First: understand what CIFAS holds
CIFAS operates two main databases. The National Fraud Database (NFD) holds cases filed by member organisations when they believe fraud has occurred. The Protective Registration database holds records filed by individuals to protect themselves against identity fraud (you file this one yourself, voluntarily, if you think someone has stolen your identity).
You can hold a record on both, and checking them requires separate requests. Most people are concerned about the NFD, because that is where markers placed against you by banks and lenders sit.
Step 1: Request your Subject Access Report
Under UK GDPR, you have the right to request a copy of all personal data an organisation holds about you. CIFAS offers a Subject Access Request (SAR) service specifically for this.
Go to cifas.org.uk and navigate to the Subject Access Request section.
Complete the online form with your personal details: full name, date of birth, current and previous addresses for the last six years.
Submit proof of identity. Acceptable documents include a passport, driving licence or recent utility bill. CIFAS will specify the exact requirements on the form.
There is no fee. The request is free under GDPR. CIFAS is legally required to respond within 30 days.
You will receive a report detailing any records held against your details.
Step 2: Read the report
The report will tell you whether any cases are held against your details and, if so: the filing organisation, the type of marker (e.g., Misuse of Facility, Fraud by False Representation), the date the case was filed, and how long it is due to remain.
If the report comes back clear, you have no active CIFAS markers. If it shows a case, note the type and the filing organisation. You will need this information for any challenge.
How long do markers last?
Standard NFD markers last up to 6 years from the date of filing. Protective Registration lasts 2 years (renewable). Victim of Impersonation markers last 13 months. The specific retention period should be shown on your report.
Step 3: If there is a marker, contact the filing organisation first
CIFAS itself does not file markers. Individual member organisations file them. Your first step in challenging a marker is to contact the organisation that filed it and request an explanation under GDPR. Ask specifically: what information was used to reach the decision; what right of review or appeal exists; and what evidence would be needed to support a challenge.
Some organisations will review the case on request and, if they find the marker was placed incorrectly, will remove it themselves. The Financial Ombudsman Service has found in multiple cases that banks placed markers without making adequate inquiries first, and has directed removal. Starting with the organisation gives them the opportunity to correct this without escalation.
Step 4: Escalate to CIFAS's complaint process
If the filing organisation does not resolve your complaint, you can raise a formal complaint with CIFAS directly. Set out your case clearly: what happened, why you believe the marker is incorrect, and what evidence you have. Include any correspondence with the filing organisation.
CIFAS will review the case with the filing member. If they uphold your complaint, the marker will be removed or amended. If they do not, they will explain the basis for that decision and inform you of your further rights.
Step 5: Escalate to the ICO or Financial Ombudsman
If the CIFAS complaint process does not resolve your case, you have two further routes. The Information Commissioner's Office (ICO) oversees data protection rights and can investigate whether CIFAS or the filing organisation has complied with UK GDPR in processing your data. A complaint to the ICO is free.
The Financial Ombudsman Service (FOS) can review complaints against the financial institutions that are CIFAS members, in relation to the impact of a marker on your account or application. The FOS upholds around 31% of CIFAS-related complaints that reach it. If the FOS finds the marker was incorrectly placed, it can direct the institution to remove it and pay compensation.
What to document throughout
Keep records of everything from the start: the date of your SAR, the report you receive, every letter or email with the filing organisation, the dates of any calls (and what was said). Challenge processes can take months. Documentation is the difference between a case you can pursue and one you cannot.
If the marker was placed because your account was used to receive or move money by a third party, gather any evidence you have of the circumstances: messages, emails, anything that establishes you were acting without full knowledge of what was happening. The FOS has found in multiple cases that institutions failed to consider whether an account holder was themselves a victim before filing a marker.
While you are challenging
A challenge can take months, and a marker remains active during that time. Practically, you may want to look at basic bank account options (required to be offered by the nine largest banks regardless of CIFAS status), credit union membership, and any providers specifically willing to consider applications from people with fraud markers and a supporting explanation.
Building verified evidence of your current financial behaviour is also worth starting now. A record that shows responsible financial management in the period since the marker was placed is relevant both for institutions making decisions today and for any formal review of the marker itself. The more evidence you can show of your current behaviour, the stronger your position.