A credit privacy number, often shortened to CPN, is a nine-digit number marketed by sellers as an alternative to a Social Security number for use on credit applications. Sellers typically claim that the CPN is legal, that it allows a consumer with poor credit history to apply for credit using a fresh file, and that the number is protected by the Privacy Act of 1974 or by consumer-privacy law more generally. None of these claims is accurate. Using a CPN on a credit application is, in nearly every documented case, a federal crime.
The use of a fabricated nine-digit number in lieu of a Social Security number on a credit application implicates several federal statutes, including 18 U.S.C. § 1028 (identification document fraud), 18 U.S.C. § 1029 (access-device fraud), 18 U.S.C. § 1344 (bank fraud), and Section 619 of the Fair Credit Reporting Act (15 U.S.C. § 1681q), which makes it a federal crime to obtain a consumer report under false pretenses. The Federal Trade Commission has issued repeated consumer warnings about CPN scams, and the Consumer Financial Protection Bureau has issued enforcement actions against sellers.
This guide covers what CPNs actually are, the federal criminal statutes that apply when a CPN is used, the source of the nine-digit numbers that sellers distribute (often the Social Security numbers of children or deceased persons, which compounds the offense), why the claimed privacy-law protection does not exist, and the legitimate alternatives available to consumers who want to repair damaged credit.
What does a CPN seller typically claim?
CPN sellers typically claim some combination of the following: that the CPN is a legal alternative to the Social Security number; that the CPN is issued by the IRS or another federal agency; that the CPN can be used on credit applications, mortgage applications, and rental applications; that the Privacy Act of 1974 protects consumers from being required to disclose their Social Security numbers; and that the CPN program is available to consumers who have been victims of identity theft, who are in witness-protection programs, or who simply want privacy.
Every one of these claims is false or materially misleading. No federal agency issues CPNs. The Privacy Act of 1974 applies only to federal-government use of Social Security numbers and does not restrict private creditors. A consumer in witness protection is provided a legitimately reissued Social Security number through the Social Security Administration under specific statutory authority, not through a private seller. Victims of identity theft have specific Fair Credit Reporting Act protections that do not require a substitute number.
Where do CPN numbers actually come from?
The nine-digit numbers that CPN sellers distribute are not randomly generated. Most are Social Security numbers issued by the Social Security Administration that are either currently active (often belonging to children whose limited credit history makes the misuse harder to detect), recently deceased persons whose numbers appear in publicly available death-master-file data, or persons in temporary identity-protection programs. The Federal Trade Commission and the Social Security Administration's Office of the Inspector General have documented this sourcing pattern in repeated enforcement actions.
The practical consequence is that a consumer who purchases a CPN and applies for credit using that number is, in nearly every case, committing identity theft against a real person whose Social Security number has been resold to the consumer. The original person is the victim of the identity theft and has legal remedies against the consumer who used the number, in addition to the federal criminal exposure the consumer faces directly.
Why is using a CPN a federal crime?
Using a CPN on a credit, loan, mortgage, or rental application implicates multiple federal criminal statutes simultaneously. The act of obtaining a CPN under the pretense that it is a legitimate alternative identification number can constitute fraud in the inducement. The act of submitting the CPN on a credit application makes a false representation to the creditor, which violates the bank-fraud and wire-fraud statutes when the application is transmitted electronically. The use of the resulting credit constitutes federal access-device fraud under 18 U.S.C. § 1029.
Federal sentencing guidelines for these offenses include substantial prison terms (typically up to thirty years for the underlying fraud, with enhancements for aggravated identity theft adding a mandatory two years consecutive under 18 U.S.C. § 1028A), restitution to the true holder of the misused Social Security number, and forfeiture of any property acquired with the fraudulent credit. The Consumer Financial Protection Bureau has separately pursued civil enforcement actions against CPN sellers, and several federal courts have held that CPN purchasers are jointly liable with sellers for the resulting harm.
What about the Privacy Act of 1974?
The Privacy Act of 1974, codified at 5 U.S.C. § 552a, restricts federal agencies from requiring disclosure of a Social Security number except where required by statute. The Act does not apply to private creditors. A bank, credit-card issuer, mortgage lender, or landlord is permitted to require disclosure of a Social Security number under federal banking statutes and Internal Revenue Service requirements for tax reporting. The Privacy Act provides no basis for a consumer to refuse to provide a Social Security number to a private creditor.
CPN sellers frequently misrepresent the scope of the Privacy Act to consumers, sometimes citing the language about federal agencies as if it applied to all institutions. The misrepresentation is a separate basis for federal Fair Credit Reporting Act and consumer-protection liability against the sellers. Consumers who have been told that the Privacy Act allows the use of a CPN should understand that the legal foundation of the claim is fabricated.
Do CPNs ever work to obtain credit?
A CPN can in some cases be used to obtain credit, particularly with smaller creditors who do not verify Social Security numbers against the Social Security Administration's verification systems. The temporary success of the application does not change the underlying criminal nature of the conduct, and the eventual detection of the fraud is virtually guaranteed because the major credit bureaus do verify identity-related fields against multiple sources during the file-establishment process.
On detection, the creditor reports the fraud to the Federal Bureau of Investigation, the Secret Service (which has jurisdiction over financial-identity crimes), or local law-enforcement agencies. The consumer is identified through the documentary record of the application, the IP address of the submission, the bank-account routing used for any approved funding, and the physical address used for card delivery. The detection-to-arrest timeline can extend over months or years, but the eventual prosecution exposure is substantial.
What are the legitimate alternatives to a CPN?
Consumers with damaged credit have multiple legitimate paths to improvement. The most important is the dispute process under Section 611 of the Fair Credit Reporting Act, which allows the consumer to dispute inaccurate, outdated, or unverifiable information on the credit report. The CreditRefresh dispute walkthrough covers the procedure in detail. Inaccurate adverse items removed through a successful dispute disappear from the report without any need to substitute a new identity.
Additional legitimate paths include validation requests on collection accounts under Section 1692g of the Fair Debt Collection Practices Act, goodwill deletion requests to original creditors, secured credit cards and credit-builder loans for active rebuilding, and the natural seven-year removal of adverse information under Section 1681c of the Fair Credit Reporting Act. The CreditRefresh secured-card guide and the credit-builder-loan guide cover the rebuilding tools.
Are CPNs the same as EINs?
An Employer Identification Number (EIN) is a nine-digit federal tax identifier issued by the Internal Revenue Service to business entities. EINs are legitimate identifiers for the business activities of corporations, partnerships, and certain other business structures. A CPN seller occasionally claims that the CPN being sold is an EIN. The claim is false: EINs are issued only to business entities and are not interchangeable with Social Security numbers for personal credit applications.
A business owner with a legitimate EIN may apply for business credit using the EIN, and the resulting business credit history is generally separate from the owner's personal credit. Business credit is not a substitute for personal credit, and using a business EIN on a personal credit application is itself a misrepresentation that creates liability for the applicant. The EIN-CPN conflation is a separate variant of the same underlying scam.
What should a consumer do if approached by a CPN seller?
A consumer approached by a CPN seller should decline the offer, document the seller's contact information, and report the solicitation to the Federal Trade Commission and the Social Security Administration's Office of the Inspector General. The Consumer Financial Protection Bureau also accepts complaints about CPN solicitations through its general complaint portal. Documentation of the solicitation supports both the consumer's own legal protection (in case the seller later attempts to claim the consumer was complicit) and the broader enforcement effort against the seller.
Consumers who have already purchased a CPN but have not yet used it on a credit application should consult a licensed attorney before any further action. Federal criminal liability generally attaches at the point of use rather than at the point of purchase, so a consumer who stops short of submitting the CPN on an application may have a reduced exposure profile compared to one who has actually submitted the number. The attorney consultation is essential because the specific exposure depends on the precise sequence of events.
How does CreditRefresh approach a CPN-affected credit file?
CreditRefresh is an application that pulls a consumer's credit reports from all three nationwide bureaus through a secure, authorized data feed. The application uses the consumer's true Social Security number and identifying information. CreditRefresh cannot and does not work with CPNs, with any other substitute nine-digit numbers, or with credit files created under fraudulent identity. Consumers who have used a CPN on a credit application should consult a licensed attorney about the specific consequences before engaging any credit-repair tool.
For consumers operating under their true Social Security number, the application identifies inaccurate, outdated, or unverifiable information on each tradeline and drafts dispute correspondence under Section 611 of the Fair Credit Reporting Act. The consumer reviews each letter before approving submission. CreditRefresh does not provide attorney review or legal advice; consumers facing identity-fraud exposure should consult a licensed consumer-protection or criminal-defense attorney.
Why do CPN scams persist despite the legal exposure?
CPN scams persist because the sellers earn substantial revenue (typically a few hundred to a few thousand dollars per CPN sold) while the legal exposure falls primarily on the purchaser who uses the number. Sellers operate behind layers of anonymized online infrastructure, frequently change company names and websites, and rarely interact with purchasers in person. The asymmetry of exposure produces a stable scam economy in which sellers profit at the expense of vulnerable consumers facing credit difficulty.
The Federal Trade Commission and Consumer Financial Protection Bureau have brought enforcement actions against sellers, but the pace of new seller formation generally exceeds the pace of enforcement. The Federal Trade Commission consumer-alert series on CPN scams documents the enforcement history and the recurring pattern of seller claims.
Can a CPN be removed from a credit report?
If a CPN has been used on credit applications and the resulting tradelines have been reported to the bureaus under the CPN rather than the consumer's true Social Security number, the resulting credit file may exist as a 'fragmented file' that is not associated with the consumer's true identity in the bureau's records. Disentangling the fragmented file generally requires direct contact with each bureau's fraud-resolution department, with full documentation of the consumer's true identity and a sworn statement of the facts of the CPN use.
The procedural complexity is substantial, the consumer's federal criminal exposure may complicate the disclosure, and the bureau is under no obligation to merge a fraud-affected file back into the consumer's legitimate file. The path forward in any CPN-affected case requires legal counsel and a careful evaluation of disclosure consequences. A consumer in this position should not attempt to resolve the situation independently through standard Section 611 disputes.
Are there state laws against CPN sales specifically?
Several states have enacted statutes that target CPN sales as a specific offense, in addition to the general federal-fraud statutes that apply. California Penal Code Section 530.5, Texas Penal Code Section 32.51, and similar provisions in roughly two dozen other states make it a state criminal offense to use the personal identifying information of another person without consent to obtain credit, goods, or services. The CPN-sale transaction, when it involves the resale of a real person's Social Security number, falls squarely within these state statutes.
State enforcement is in addition to, not in lieu of, federal enforcement. A consumer who uses a CPN in any state that has enacted identity-misuse statutes faces concurrent state and federal exposure, and the federal exposure cannot be eliminated by resolving the state matter. Several states have also enacted civil-remedy provisions that allow the true holder of a misused Social Security number to recover damages directly from the consumer who used the number, separately from any criminal prosecution.
How does CPN use affect future credit applications?
A history of CPN use creates ongoing problems for future credit applications, even after the original CPN use has stopped. A creditor that detects the prior CPN use during a subsequent application will typically deny the application and may file a Suspicious Activity Report with the Financial Crimes Enforcement Network, which adds the consumer's identifiers to financial-industry fraud-screening databases. The resulting denials cascade across institutions for an extended period, often several years.
Consumers who have used a CPN in the past and want to clear the resulting application history should consult a licensed attorney about the disclosure path. The CreditRefresh guide on identity theft and credit reports covers the parallel situation in which the consumer is the victim rather than the user of misappropriated identification; the procedural mechanics are similar in some respects but the legal exposures are different.
How can a consumer verify that a credit-repair service is legitimate?
Legitimate credit-repair services operate within the boundaries of the Credit Repair Organizations Act (CROA), codified at 15 U.S.C. §§ 1679 through 1679j, which requires written contracts, a three-day cancellation window, no payment in advance of services performed, and a prohibition on advising consumers to make false statements to credit bureaus or creditors. Any service that offers to create a 'new credit identity,' that sells CPNs or other substitute identification numbers, or that recommends false statements on credit applications is operating outside the boundaries of federal consumer-protection law.
Three verification steps help confirm whether a credit-repair service is legitimate. The first is a written contract that complies with CROA disclosure requirements, including the consumer's three-day cancellation right. The second is the absence of any advance-payment requirement; CROA prohibits payment before services are performed. The third is the absence of any reference to CPNs, EINs used as Social Security number substitutes, or 'new credit files'; legitimate services work with the consumer's true Social Security number and existing credit file.
This article is for educational purposes only and does not constitute legal or financial advice. The Fair Credit Reporting Act and related regulations are complex, and outcomes depend on individual circumstances. Consumers with specific questions about their credit reports or rights under federal law should consult a licensed attorney or contact the Consumer Financial Protection Bureau directly.
