When you submit a Subject Access Request (SAR) to CIFAS, you will receive a response containing the data held about you on the National Fraud Database (NFD). Knowing how to read this document is essential before you can challenge any marker or take further action.
What CIFAS Will Send You #
CIFAS will typically send you a PDF or letter containing one or more of the following sections:
- Case Summary — The date the marker was filed, the CIFAS category (e.g. Misuse of Facility, Application Fraud), and the facility type (e.g. current account, credit card, personal loan)
- Recording Organisation — The name of the CIFAS member that submitted the marker (e.g. Barclays, HSBC, Nationwide)
- Data Fields — Your personal details as recorded: name, date of birth, address(es), email address, phone number
- Case Reference — The CIFAS internal case ID and the recording organisation’s reference
- Expiry Date — When the marker is due to be removed (6 years from the recording date for most markers)
Key Things to Check Immediately #
1. Is the marker category correct? #
Each CIFAS category has a specific definition under the CIFAS Handbook. Check whether the category matches the facts of what occurred. For example, if you were a victim of account takeover, you should see a Third Party Fraud marker — not a Misuse of Facility marker.
2. Is the personal data accurate? #
Check your name, date of birth, and address(es). If any data field is incorrect, you have a direct UK GDPR Article 16 right to rectification — this is one of the strongest grounds for a complaint.
3. Which organisation recorded it? #
Note the recording organisation carefully. Your formal complaint must go to that organisation first — not to CIFAS directly. CIFAS will refer you back to the member if you approach them first.
4. When was it recorded and when does it expire? #
The recording date is important: it determines both the 6-year retention period and when the underlying events are alleged to have occurred. If the recording date does not align with the events described, that is significant.
What the DSAR Does Not Contain #
Your CIFAS DSAR will not include:
- The full investigation file compiled by the recording organisation
- Witness statements, fraud analyst notes, or internal emails
- Details of why the specific category was chosen over another
To obtain this information, you must submit a separate SAR directly to the recording organisation (the bank or insurer named in the CIFAS response). Their investigation file is the key document you need to build a challenge.
Next Steps After Reading Your DSAR #
- Note any inaccuracies in personal data → grounds for immediate rectification request
- Identify the recording organisation → your complaint goes there first
- Submit a SAR to the recording organisation → request their full investigation file
- Cross-reference the marker category against the CIFAS Handbook definition → identify whether the standard was met
- Prepare a written complaint to the recording organisation → use the facts from both DSARs
