- Key insight: Banks will not be required to confirm customers' citizenship status as part of the executive order, as some had feared, but new guidance on tagging undocumented worker red-flags may still shape compliance expectations in practice.
- Expert quote: "Once Fincen and the prudential regulators publish specific red flags and SAR-filing instructions, banks know those materials can become reference points in exams, enforcement reviews, and internal audits." — Anisha Steephen, former senior advisor at the Treasury Department.
- Forward look: How examiners interpret the guidance may prove crucial in determining how much of a compliance burden the guidance ultimately will be — and whether banks avoid that burden by dropping clients that look risky.
Banks were relieved when regulators scrapped customer citizenship verification in a recent guidance document issued as part of a May executive
But while the guidance is far more manageable than some had feared, experts and industry observers worry it could still create new pressures on institutions, particularly small ones.
The
Anisha Steephen, a former senior advisor at the Treasury Department under the Biden administration and current fellow at the Roosevelt Institute, said that even though the advisory may not impose explicit new requirements, banks may nevertheless feel pressure to adjust monitoring systems, revisit customer due diligence procedures and prepare to justify those decisions to examiners — at a time when regulators
"The statute and regulations have not changed [and] the advisory itself says the red flags do not alter independent regulatory obligations or supervisory expectations," Steephen said. "But once Fincen and the prudential regulators publish specific red flags and SAR-filing instructions, banks know those materials can become reference points in exams, enforcement reviews, and internal audits."
The guidance, issued jointly by Fincen, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, and the National Credit Union Administration, in coordination with the Internal Revenue Service, encourages banks to scrutinize activity connected to potentially unauthorized employment, as well as identity theft, payroll fraud, shell companies and the use of individual taxpayer identification numbers — nine-digit IRS-issued numbers often used by those required to file a return but not eligible for a Social Security number.
It argues that employers that hire undocumented immigrants gain an unfair advantage over law-abiding businesses and deprive federal and state governments of payroll taxes. The advisory identifies industries such as agriculture, construction and hospitality as presenting heightened risks and encourages banks to tag activity related to the advisory by referencing the executive order in their filings, helping identify potentially suspicious immigration-status-related employment activity.
Despite the nonbinding nature of an advisory, banks may feel pressure to make judgement calls about transactions that could involve undocumented customers. For smaller institutions with limited compliance resources, the immediate challenge may be determining how to document their response to the guidance without straying from the
Banks will be required to demonstrate they have considered the guidance, overlay that guidance onto their existing risk profiles and consider controls or they could face scrutiny during examinations, according to Steephen.
"Operationally, banks will still respond by adjusting monitoring, due diligence, documentation, and SAR processes," Steephen continued. "That is the familiar path from advisory to expectation to de facto rule."
Himamauli Das, Fincen's former acting director, said Fincen advisories are generally supposed to be more suggestions than stern regulatory expectations. Even so, they still shape how banks deploy compliance resources and how examiners assess those efforts, Das said.
"Advisories and alerts are not legally binding in the way the underlying [Bank Secrecy Act] requirements and regulatory obligations are," Das said, noting advisories are instructive in helping financial institutions understand government priorities and the risk environment. "I would expect that AML compliance teams will review the advisory and assess the institution's exposure to the risks identified and consider whether additional controls need to be put in place."
Das added that he expects examiners to take note of an advisory and the identified risks as part of the overall examination process.
For community banks in particular, distancing themselves from consumers that could be considered red flags for the administration may be the safest way to offload any potential risk.
"When a category of customer becomes a compliance-cost and exam-risk center, institutions often respond by avoiding the category rather than serving it carefully," Steephen said. "ITIN holders include people trying to participate in the formal tax and banking systems, and many are exactly the lower-income immigrant households that financial inclusion efforts have tried to bring into mainstream banking. If banks respond with tighter onboarding, more exits, or fewer approvals, the policy pushes people toward cash, check cashers, and informal finance. That is worse for households and, ironically, less transparent for law enforcement."
Steephen said large banks will likely need to incorporate the advisory's red flags into transaction-monitoring systems, update customer due diligence procedures, train staff and revise SAR protocols, including guidance on when to use the designated key term.
For community banks and credit unions with less complex systems, the burden is more operational, requiring additional manual review and documentation. The greater challenge, he said, is demonstrating to examiners that the institution took the advisory seriously and applied a documented, risk-based approach.
More fundamentally, the guidance has raised concerns over whether the administration is using existing anti-money-laundering authorities to advance broader immigration enforcement goals.
"The clearest tell is the combination of dedicated SAR-tagging instructions and the encouragement to report tips to ICE," Steephen said. "Banks are not being handed a new statutory mandate so much as being asked to aim existing financial-surveillance tools at a new screening target, while carrying the compliance cost, the customer-access risk, and the examination liability."
Consumer advocates echo that concern. Carla Sanchez-Adams, senior attorney at the National Consumer Law Center, said
Steephen said she does not expect examiners to treat the advisory as a formal checklist in name, but believes they could replicate a checklist-like approach in practice. That would likely mean asking whether banks reviewed the guidance, evaluated the impact of the red flags to their customer base and made any updates to programs.
"The biggest risk for banks is hindsight," Steephen said. "If suspicious activity later appears that resembles the advisory's typologies, examiners will ask why the bank did not detect it after the agencies had put those risks in writing."
