FinCEN issued Advisory FIN-2026-A002 on June 5, 2026, jointly with FDIC, OCC, NCUA, and in coordination with the IRS

On June 5, 2026, the U.S. Department of the Treasury's Financial Crimes Enforcement Network, jointly with the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the National Credit Union Administration, and in coordination with the Internal Revenue Service, issued Advisory FIN-2026-A002. The advisory directs financial institutions, particularly banks, to be vigilant against fraud schemes and other suspicious activities involving the unlawful employment of illegal aliens and the associated risks to the integrity of the U.S. financial system. This is not a general awareness document. FinCEN has issued an explicit SAR filing request: financial institutions should reference this advisory by including the key term "FINANCIALINTEGRITY-2026-A002" in SAR field 2, Filing Institution Note to FinCEN, and in the SAR narrative.

The advisory carries an explicit SAR filing request: include the key term "FINANCIALINTEGRITY-2026-A002" in SAR field 2 (Filing Institution Note to FinCEN) and the SAR narrative

The advisory is part of a whole-of-government effort that began with Executive Order 14159, Protecting the American People Against Invasion, issued by President Trump on January 20, 2025. That order declared it the policy of the United States to faithfully execute immigration laws and ensure employment authorization is not provided to unauthorized aliens. The initiative was reinforced on May 19, 2026, by Executive Order 14406, Restoring Integrity to America's Financial System, which directed the Secretary of the Treasury to issue this specific advisory. FinCEN's advisory aligns with its AML/CFT National Priorities of Fraud, Terrorist Financing, Drug Trafficking Organization Activity, Transnational Criminal Organization Activity, and Human Trafficking and Human Smuggling.

Two primary typologies are identified: identity theft (using stolen SSNs and PII of U.S. citizens and lawful permanent residents) and payroll fraud schemes (complicit labor brokers using shell companies)

The advisory identifies two primary methodologies that financial institutions should understand and monitor for. The first is identity theft. Complicit employers, those who knowingly or through willful negligence hire unlawful alien workers, frequently accept fraudulent identification documents as evidence of authorized status. These documents include legal permanent resident cards, Social Security cards, and driver's licenses that belong to U.S. citizens or lawful permanent residents. The stolen Social Security numbers and PII are used to make Form I-9s appear legitimate, gain employment and wages, obtain employer- and government-provided health care benefits, and, critically for financial institutions, fraudulently access financial services and obtain credit for automobile and other types of loans. Victims of these identity theft schemes can face higher taxes and denial of benefits because illegal aliens are using their stolen identity to earn wages.

The payroll fraud scheme involves shell companies set up by labor brokers that operate as unregistered MSBs, cashing employer checks in structured transactions and paying workers off the books

The second methodology is payroll fraud, and it is the more operationally complex of the two. The advisory describes a multi-layered scheme in which complicit employers contract with complicit labor brokers to hire, house, transport, and pay unlawful alien workers through off-the-books payroll fraud schemes. The labor broker sets up a shell company, often with a generic name like ABC Construction or XYZ Logistics, purporting to be in agriculture, construction, domestic service, hospitality, or staffing. The shell company typically operates as an unregistered money services business providing off-the-books payroll or payment processor services. According to FinCEN analysis, financial institutions reported over $2.5 billion in suspicious activity associated with this type of scheme in 2025 alone.

Financial institutions reported over $2.5 billion in suspicious activity tied to this payroll fraud typology in 2025 alone

The transaction pattern follows a consistent structure. Complicit employers write checks payable to the labor broker's shell company for purported services or products related to their industry, a construction business sending checks for framing, drywall, stucco, or painting. The labor broker then launders the funds: cashing the checks through banks and MSBs in structured transactions below reporting thresholds, or depositing them into the shell company's bank account. After deducting a four to ten percent fee, the labor broker sends payments to the unlawful alien workers through cash couriers, checks, or peer-to-peer platforms. These payments are often structured to fall below BSA reporting and recordkeeping thresholds. Neither the labor broker nor the employer withholds federal or state payroll taxes, contributing to what the IRS identifies as a $127 billion employment tax gap. The employer evades FICA, FUTA, and state-level payroll taxes and premiums, undercutting legitimate businesses and defrauding insurance companies.

Account-opening red flags include: foreign identity documents or ITINs, CMRA addresses instead of real business addresses, generic business names with high cash flow, and no verifiable physical presence

The advisory includes a specific case study that illustrates the identity theft methodology. On July 31, 2025, the U.S. Department of Justice announced that Jose De La Cruz-Lopez, an illegal alien from Mexico, pleaded guilty to using a fraudulent Social Security number and false immigration identification documents. De La Cruz-Lopez obtained employment at Buckeye Fire Equipment using a driver's license bearing his image but the name of an individual eligible to work in the United States, along with a copy of that individual's Social Security card. Employed since 2022, he falsely attested on the I-9 that he was the person presented on the identification and that he was a U.S. citizen. Two additional individuals entered guilty pleas in the same case, and seven others faced immigration violations.

The advisory connects these schemes to broader national security threats, including financing of designated Foreign Terrorist Organizations and transnational criminal enterprises

The advisory outlines specific account-opening indicators that compliance teams should watch for. Complicit labor brokers may use foreign identity documents or Individual Taxpayer Identification Numbers to open accounts, listing themselves as "self-employed" or "laborer." They may attempt to evade Customer Identification Program requirements by using Commercial Mail Receiving Agencies instead of real addresses to obscure the fact that they have no legitimate business operations. The shell companies often have no verifiable physical presence, unusually high cash flow relative to their stated industry, and ownership structures designed to obscure beneficial ownership. Accounts may show repetitive structured transactions, known as microstructuring, that correlate to payroll cycles outside standard processing systems.

Compliance teams should update SAR procedures, calibrate transaction monitoring, train front-line staff on the advisory's indicators, and brief the BSA officer and senior management immediately

FinCEN explicitly connects these schemes to broader national security threats. The advisory notes that non-work authorized populations and their employers often rely on access to the U.S. financial system. In certain instances, access to financial services and unlawfully obtained wages can be leveraged to facilitate the financing of transnational criminal organizations, several of which have been designated as Foreign Terrorist Organizations, and their global criminal enterprises, including drug trafficking, human trafficking, and other illegal activity in the United States. The advisory cites the Proclamation Declaring a National Emergency at the Southern Border and the Executive Order on Designating Cartels as Foreign Terrorist Organizations.

For financial institutions, the operational implications are immediate. The SAR filing request, "FINANCIALINTEGRITY-2026-A002" in field 2 and the narrative means every SAR filed in connection with activity matching the advisory's typologies should include this reference. This is not optional language. FinCEN uses these key terms to track, aggregate, and analyze SAR filings related to specific advisories, and the inclusion of the term ensures the filing is routed to the appropriate analytical teams. Compliance departments should update their SAR filing procedures, train their SAR investigators on the specific typologies described in the advisory, and ensure that transaction monitoring systems are calibrated to detect the payroll fraud and identity theft patterns the advisory describes. Front-line staff should be trained to recognize the account-opening indicators, particularly the use of ITINs, CMRA addresses, and generic business names paired with high cash flow.

The advisory also identifies specific risk factors at the customer level that warrant enhanced scrutiny. Employers in agriculture, construction, domestic service, and hospitality industries should receive heightened attention. Accounts opened with foreign identity documents or ITINs paired with self-employment descriptions should trigger additional verification. Businesses with no verifiable physical presence that nonetheless process high volumes of check cashing or structured deposits should be evaluated against the shell company indicators. Multiple employees at the same business sending identical-amount remittances on the same date to high-risk countries. The advisory specifically references Southeast Asia, Eastern Europe, Latin America, and Africa, and these patterns should prompt consideration of whether the account holders may be trafficking victims whose earnings are being extracted through debt bondage.

This advisory sits within a rapidly intensifying enforcement environment around immigration-related financial crime. The Trump administration's whole-of-government approach means FinCEN is coordinating more closely with ICE, the IRS, and federal prosecutors than at any point in recent years. Financial institutions that identify activity matching the FIN-2026-A002 typologies and fail to file SARs referencing the advisory are operating with exposure that is both regulatory and reputational. The advisory explicitly states that complicit employers gain an unfair advantage over legitimate U.S. businesses, depress wages, facilitate identity theft of work-authorized individuals including American citizens, and steal millions in federal and state payroll tax revenue meant for government benefit programs. A financial institution that processes transactions connected to these schemes without detecting and reporting them is facilitating the very conduct the advisory is designed to disrupt.

The practical path forward for compliance teams is clear. First, read the full advisory. The typologies and indicators are detailed and specific. Second, update your SAR filing procedures to include the "FINANCIALINTEGRITY-2026-A002" reference in field 2 and narrative guidance for SAR investigators. Third, calibrate your transaction monitoring rules to flag the payroll fraud patterns: structured check cashing at shell companies, repetitive microstructured payments to individuals from the same employer, and remittance patterns consistent with debt bondage. Fourth, train front-line staff on the account-opening indicators: ITIN use, CMRA addresses, and generic business names paired with high cash volume. Fifth, brief your BSA officer and senior management on the advisory's implications and your institution's response. The advisory is effective immediately, and the examination cycle will not wait.