FinCEN issues joint advisory with 18 red flags and a SAR key term for payroll-fraud and identity-theft schemes involving unauthorized workers
Financial institutions' AML and suspicious-activity-monitoring teams must incorporate FinCEN's 18 red flag indicators for payroll-fraud and identity-theft schemes involving unauthorized workers, apply enhanced due diligence to ITIN-based account and credit applications, and file SARs using the key term 'FINANCIALINTEGRITY-2026-A002'.
Change
On 5 June 2026, FinCEN — jointly with the FDIC, OCC and NCUA and in coordination with the IRS — issued an advisory providing 18 red flag indicators to help financial institutions detect and report payroll-fraud and identity-theft schemes connected to the unlawful employment of non-work-authorized individuals, encouraging enhanced due diligence on Individual Taxpayer Identification Number (ITIN) use and requesting that related Suspicious Activity Reports carry the key term 'FINANCIALINTEGRITY-2026-A002'.
Why it matters
The advisory translates a specified set of typologies — labor brokers operating shell companies and unregistered money services businesses, ITIN- or foreign-document-based account opening, and untaxed wage disbursement via cash couriers, checks and peer-to-peer platforms — into 18 red flag indicators that financial institutions are expected to fold into transaction monitoring and suspicious-activity detection. Because it is a joint advisory issued with the banking regulators and carries a designated SAR key term, it functions as a monitoring and reporting expectation against which institutions' AML/CFT programs can be examined, not merely informational guidance. It also directs banks to treat ITIN use, when presented in place of a Social Security number or valid employment authorization for account opening or credit, as a potential risk factor within risk-based customer due diligence.
Implications
- — Financial institutions' AML and suspicious-activity-monitoring teams must incorporate the 18 red flag indicators into transaction-monitoring and detection logic to identify payroll-fraud, shell-company and identity-theft typologies described in the advisory, and file Suspicious Activity Reports using the key term 'FINANCIALINTEGRITY-2026-A002' in SAR field 2 and the narrative.
- — Customer due diligence and onboarding functions must treat the use of an Individual Taxpayer Identification Number in place of a Social Security number or valid employment authorization, when opening an account or obtaining credit, as a potential risk factor within risk-based CDD, alongside other available information.
- — AML/CFT programs across the covered institution types — depository institutions, money services businesses, casinos, insurers, mortgage companies and brokers, precious-metals and jewelry dealers, and securities and futures firms — must reflect these typologies in their monitoring and escalation, given the advisory was issued jointly with the FDIC, OCC and NCUA and is subject to supervisory examination.
See full brief
Use 1 free preview to unlock implications, who’s affected, what to watch, and Clarify for this brief.
2 free previews left this month · Resets 1 Jul
Source