We have set our optional cookies. By clicking any link on this page you are giving your consent for us to do this. OR: leave cookies off Read about our cookies
NewsroomCareersContact Us

Subject Access Request

If an organisation has turned you down for a product, service or employment opportunity they might advise you to contact a credit reference agency and Cifas for more information about why your application has been declined.

There are a number of possible reasons for your application being declined, including:

To establish if your declined application is caused by something on your credit report, you can obtain a copy by contacting a credit reference agency. If you have a low credit score, you can ask the organisation who declined your application for a manual review and, if the decision remains unchanged, they will be able to tell you the reason why. 

Cifas is not a credit reference agency. We share information on confirmed frauds with our member organisations, including records of individuals who have committed fraud against one or more of those organisations. Find out more on our What is Cifas? page. 

To find out if you have been recorded to our database, you need to make a Subject Access Request – it will not show up on your credit report. We currently charge a £10 administration fee for a Subject Access Request. This is not refundable; even if it turns out we aren't holding any information about you. 

If you are looking to check whether you have been registered with us as a victim of fraud, you should check your credit report rather than make a Subject Access Request. Get in touch with any of the main credit reference agencies; your report will show Cifas 'victim markers' as well as lots of other useful information that will help you to spot if a fraudster is attempting to use your identity.

Victim markers – ‘Victim of Impersonation’ and ‘Victim of Takeover’ – remain in place for 13 months from the date of submission. Both will appear on credit reports.

Proof required for a Cifas warning

Before an organisation is able to place a warning about you on our database, they must be in a position to make a formal complaint to the police or other relevant law enforcement agency. They must have carried out checks of sufficient depth to satisfy this standard of proof. 
Typically, organisations will have found material falsehoods in the personal information supplied on an application, proposal or claim, or in the case of an account, policy or service, and will be able to demonstrate that the behaviour of the customer amounts to fraud. A criminal offence must be identifiable.

Cifas ‘first party fraud’ warnings remain in place for six years from the date of submission. Please note Cifas ‘first party fraud’ warnings will not appear on credit reports.

How to submit a Subject Access Request 

  1. Download and print a Subject Access Request form.
  2. Follow the instructions on the form.
  3. Post your completed form to:
    Consumer Affairs, Cifas
    6th Floor, Lynton House
    7-12 Tavistock Square
    WC1H 9LT

Unfortunately, we are unable to handle requests over email as we require originals of some documents in order to prove your identity before releasing information about you. We are required by law to respond to your request within 40 days of receiving a completed form, but we aim wherever possible to reply within a shorter timeframe.

Making a complaint

If you have received the results of a Subject Access Request and would like to make a complaint or dispute Cifas data recorded in your name, please follow the procedure outlined in your report, contacting the relevant organisations at the addresses provided.

Step One 

Formally complain to the organisation that registered the warning. If they uphold your complaint, they can remove the entry and it will be deleted from our system. In your email or letter of complaint to them, remember to:

•    Ask for the matter to be registered formally as a complaint;
•    Detail exactly what you're complaining about, including why you think the Cifas warning is unwarranted;
•    Include copies of any documents that support your case, and any correspondence you've received;
•    Keep copies of all your correspondence from this point.

In most cases, disputes are resolved at this stage. 

Step Two

If you are not satisfied with the organisation's response, ask them for a Final Response letter (if you haven’t received one), which confirms that they have investigated and that they are rejecting your complaint. 

Step Three

Share that letter with us and we will conduct an independent review on your behalf. Please include in your correspondence: 

We'll review your complaint with the organisation concerned and confirm whether it followed the right procedures. We aim to resolve all investigations within 14 days. We do not have the power to recommend financial awards but we will offer as much advice and guidance as possible. 

Further Steps

If, following our investigation, we believe the filing was correct, but you would like to continue disputing the case, the next step is to contact the relevant regulator or complaints scheme for the industry. 

In most of our cases the relevant scheme is the Financial Services Ombudsman but it does depend on the industry in question. For example, a case involving a telecoms company would be referred to the Communications and Internet Services Adjudication Scheme (CISAS). If you are not sure who to go to, just ask and our team will be able to direct you. 

If you're still not sure where to start, please send your complaint or enquiry to our Consumer Affairs Team and we will advise you. When contacting us, always include your name, current address (with postcode) and full details of your enquiry. Please do not send any identity documents or money unless we've asked you to.

Cifas and your data

We take the security of your data very seriously. Only trained staff within the organisations that share data through Cifas can access the data, and the database itself is hosted at a secure data centre, which has industry standard security software to prevent unauthorised access. Annual independent audits are undertaken to test the security, and the facilities are ISO 27001 accredited.


Latest blog posts