What to Do If You Have a CIFAS Marker You Don't Understand

CIFAS is a UK not-for-profit membership organisation that operates the National Fraud Database (NFD). It functions as a reciprocal data-sharing system: when a member organisation suspects fraudulent activity linked to an individual, it can place a fraud risk record — commonly called a "CIFAS marker" — on that individual's file. That marker is then visible to all other CIFAS member organisations whenever the individual applies for a financial product or service.

CIFAS has over 700 member organisations. These span banking, building societies, insurance, telecommunications, retail, and the public sector. CIFAS is designated as a Specified Anti-Fraud Organisation (SAFO) under section 68 of the Serious Crime Act 2007, which allows certain public authorities to disclose information to CIFAS for fraud prevention purposes, subject to statutory conditions.

This article explains what CIFAS markers are, how they are recorded, how long they last, and what processes exist for querying or challenging them.

A CIFAS marker is a fraud risk record held on the National Fraud Database. It is placed either by a CIFAS member organisation that suspects fraud, or by an individual who wants protective registration. Most markers last up to six years, though protective and victim markers have shorter durations. CIFAS markers are not the same as criminal records and do not appear on standard DBS checks.

Only victim markers (Victim of Impersonation and Victim of Takeover) appear on credit reports from credit reference agencies. All other marker types are held on the National Fraud Database and can only be discovered by submitting a free Data Subject Access Request (DSAR) directly to CIFAS.

If a marker has been recorded, the individual can complain to the member organisation that placed it, request an independent review by CIFAS, and — where the organisation is a regulated financial firm — escalate the matter to the Financial Ombudsman Service.

The National Fraud Database operates on the principle of reciprocity. Member organisations both contribute data to and draw data from the database. When an individual applies for a product or service from any CIFAS member, that member can check the NFD for existing markers. CIFAS states that, on average, new fraud risk cases are added to the database at frequent intervals (often cited as around every 90 seconds).

CIFAS members must operate within the terms of the National Fraud Database Handbook, which sets out eight Principles of use:

1. Reciprocity — members both share and receive data.
2. Purpose Limitation — data is used only for fraud prevention.
3. Transparency — individuals must be able to find out what is held about them.
4. Lawfulness (including Standard of Proof) — markers must meet a defined evidential threshold.
5. Fairness (Proportionality and Protection) — the response must be proportionate.
6. Accuracy — data must be correct and kept up to date.
7. Integrity (Security) — data must be held securely.
8. Data Minimisation — only necessary data should be processed.

These Principles are explicitly aligned with the requirements of UK data protection legislation, specifically the UK GDPR and the Data Protection Act 2018. The Information Commissioner's Office (ICO) has access to audit and inspect data sharing arrangements between public authorities and CIFAS as a condition of its SAFO status.

The Standard of Proof

Before a member organisation can record a CIFAS marker, the CIFAS Standard of Proof (Principle 4) must be met. This requires four conditions to be satisfied:

1. There must be reasonable grounds to believe that fraud or financial crime has been committed or attempted.
2. The evidence must be clear, relevant, and rigorous.
3. The conduct must fit one of the recognised CIFAS case types.
4. The organisation must have rejected, withdrawn, or terminated a product as a result of fraud (unless it was obliged to provide the product, or the benefit had already been received).

This standard is central to the legitimacy of any marker. It is the benchmark used by the Financial Ombudsman Service when adjudicating complaints about CIFAS markers placed by regulated firms.

Marker Types and Retention Periods

There are several recognised CIFAS marker types. Each serves a different purpose and has a defined retention period, after which the marker is automatically deleted with no action required from the individual.

Markers lasting up to 6 years:

• First-Party Fraud: Recorded when a customer fails to pay for goods or services with no intention of repaying.
• Application Fraud: Recorded when an application is made using correct personal details but false supporting information.
• Insurance Claims Fraud: Recorded when false information is provided in an insurance claim.
• Facility Takeover: Recorded when an account is taken over and used for unauthorised transactions.
• Asset Conversion: Recorded when hired, rented, or leased goods are illegally sold. This most commonly involves motor vehicles.
• Misuse of Facility: Recorded when an individual's account is used for fraudulent activity, such as money laundering.

Markers with shorter durations:

• Victim of Impersonation: A protective marker placed by a lender when an individual has been a victim of identity fraud. Duration: 13 months. This is not an adverse marker.
• Victim of Takeover: Also a protective marker. Duration: 13 months.
• Protective Registration: A voluntary marker that an individual can request when they believe they are at risk of fraud. Duration: 2 years. This is the only marker type initiated by the individual rather than a member organisation. The cost is £30.

Visibility on Credit Reports

Only the victim markers — Victim of Impersonation and Victim of Takeover — appear on credit reports obtained from credit reference agencies. All other CIFAS marker types are held only on the National Fraud Database. To find out whether any other type of marker exists, an individual must submit a Data Subject Access Request directly to CIFAS.

Key Timelines

• DSAR response: CIFAS must respond within one calendar month of receiving a fully completed form and supporting documentation.
• Firm complaint response: Under FCA Handbook DISP 1.6.2R, regulated financial firms must issue a final response within 8 weeks (56 days) of receiving a complaint. If the firm cannot meet this deadline, it must explain the delay and inform the complainant of their right to refer the matter to the Financial Ombudsman Service.
• CIFAS independent review: CIFAS aims to complete independent reviews promptly, often within a few weeks, though complex cases may take longer.
• FOS referral deadline: A complaint must be lodged with the Financial Ombudsman Service within 6 months of the date on the firm's final response letter, as set out in DISP 2.8.2R.
• Automatic marker deletion: Markers are automatically removed once their retention period expires. No action is required from the individual.

"A CIFAS marker is the same as a criminal record."

It is not. CIFAS markers are fraud risk records held on a private database. They do not appear on criminal records and do not appear on standard Disclosure and Barring Service (DBS) checks.

"I can see all CIFAS markers on my credit report."

Only victim markers appear on credit reports from credit reference agencies. Other marker types are held solely on the National Fraud Database. The only way to find out what is held is by submitting a free DSAR to CIFAS.

"CIFAS placed a marker on my file."

CIFAS itself does not place markers (except in the case of Protective Registration, which the individual requests). Markers are placed by CIFAS member organisations — the bank, insurer, or other entity that identified the suspected fraud. CIFAS maintains the database and sets the rules, but it is the member that makes the decision to record a marker.

"I can complain to the Financial Ombudsman about CIFAS."

The Financial Ombudsman Service cannot consider complaints against CIFAS itself. FOS can only adjudicate complaints about regulated financial businesses. If a bank placed a marker, the complaint is against the bank, not against CIFAS.

"A CIFAS marker will never go away."

All markers have defined retention periods. Most adverse markers last up to 6 years and are then automatically deleted. Victim markers last 13 months. Protective Registration lasts 2 years.

Employment screening

While CIFAS markers do not appear on standard DBS checks, employers in financial services and certain regulated sectors may conduct CIFAS checks as part of pre-employment screening, subject to the employer's lawful basis and the individual's role. CIFAS operates a separate Enhanced Internal Fraud Database (formerly the Staff Fraud Database) specifically for employment-related fraud screening. This is distinct from the National Fraud Database.

Business bank accounts

Complaints about CIFAS markers on business bank accounts and certain financial products may fall outside the jurisdiction of the Financial Ombudsman Service. In limited circumstances, referral to the Business Banking Resolution Service (BBRS) may be relevant, though BBRS eligibility criteria are strict and time-limited. This area involves complexity and variation, and the scope of FOS jurisdiction in business banking contexts is not straightforward.

FOS compensation limits

The FOS compensation limit — which varies by date of the complaint and is periodically updated by the FCA — was £430,000 for complaints about acts or omissions occurring from 1 April 2024. FOS decisions are binding on firms but not on the individual complainant — meaning the complainant retains the option of pursuing the matter through other routes if they do not accept the FOS decision.

The FOS cannot consider all marker-related complaints. FOS rules prevent consideration of many cases involving business bank accounts, markers relating to applications for financial products, or accounts opened without the person's knowledge. The boundaries of what FOS can and cannot look at in this area are not always clear-cut.

When a CIFAS marker is recorded against an individual, it becomes visible to all CIFAS member organisations. This means that when the individual applies for a product or service from any member — whether a bank account, mobile phone contract, insurance policy, or loan — that member will see the marker during its checks. The marker does not automatically prevent the application from being processed, but it does flag a fraud risk that the member organisation will assess according to its own policies.

The process for discovering what is held begins with a DSAR to CIFAS. This is free of charge. CIFAS requires the following documentation: full name, date of birth, address history for the last six years, contact details, and at least two proofs of identity (such as a passport or driving licence, along with a bank statement or utility bill). CIFAS must respond within one calendar month of receiving the completed form and documentation.

If an individual believes a marker has been incorrectly placed, the formal route begins with the member organisation that recorded it. If that organisation is a regulated financial firm, it must follow the FCA's DISP complaint-handling rules, including issuing a final response within 8 weeks. If the complaint is not upheld, the firm must issue a Final Response Letter (FRL). The individual can then request an independent review by CIFAS — though a DSAR must have been completed before CIFAS will consider a complaint — and, if the complaint relates to a regulated firm, refer the matter to the Financial Ombudsman Service within 6 months of the date on the final response letter.

CIFAS's independent review examines whether the member organisation followed the correct procedures when recording the marker. CIFAS does not have the power to make financial awards.

• Organisation: CIFAS is a not-for-profit organisation operating the National Fraud Database, with over 700 member organisations.
• Types: Markers are fraud risk records placed by members when fraud is suspected, or by individuals seeking Protective Registration.
• Duration: Most adverse markers last up to 6 years. Victim markers last 13 months. Protective Registration lasts 2 years.
• Visibility: Only victim markers appear on credit reference agency reports. A free DSAR to CIFAS is required to discover other marker types.
• Standards: Markers must meet the CIFAS Standard of Proof before they can be recorded.
• Process: Complaints follow a defined route: member organisation first, then CIFAS independent review, then (for regulated firms) the Financial Ombudsman Service.
• Employment: CIFAS markers are not criminal records and do not appear on standard DBS checks, though separate CIFAS employment screening databases exist.