CIFAS Protective Registration UK 2026

What CIFAS actually is

CIFAS (Credit Industry Fraud Avoidance System) is the UK's largest cross-sector fraud-prevention database. It's a not-for-profit company that sits between fraud victims and the organisations most likely to be targeted with stolen identity: banks, building societies, telecoms providers, insurers, credit-card issuers, online lenders, government services. CIFAS member organisations contribute confirmed fraud cases to the shared database and query it when assessing new applications.

If you've ever opened a UK bank account, applied for a phone contract, or taken out a credit card, the firm checked you against CIFAS as part of their KYC process. When the CIFAS Protective Registration marker is on your record, every check returns "this person has flagged themselves as a fraud victim — apply enhanced ID verification".

The marker doesn't prevent applications. It triggers extra verification: the firm will likely ring you to confirm before opening the account, ask you to attend a branch with photo ID, or send a verification letter to your registered address. For your own legitimate applications this adds 1-3 days of friction; for a fraudster trying to use your identity, it's typically the moment the fraud is detected and stopped.

When you should apply

Apply for Protective Registration if any of these apply:

• You've been a victim of identity theft. Someone used your name, DOB, or address to open accounts, take out credit, or apply for services without your knowledge. The CIFAS marker stops further misuse.
• You've been scammed via a route where you gave personal details. Romance scams, phishing-based account-takeover attempts, fake-bank impersonation calls where you confirmed your DOB or address, fake-employer scams where you sent ID documents — any of these gave the scammer information they could use for downstream fraud.
• Your phone, email, or cloud account has been compromised. Once a scammer has access to your communications, they have the means to intercept verification codes — the cornerstone of identity fraud.
• You're in a confirmed data breach. Equifax 2017, MOVEit 2023, NHS contractor breaches, retailer breaches — anything where your name + DOB + email is now circulating. CIFAS Protective Registration mitigates the downstream risk.
• You've lost your wallet or had documents stolen. Especially driving licence, passport, NI number on a payslip — these enable identity fraud weeks or months later.
• A family member or co-resident has access to your details and you have reason to suspect misuse. Domestic abuse, coercive control, or estranged-family financial abuse all qualify. CIFAS doesn't ask intrusive questions about why — concern is sufficient.

How to apply — step by step

Step 1: Decide whether you qualify for the free version

The standard fee is £30. CIFAS waives the fee in cases of financial hardship — typically when you can show benefit recipient status, recent bereavement, or other vulnerability indicator. There's no formal proof requirement; mentioning the circumstance on the application form is sufficient and CIFAS will process the fee-waiver request. If in doubt, apply with the fee-waiver request — worst case they ask for the £30 later.

Step 2: Apply online

Go to cifas.org.uk/services/identity-protection-services/protective-registration. The online form asks for:

• Your full name and any previous names (e.g. maiden name)
• Date of birth
• All addresses for the past 6 years (CIFAS need historical addresses because fraudsters often use old addresses you've forgotten about)
• Phone number and email
• The reason you're applying (free text — write briefly: "I was the victim of a romance scam in March 2026; the scammer obtained my full name, DOB, and address — see Report Fraud NF12345678")
• Report Fraud reference if you have one (optional but speeds review)

Step 3: Verify your identity

CIFAS will either accept your application directly or request supporting evidence. Typical evidence requested:

• Driving licence or passport (scan both sides)
• Recent utility bill or bank statement showing your address
• Report Fraud or police crime reference number (if available)
• Any other evidence of the fraud (email confirmations, bank statement showing fraudulent transactions, etc.)

Upload through the secure form. Don't email evidence as attachments — scammers know fraud victims are sending sensitive docs to CIFAS and have set up phishing emails that look like CIFAS verification requests.

Step 4: Activation (24-48 hours)

You'll receive an email when the marker is live. From that point forward, every CIFAS-member organisation queries your name + DOB will see the protective marker. The marker stays for 2 years from activation date.

Step 5: Update your bank's contact details

Critical: after activation, your bank will be applying enhanced verification on any future "you" interaction. Make sure they have your current phone number and email — otherwise the protective marker locks YOU out of your own account. Call your bank, mention you've just registered for CIFAS Protective Registration, and confirm contact details on file.

What actually happens when a lender sees the marker

Behind the scenes, when an organisation runs a CIFAS check on your name and sees the Protective Registration marker, their internal process kicks in. Different firms have different procedures, but typical steps are:

• Outbound phone call to your registered number asking you to verify you authorised the application. If you say "no, I didn't apply for this", the application is immediately closed and CIFAS gets a confirmed-fraud submission for the attempted application — strengthening the system.
• Letter to your registered address with a verification code that you have to read back over the phone. This catches the case where the fraudster has changed the application address to a different one — your registered address still gets the letter.
• In-branch identity verification for higher-risk products (mortgages, large personal loans, business accounts). You attend with photo ID and proof of address.
• Two-factor enhanced authentication for online applications — combining biometric ID check, knowledge-based questions, and document upload.

From your own perspective doing a legitimate application: it adds 1-3 days of friction. From a fraudster's perspective: the application is dead the moment the verification phone call comes through to the real account holder.

Alternatives and complements

Notice of Correction at the three credit reference agencies

Free with Experian, Equifax, and TransUnion. A Notice of Correction is a short statement (max 200 words) that appears alongside your credit report. When a lender pulls your credit file, they see your statement. Most lenders' internal procedures require manual review of any application with an active Notice of Correction.

Apply at each CRA separately — there's no single multi-CRA application. See the credit-file freeze guide for the exact wording and process.

National Fraud Database (CIFAS NFD) — different beast

The CIFAS NFD is the data-of-record for confirmed fraud cases (the fraudsters' side). Protective Registration is the victim side. The two databases are linked — when a fraudster's application is rejected because of your Protective marker, the rejected application gets logged in the NFD against the fraudster's identifiers, helping catch them on future applications elsewhere.

Bank-specific fraud markers

Your bank can place an internal fraud marker on your account that triggers extra verification on any internal changes (PIN change, password reset, address change, large transfer). Ask your bank's fraud team to "place a high-friction marker on my account due to identity-theft risk". This is separate from CIFAS and complements it.

Telecoms-specific protection

SIM-swap fraud is the most common identity-fraud attack vector. Even with CIFAS, a determined attacker can SIM-swap your mobile and bypass SMS verification. Ask your network (Vodafone, EE, O2, Three) for a "port-out protection PIN" — an extra password required for any SIM changes. CIFAS covers some telecom providers but not all telecom procedures.

What CIFAS Protective Registration does NOT do

• Doesn't refund money already stolen. Protective Registration is forward-looking. For refunds, see PSR Mandatory Reimbursement.
• Doesn't prevent all fraud, just credit-application fraud. SIM-swap, phishing, account takeover via stolen password are not prevented — those need different defences.
• Doesn't tell you when an application has been blocked. CIFAS doesn't notify you when the marker fires. You only know if the fraudster's attempted application triggers a verification call to you. For visibility, sign up for free credit-monitoring with Experian or ClearScore in parallel.
• Doesn't expire your liability for genuine debts. If you had real debts before applying, the marker doesn't make them go away. It only affects new applications going forward.
• Doesn't cover non-CIFAS organisations. Most major UK firms are members but not all. International firms operating in the UK may not check CIFAS.

Renewal and removal

The marker auto-expires after 2 years. You can renew at any point in the final 30 days for another £30 / 2 years. You can also remove the marker early by emailing CIFAS — typically takes 5 working days. Some people remove it after a year if they have a lot of legitimate applications coming up (mortgage, multiple credit checks); others extend it indefinitely because they prefer permanent friction.

If you've recovered from the initial fraud event and the original threat has passed, there's no harm in letting the marker lapse. If you're still actively dealing with the aftermath (e.g. ongoing court proceedings, ongoing recovery), renew.

Frequently asked questions

Will my employer see the CIFAS marker?

Some employer background-check services use CIFAS data. For most roles this is irrelevant — the marker simply says "this person has been a fraud victim", not "this person is dishonest". For roles in financial services or government with security clearance, declare the marker proactively in the background-check questionnaire.

Can I have CIFAS Protective Registration AND a Notice of Correction at the CRAs?

Yes — they complement each other. CIFAS covers a wider range of organisations; CRA markers are seen by every credit check. Doing both gives near-comprehensive coverage. The combined cost is just the £30 CIFAS fee (CRA notices are free).

I applied for CIFAS but my bank still let a fraudulent application through. What do I do?

File a complaint with the bank citing the CIFAS marker. The bank's failure to apply enhanced verification on a CIFAS-flagged account is a clear breach of their CIFAS membership obligations. This gives you strong grounds for a Financial Ombudsman complaint if the bank refuses refund — FOS treats failure-to-apply-CIFAS-procedures as a significant adverse factor.

Does CIFAS Protective Registration work for non-UK applications?

No. CIFAS is UK-only. If a fraudster uses your stolen identity to apply for credit in another country, CIFAS doesn't help. For cross-border protection, contact the equivalent fraud-prevention body in that jurisdiction (US: a credit freeze with Equifax/Experian/TransUnion; EU: country-specific bodies like SCHUFA in Germany or BIK in Poland).

Is there a free alternative?

The three CRA Notice of Correction markers are free and provide significant but narrower coverage. For most users they're sufficient. CIFAS Protective Registration adds depth, especially for non-credit identity-fraud risk (e.g. someone opening a phone contract or insurance policy in your name).

Can companies refuse to do business with me because of the CIFAS marker?

No. The marker requires enhanced verification — it doesn't authorise refusal. If a firm refuses you a service citing CIFAS, that's a misuse of the system. Complain to the firm and CIFAS directly.

Frequently asked questions

What is CIFAS Protective Registration?

CIFAS Protective Registration is a marker placed on your name and date of birth in the CIFAS fraud-prevention database. CIFAS members — including every UK bank, building society, telecoms provider, and many insurance and credit firms — see the marker when running a check on you. They are required to apply enhanced identity verification before approving any credit application, account opening, or service activation in your name.

How much does CIFAS Protective Registration cost?

£30 for 2 years. There is no automatic renewal — you must reapply at the end of the 2-year period if you still want the protection. CIFAS waives the fee for vulnerable customers in financial hardship; mention this on the application form.

Who should apply for CIFAS Protective Registration?

Anyone who has been a victim of identity theft, anyone who's been a victim of a scam where personal details (name, DOB, address, NI number, mother's maiden name) were given to the fraudster, anyone whose phone or email has been compromised, anyone whose data is in a confirmed data breach (Equifax, MOVEit, NHS, etc.), or anyone with reasonable concern that their identity may be misused for credit applications.

Does CIFAS Protective Registration affect my credit score?

No. CIFAS is a fraud-prevention database, not a credit-scoring agency. The CIFAS marker is not visible to credit scoring algorithms and does not reduce your credit score. It does cause your own legitimate credit applications to take longer because lenders apply extra ID checks — but the application outcome is unchanged once your identity is verified.

What's the difference between CIFAS Protective Registration and a credit freeze?

A credit freeze (also called a Notice of Correction marker, free with Experian/Equifax/TransUnion) is a separate marker on the credit reference agencies themselves. CIFAS is a different database used by a wider range of organisations (banks, telecoms, insurance). For full protection most fraud victims do both: CIFAS Protective Registration AND a Notice of Correction with each of the three UK CRAs. Together they cover the credit-application and the wider fraud-prevention surfaces.

How long does CIFAS Protective Registration take to apply?

Online application: ~10 minutes. Activation: typically 24-48 hours after CIFAS confirms your supporting evidence. CIFAS will email you when the marker is live. Once live, all CIFAS members see it on the next credit check they run on your name.

Related scam guides

• Identity Theft Recovery Walkthrough — guided 6-step wizard producing a full recovery plan
• Freeze Credit File UK — Experian / Equifax / TransUnion freeze process
• PSR Mandatory Reimbursement Scheme — claiming a refund after authorised-push-payment fraud
• Identity Stolen UK — Recovery Guide — broader identity-theft response
• Credit Report After a Scam UK — checking your file for unauthorised entries
• I've Been Scammed UK — Next Steps