FinCEN and Banking Agencies Issue Joint Advisory on Non-Work-Authorized Populations and ITIN-Based Account Due Diligence

On June 5, 2026, the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”), jointly with the Federal Deposit Insurance Corporation (“FDIC”), the Office of the Comptroller of the Currency (“OCC”), and the National Credit Union Administration (“NCUA”) (collectively, the “Agencies”), and in coordination with the Internal Revenue Service (“IRS”), issued an advisory addressing the unlawful employment of individuals without a valid work authorization and the associated risks to the US financial system (the “Advisory”).

The Advisory is the first concrete deliverable under President Donald Trump’s May 19, 2026 Executive Order, Restoring Integrity to America’s Financial System (the “Executive Order”), which we covered in a prior Legal Update. This Legal Update provides background on the Advisory, summarizes its key elements—including the typologies it describes, its treatment of Individual Taxpayer Identification Number (“ITIN”) use as a risk factor, and its red flag and reporting instructions—and discusses the implications for banks, non-bank financial institutions, and the fintechs that rely on them. It also notes a parallel statement issued by the Consumer Financial Protection Bureau (“CFPB”) the same day.

Background

The Executive Order directed the Secretary of the Treasury to issue, within 60 days, a formal advisory describing “red flags and typologies” of suspicious activity associated with non-work-authorized populations and their employers. The Advisory delivers on that mandate well ahead of the mid-July 2026 deadline.

The Advisory is framed as part of a “whole-of-government” effort and aligns with FinCEN’s existing AML/CFT National Priorities of fraud, terrorist financing, drug trafficking organization (“DTO”) activity, transnational criminal organization (“TCO”) activity, and human trafficking and smuggling.

What the Advisory Describes

The Advisory identifies identity theft and payroll fraud as the two principal mechanisms complicit employers use to conceal the hiring of unauthorized workers.

In the identity theft typology, unauthorized workers use the Social Security numbers (“SSNs”) and other personal information of US citizens, lawful permanent residents, and other individuals with employment authorization to complete the Form I-9 (Employment Eligibility Verification) requirement and to fraudulently access wages, benefits, financial services, and credit.

In the payroll fraud typology, employers make off-the-books cash payments and maintain “two sets of books” to evade federal and state payroll taxes and workers’ compensation premiums—frequently using complicit labor brokers and shell companies (often unregistered money services businesses, or “MSBs”) and structuring or “microstructuring” payments below Bank Secrecy Act (“BSA”) reporting thresholds. These shell-company accounts are commonly opened using a foreign passport or an ITIN, and brokers may use a Commercial Mail Receiving Agency in place of a real business address to evade Customer Identification Program (“CIP”) requirements.

Two data points underscore why Treasury is treating this as a priority. FinCEN reports that financial institutions filed more than $2.5 billion in suspicious activity associated with payroll tax fraud schemes in 2025 alone. In a case study the Advisory highlights, two Honduran nationals were sentenced in April 2026 for a years-long off-the-books payroll scheme—cashing roughly $89 million in checks—that caused a loss of more than $38 million to the United States.

The TCO and Money-Laundering Nexus

The Advisory’s repeated references to money laundering and TCOs are significant and track stated Administration priorities. FinCEN explains that complicit labor brokers may use shell companies not only for off-the-books payroll but also to launder money for DTOs and TCOs as part of broader, global money laundering networks. Several TCOs have been designated as Foreign Terrorist Organizations (“FTOs”), and the Advisory warns that unlawfully obtained wages and financial system access can finance their enterprises, including drug and human trafficking. In practical terms, it positions routine payroll- and identity-fraud reporting as an intelligence input into the Administration’s cartel- and fentanyl-focused enforcement agenda.

Enhanced Due Diligence for ITINs

The element of greatest practical consequence is the Advisory’s treatment of ITINs in the customer onboarding context. Under the CIP rule, banks and certain other financial institutions must form a reasonable belief that they know the true identity of each customer and collect an identifying number;¹ for non-US persons, that identifying number may include a taxpayer identification number, passport number and country of issuance, alien identification card number, or another government-issued document number and country of issuance. An ITIN is a nine-digit, IRS-issued taxpayer identification number available to resident and nonresident aliens who are not eligible for an SSN, solely for federal tax purposes. It does not evidence lawful status, authorize work, or serve as identification outside the federal tax system. ITINs are widely and legitimately used for tax compliance.

Notwithstanding that legitimate use, the Agencies state that banks’ use of an ITIN in the customer onboarding context in lieu of an SSN or valid employment authorization document “may be identified as a risk factor requiring enhanced due diligence,” and express “particular[] concern[]” about the use of an ITIN to obtain credit products or open depository accounts where the applicant lacks verified legal presence. The Agencies “encourage” banks to assess, in light of the totality of available information, whether ITIN use is a relevant risk factor when developing customer risk profiles and conducting ongoing monitoring. Separately, where an institution has risk-based concerns about an SSN’s authenticity, FinCEN encourages verification against Social Security Administration

Although the Advisory is framed in the permissive language of “encouragement” and reiterates that no single red flag is determinative, and that the indicators “do not convey or alter any independent regulatory obligations or supervisory expectations,” the combination of the “particular concern” framing and the express linkage to ITIN-based credit and deposit accounts leaves institutions potentially limited room to reach a contrary, risk-based conclusion. Institutions should anticipate that examiners will expect ITIN use to be addressed explicitly within customer due diligence (“CDD”) and enhanced due diligence frameworks. A financial institution may still conclude, based on the totality of facts and circumstances, that a particular customer presenting an ITIN does not warrant enhanced due diligence, but it should carefully document that risk-based rationale and be prepared to explain it. Operationally, that may mean ensuring ITIN status is captured as a potential input to customer risk scoring, onboarding, and credit underwriting review. Affected institutions should begin scoping that work now rather than awaiting the further rulemakings described below.

Red Flags and SAR Reporting

The Advisory sets out 18 red-flag indicators organized around individual customers and large and small companies in the targeted industries, many of which are carried forward from FinCEN’s 2023 notice on payroll tax evasion and workers’ compensation fraud in the construction sector. The indicators focus on mismatches or concerns with SSNs, use of ITINs or non-US passports in high-risk employment contexts, unusually large or repetitive cash withdrawals or check cashing, payroll activity inconsistent with the customer’s profile, limited payroll tax activity, shell company characteristics, and use of Commercial Mail Receiving Agencies rather than a business address. FinCEN cautions that no indicator is dispositive in isolation, and that institutions should weigh the totality of the facts and circumstances.

Institutions that file a suspicious activity report (“SAR”) in connection with this activity are requested to include a specified identifier in the SAR filing. FinCEN also encourages tips about complicit employers to ICE and highlights its BSA whistleblower program.

The CFPB’s Parallel Ability-to-Repay Statement

On the same day, the CFPB issued a statement, “Ability to Repay and Immigration Status,” reminding creditors that the Truth in Lending Act and Regulation Z require an assessment of the consumer’s ability to repay before offering mortgage loans and certain open-end credit products and creditors may under certain facts be obligated to consider information indicating that a borrower’s repayment ability could change due to immigration status, including reliance on an ITIN as a possible indicator of removal risk. As guidance, the statement has no binding legal effect, but it reinforces the same ITIN-as-risk-signal from federal regulators on the consumer lending side.

Recommended Next Steps

The Advisory does not impose new legal obligations, but the supervisory and enforcement posture it reflects is unmistakable: a coordinated, multi-agency framing, explicit references to conduct of “particular concern,” and an explicit nexus to TCO/FTO financing all signal that Treasury intends to scrutinize how financial institutions detect, monitor, and report ITIN-linked account activity and payroll fraud typologies associated with unauthorized employment. Institutions should evaluate relevant aspects of their AML compliance programs in light of the Advisory. With CDD and CIP rulemakings expected in the coming months, what agencies currently frame as “encouragement” may soon harden into regulatory expectation or an outright requirement. The following guidance addresses key considerations for affected financial institutions.

1. Document ITIN risk-based rationale now. Most institutions already capture ITIN status during onboarding and risk scoring. However, the Advisory’s “particular concern” framing means an institution may be required to articulate how it concluded a customer who presented an ITIN did not warrant enhanced due diligence, such as documenting the factors weighed (e.g., account purpose, source of funds, and consistency of activity with the customer profile). Institutions should also consider whether their written policies reflect this approach and whether existing risk-scoring models adequately weigh ITIN-related indicators.
2. Understand the limitations of Social Security numbers. A bank cannot determine lawful immigration status solely from the fact that a customer presented an SSN. The Social Security Administration issues SSNs to foreign nationals with temporary work authorization, and in limited cases to those applying for certain government benefits. Cards issued in these circumstances carry restrictive legends, but the duration of work authorization is not indicated on the card, and the number remains assigned regardless of any later change in work authorization or immigration status.
3. Consider the use of available identity verification tools to address fraud concerns. The SSA’s Consent-Based SSN Verification service confirms whether the SSN holder’s name, date of birth, and SSN match SSA records. Commercial services can also provide general information about an SSN, such as issuance location, year issued, and whether the number is valid.
4. Ensure enhanced procedures do not create fair lending exposure. The Advisory does not direct banks to request immigration documentation from customers. Institutions that choose to adopt additional verification procedures or apply enhanced scrutiny to ITIN-based accounts should ensure those measures are consistently applied across similarly situated customers, grounded in a written compliance policy, and structured to avoid discrimination claims under fair lending laws.
5. Prepare for increasing coordination among regulators. The Advisory signals that financial regulators, tax authorities, and immigration enforcement agencies are sharing information and coordinating enforcement in ways that connect bank compliance with worksite compliance. Both financial institutions and employers should consider whether their existing controls are sufficiently integrated to withstand scrutiny from multiple agencies simultaneously.

¹ The CIP rule applies to banks and certain other financial institutions, such as broker-dealers, futures commission merchants, and introducing brokers in commodities. Certain other financial institutions, such as money transmitters, are not subject to a formal CIP rule but address customer identification as part of a risk-based AML program. All of these institutions are subject to suspicious activity reporting requirements.