records maintained by state departments of motor vehicles.

Family Educational Rights and Privacy Act of 1974
The Family Educational Rights and Privacy Act puts limits on the disclosure of educational records maintained by agencies and institutions that receive federal funding.

Gramm-Leach-Bliley Act of 1999
The Gramm-Leach-Bliley Act (Pub. L. 106-102, 113 Stat. 1338) includes a Financial Privacy Rule, which requires financial institutions to provide consumers with a privacy notice when the consumer relationship is established and annually thereafter. The privacy notice must explain what information the institution collects about the consumer, where that information is shared, how it is used, and how that information is protected. The notice must also identify the consumer’s right to opt out of the information being shared with unaffiliated parties and notify him or her if the privacy policy changes.

Health Information Portability and Accountability Act of 1996
The privacy rule regulates the security and confidentiality of patient information. The U.S. Department of Health and Human Services published a final Security Rule in February 2003, which sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information.