Papers, Please: White House Issues Order Pushing Immigration-Related Risk into Bank Compliance
The Executive Order is titled “Restoring Integrity to America’s Financial System.”
“Restoring Integrity.” Well, that’s one way of putting it. On May 19th, the current President issued Executive Order 14406. Like so many of the other recent edicts coming out of the Executive, it is framed as an anti-fraud, anti-abuse, and safety-and-soundness measure. It directs Treasury, federal financial regulators, NCUA, and the CFPB to examine risks allegedly posed by extending financial services and credit to “non-work-authorized individuals” and to what the order refers to as an “inadmissible and removable alien population.”
And, almost as if to lull the banking industry into a false sense of comfort, the order uses plenty of familiar compliance language: BSA, CDD, CIP, beneficial ownership, suspicious activity, ability to repay, safety and soundness. It even begins where a financial-crime order would be expected to start – pointing to payroll-tax evasion, nominee accounts, shell companies, funnel structures, unregistered MSBs, third-party processors, peer-to-peer platforms, structuring, labor trafficking, ITIN use, and foreign identity documents. But it then also expressly ties these issues to mortgage loans, auto loans, credit cards, and other consumer credit, asserting that lending to individuals without legal work authorization or with substantial wage-loss risk creates a structural “ability to repay” deficiency.
The problem, of course, isn’t that the order mentions financial crime. Banks already monitor for suspicious activity, verify customers, assess creditworthiness, and manage fraud risk – not merely because federal regulation tells them to, but because these are table-stakes functions for running a safe and sound financial institution. No, the problem is that the order takes seemingly legitimate compliance concepts and re-aims them toward a much broader – and far more fraught – proposition: that immigration status and work authorization should become embedded risk signals throughout the financial system.
Now, like every other Executive Order – this is not a final rule, and does not (nor cannot) immediately require every bank to collect proof of citizenship or immigration status from every customer. But it is, effectively, a set of marching orders to the agencies – one with a very quick turnaround time.
Within 60 days, Treasury is directed to issue a formal advisory to financial institutions identifying specific red flags and typologies associated with suspicious activity involving non-work-authorized populations and their employers. That advisory must address, among other things, payroll-tax evasion by employers or labor brokers; foreign identity documents, nominee accounts, shell companies, and funnel structures; unregistered MSBs, third-party processors, and peer-to-peer platforms used for off-the-books wage payments; sub-threshold cash activity tied to payroll cycles; labor trafficking and forced labor; and ITIN use to obtain credit products or open deposit accounts where the applicant lacks verified lawful immigration status.
Within 90 days, Treasury, in consultation with the federal financial regulators, is directed to propose changes to Bank Secrecy Act regulations to strengthen risk-based customer due diligence requirements. Those changes are supposed to ensure that institutions collect and verify sufficient customer identity information to identify nominal and beneficial owners and assess risks related to illicit finance, sanctions evasion, fraud, or other unlawful activity. But the order goes further – it says institutions should maintain authority, where warranted by risk indicators or supervisory concerns, to “obtain additional information […] relevant to whether account holders possess lawful immigration status and employment authorization” when that information is relevant to fraud, identity misrepresentation, sanctions evasion, or other illicit financial activity.
Within 180 days, Treasury and the federal financial regulators are directed to consider changes to BSA customer identification program requirements, including changes that account for the risks the order says are posed by foreign consular identification cards. And within 60 days, the CFPB is directed to consider clarifying that potential deportation and wage loss are factors that could adversely affect a non-work-authorized borrower’s ability to repay under Regulation Z’s ability-to-repay standards in 12 CFR Part 1026, while the federal financial regulators are separately directed to issue guidance on managing potential credit risks posed by the non-work-authorized population.
So, no, the Order may not change the federal rulebook today. But it tells the agencies what pages to start writing tomorrow – and it tells banks what kinds of customers, documents, transactions, and credit files may soon draw heightened scrutiny. Naturally, that leaves a few rather large problems standing in the middle of the room.
The first – and arguably largest – problem is that the order risks turning banks into quasi-immigration screeners – a role they are neither designed nor patently authorized to play. Banks are built to verify identity, monitor transactions, identify unusual patterns, assess creditworthiness, and file SARs when appropriate. However, notably: they are not immigration agencies. They aren’t trained to adjudicate lawful presence or work authorization. And they don’t really have some unchecked, freestanding legal authority to decide, as a general banking function, whether a customer’s immigration status creates a legally meaningful reason to limit account access, credit availability, or ordinary financial services.
Now, while existing customer identification rules require banks to form a reasonable belief that they know the true identity of the customer, they do not generally require banks to verify citizenship, lawful immigration status, or work authorization as a condition of ordinary account access. Knowing who a customer “is” is not the same as determining whether that customer is lawfully present, lawfully employed, or removable under federal immigration law.
If the agencies blur that line, banks may be left in an impossible position – expected to ask immigration-adjacent questions they are not equipped to evaluate, collect documents they may not know how to interpret, and make risk judgments that belong more naturally to immigration authorities than financial institutions. Worse, they may be second-guessed from both directions – criticized by examiners if they do too little, and exposed to fair lending, UDAP/UDAAP, privacy, and related risk if they do too much.
The second problem is that this could become a “debanking machine,” even if nobody calls it that. As has been well publicized, the administration has separately criticized politically motivated or categorical “debanking.” But this order could push banks toward a different form of categorical caution – heightened scrutiny of ITIN users, consular ID users, foreign-born customers, cash-heavy workers, remittance senders, immigrant-owned businesses, or borrowers whose documentation doesn’t fit neatly into a conventional SSN-and-W-2 underwriting file.
That doesn’t necessarily mean every one of those customers will be denied. But for all intents and purposes – in banking, “friction” such as this is often the first draft of exclusion. Throw in a few vague red flags, a few uncertain regulatory expectations, a few new documentation questions, and a few frontline employees who have not been trained to distinguish immigration law from identity verification, and the practical message eventually becomes “some customers may become more trouble than they are worth.”
That’s likely why much of the early backlash has centered on financial exclusion. Industry and consumer advocates alike have warned that the Order could push immigrants and ITIN users out of the mainstream financial system, restrict access to credit, limit the practical use of consular identification cards, increase the unbanked population, and create major operational burdens for financial institutions.
If a customer is inside a regulated institution, the institution can verify identity, monitor transactions, detect suspicious patterns, and escalate where appropriate; but if that customer is pushed into cash, informal remittance networks, prepaid workarounds, or unregulated intermediaries, the system may have less visibility, not more. Regulated accounts create records – but cash economies do not. Bank monitoring creates reporting channels – but informal workarounds do not. Ultimately, the order may create more of the very opacity it says it is purporting to fight.
A third problem is that the order treats ITINs and consular IDs as if they are inherently suspect, rather than as tools that often help bring people into the regulated financial system. Of course, any document can be misused. And, of course, banks should have risk-based controls. But treating ITIN use or foreign consular identification as a built-in warning sign risks sweeping legitimate customers into suspicion simply because their documentation is administratively inconvenient or politically disfavored.
That is especially troubling because ITINs exist, in part, so individuals without Social Security numbers can comply with tax obligations. Even putting aside the obvious UDAAP hallmarks – treating ITIN use as a quasi-red flag essentially inverts the policy logic, insofar as the person trying to operate within a documented system now suddenly becomes more suspicious precisely because they used the documentation available to them.
Another problem is the order’s credit-risk theory. To be sure, there’s a legitimate underwriting point buried in here, because if income is unstable, unverifiable, unlawful, or likely to end, repayment capacity matters. But the order goes further by suggesting that potential deportation and wage loss may be relevant to ability-to-repay analysis. Handled with the utmost care, that could potentially remain an individualized underwriting issue. Handled even slightly clumsily, and it could become a status-based presumption. It doesn’t take a law degree to see that this potentially has fair lending, UDAAP, and/or privacy considerations written all over it. A lender that treats two similarly situated applicants differently because one uses an ITIN, relies on a consular ID, sends remittances, has a foreign-sounding name, or is perceived as more likely to be non-work-authorized may not be making a careful credit decision; rather, it may be running a status-based assumption through the language of credit risk.
Threaded through all of this is the same compliance trap. If banks do too little, they may later be criticized for ignoring immigration-related BSA or credit-risk signals. If they do too much, they may exclude legitimate customers, invite fair lending scrutiny, create privacy problems, burden frontline staff, and contradict the broader anti-debanking message.
No one is likely to have “fun” complying with the reality this order might create, but arguably, larger institutions can throw lawyers, consultants, and centralized operations teams at the ambiguity. But smaller institutions cannot simply “flip a switch” and begin evaluating immigration-related documentation, retraining staff, reprogramming account-opening systems, revising policies, and adjusting monitoring rules without real (possibly back-breaking) cost.
To be clear, the issues the Order invokes are real, and serious – fraud, BSA compliance, identity verification, human trafficking, tax evasion, shell companies, and suspicious payment flows all deserve careful attention. But the integrity of the financial system is unlikely to be restored by making banks guess who is removable, and it is unlikely to be strengthened by forcing financial institutions into an immigration-screening role they were never designed, trained, or authorized to perform.
The EO can be found here: [91 FR 30479]
Its related Fact Sheet can be found here: [Fact Sheet]
The related EO, titled “Integrating Financial Technology Innovation Into Regulatory Frameworks,” can be found here: [91 FR 30475] and its fact sheet is here: [Fact Sheet]
Brett Goodnack, JD, CAMS
Compliance Advisor
I Can’t See Clearly Now (The Rain Isn’t Gone, and Neither Are the Loopholes): CLARITY Act Advances Despite Stablecoin and Illicit-Finance Concerns
The crypto industry chalked up a win last week when the Senate Banking Committee advanced the CLARITY Act, a broad digital asset market-structure bill intended to bring long-awaited rules to the crypto marketplace. The vote was bipartisan, but only in the most technical sense of the word – two Democrats joined Republicans to move the bill forward. Now, that arguably gives the legislation momentum, but it doesn’t give it inevitability – at least, thankfully, not yet.
Because while the bill may be called the CLARITY Act, the reaction from banks, law enforcement advocates, labor groups, and Senate Banking Committee minority staff has been anything but “clear.” Sure, everyone ultimately wants “clarity” – at least in theory. The trouble is that, in practice, many are worried that Congress is about to make the wrong things clear.
That is to say – for the crypto industry, the bill represents a chance to move digital assets out of what supporters describe as a regulatory gray zone. But for banks and other critics, the concern is that the bill may do more than clarify the law. In fact, it may go so far as to create statutory permission structures for risks that are already causing problems.
For the banking industry, the central concern is stablecoins – and, more specifically, whether the bill leaves room for stablecoin rewards to function like yield. In a joint letter, the American Bankers Association, Independent Community Bankers of America, Bank Policy Institute, Consumer Bankers Association, Financial Services Forum, and National Bankers Association warned that the current Section 404 language still may not clearly prohibit interest-like payments on payment stablecoins. Their well-documented concern is not just formal “interest.” It is rewards, rebates, incentives, balance-based benefits, staking returns, or other compensation that may function like yield even if – maybe especially if – they are not labeled that way.
Naturally, if stablecoin platforms can offer yield-like rewards, customers may move funds out of insured bank deposits and into digital wallets or exchange accounts. On a fundamental level, that’s not merely a “competitive” issue for (community) banks. Deposits are the funding base for loans to consumers, small businesses, farmers, ranchers, and local communities. Digital wallet providers may be able to attract funds, but they aren’t the ones making the outside-the-box community loans that relationship bankers make every day.
The fix, at least on the banking side, is not especially flashy (which may actually underscore its importance) – remove narrow wording that could be used to structure around the prohibition. Advocates are urging Congress to delete “solely,” remove limiting references to “payment stablecoin balance” and “interest-bearing bank deposit,” replace an “economically or functionally equivalent” test with a broader “substantially similar” standard, and eliminate language that would expressly allow rewards calculated by balance, duration, or tenure.
In essence, a ban on stablecoin yield is just a platitude if the statute also leaves a drafting roadmap for paying it under another name.
But there’s perhaps an even broader issue with the Act as currently written –concerns of national security and illicit finance. Senate Banking Committee minority staff released an advisory warning that digital assets are already being exploited by foreign adversaries, terrorist groups, cartels, ransomware actors, human traffickers, and other criminals. That advisory argues that the current draft fails to adopt a strong enough framework for deciding which crypto platforms must carry basic anti-money-laundering responsibilities, exempts certain DeFi-linked businesses from illicit-finance requirements, fails to close the Tornado Cash sanctions loophole (i.e. the legal gap around whether Treasury can block decentralized mixer smart contracts used to obscure the source and movement of funds), and leaves a stablecoin sanctions loophole that could allow non-U.S. actors to pay sanctioned parties in stablecoins rather than dollars.
It also points to North Korean hackers using DeFi tools, cross-chain bridges, decentralized exchanges, and mixers to launder stolen crypto; terrorist groups using stablecoins; cartels and Chinese money laundering networks using digital assets to move drug proceeds; and stablecoins becoming a preferred tool for sanctions evasion and illicit payments. Not exactly comforting bedtime reading!
Really, this all seems to be sensible skepticism, and not about whether digital assets should have rules; rather, it is logical discomfort and scrutiny about whether these rules are strong enough to prevent “clarity” from becoming regulatory cover for the very risks it was supposed to contain.
Where does the CLARITY Act sit as of publication? Through committee, but, of course, not through controversy. Even if there are the makings of a framework for innovation, there still are very patent unresolved loopholes that could drain deposits, weaken community lending, and leave serious illicit-finance risks intact.
The bill’s next stop is the full Senate. Meaning – the “fight” isn’t over – and unless Congress wants to spend the next few years watching bad actors and “creative” market participants walk through the gaps everyone warned about – the final bill needs to close the loopholes, not just describe them more clearly.
The CLARITY ACT itself can be found here: [Digital Asset Market Clarity Act of 2025]
The Senate Banking, Housing, and Urban Affairs Committee advisory can be found here: [National Security Advisory: Clarity Act Fails to Address Key Vulnerabilities Exploited by Criminals, Terrorists, and Foreign Adversaries]
And, for our Texas Bankers – you can use the TBA’s GRASSROOTS ACTION CENTER to send an email to urge Texas US Senators Cornyn and Cruz to oppose any market structure bill that does not unambiguously close the stablecoin yield and rewards loophole.
Brett Goodnack, JD, CAMS
Compliance Advisor
Section 1071…Final Again
On Friday, May 1, the Consumer Financial Protection Bureau (CFPB) issued a final rule revising the small business data collection and reporting rules implemented by Regulation B (commonly referred to as Section 1071, in reference to the section of the Dodd-Frank Act that mandates this amendment to the regulation). These revisions change the current rule in Regulation B. The original rule’s compliance dates had been on hold during a legal challenge. With the new, final rule, covered banks will have a compliance date of January 1, 2028.
The final rule closely mirrors the proposed rule published by the CFPB in November of last year. Proposed changes that have now been finalized include:
- Removing certain transactions from the definition of covered credit transaction, including agricultural loans;
- Raising the originations threshold for determining a covered financial institution;
- Reducing the gross annual revenue threshold in the definition of a small business;
- Eliminating certain discretionary data points from reporting requirements;
- Changing the requirements on how to collect information and what information to collect regarding the demographics of the owners of small businesses; and
- Eliminating the tiered compliance data system and requiring all covered financial institutions to begin compliance as of January 1, 2028, with coverage thresholds based on origination volumes in 2026 and 2027.
The proposed rule requested comment on whether to request disaggregated ethnicity and race data for each principal owner of a small business borrower, or simply require the collection of aggregated categories. The final rule did, in fact, eliminate disaggregated data in favor of aggregate categories only. For ethnicity, the aggregate categories will include Hispanic or Latino and Not Hispanic or Latino. For race, the aggregate categories will include American Indian or Alaska Native, Asian, Black or African American, Native Hawaiian or Other Pacific Islander, and White.
The final rule does not resolve the question of how the data collected will be publicly disclosed. Data modification and deletion standards would help to alleviate privacy concerns. With this final rule, the CFPB kicks that can down the road, stating they will release a notice of proposed rulemaking, with proposed modifications and deletion decisions for specific data points, after they have analyzed one year of the rule’s data. Bankers who have become used to waiting for further rule changes surrounding Section 1071 may be interested to put that date on their calendars in anticipation of a coming notice of proposed rulemaking. Until then, the big date to keep in mind will be January 1, 2028, for covered banks to begin compliance.
For any questions or concerns in the meantime, feel free to reach out to us on the Compliance Hub Hotline!
Elizabeth Holtrop, CCBCO, CBAP, FLE
Assistant Vice President and Compliance Advisor
Oops! All Answer Key: Lawmakers Challenge Fed Stress Test Changes
There’s been a recurring theme in many recent regulatory actions – the slogan on the front of the box sounds great: “Now with 100% more efficiency, flexibility, clarity, AND transparency!” The trouble, as usual, is when someone actually opens the box, and sees what’s inside.
At first glance, the Federal Reserve’s stress test transparency proposal has an entirely respectable pitch – make one of the Fed’s most important supervisory tools more understandable, more accountable, and less vulnerable to legal attack. After all, stress tests help determine how much capital the largest banks must hold, and when a supervisory model effectively drives a binding capital requirement, banks understandably want to know how the machinery works.
But a recent letter from senior members of the Senate Banking and House Financial Services Committees argues that this otherwise benign framing misses the real danger. Their concern is not that transparency is inherently bad. It is that this particular kind of transparency may convert the stress test from a supervisory shock exercise into something closer to an “open-book exam.”
And it isn’t as though this is the first time this kind of warning has been raised. The letter cites the Fed’s own prior position that “full disclosure” of supervisory models could make the financial system more vulnerable by allowing firms to change their stress test results “without materially changing their risk profile.”
In his dissent, Barr warned that disclosing the models and scenarios would make the stress test “weaker and less credible,” creating the risk of “illusory comfort” in the banking system’s resilience. He also warned that the proposal could invite gaming, produce overly optimistic projections, and result in weaker capital requirements.
To be fair, the industry’s position is internally coherent: if stress tests set capital requirements, banks want clarity, stability, and the ability to challenge errors. But from a supervisory perspective, that same clarity can quickly become optimization. The industry letter says firms should better understand “how their activities and exposures are modeled” so they can evaluate the “regulatory consequences of their business decisions.” And while you could certainly argue that is prudent capital planning, you could just as safely argue that may be exactly the kind of model-management critics are worried about.
Not to put too fine a point on it, but if large banks all learn the same model, optimize to the same assumptions, and reduce capital based on the same blind spots, the entire system may become more correlated, not less risky. In turn, that model disclosure could create a “model monoculture,” where banks rely on similar models and miss bank-specific vulnerabilities. Barr made the same warning, emphasizing that model disclosure could cause banks to manage to the Fed’s framework rather than develop independent risk-management capacity.
Furthermore, some argue that the Fed’s proposed model changes would make banks look stronger under stress while reducing capital cushions. The senior members’ letter estimates that stress capital buffer requirements would fall by 2.2 percent, reducing capital cushions at the riskiest banks by roughly $35 billion.
Ultimately, the issue isn’t whether transparency is good. The issue is transparency for whom, for what purpose, and at what cost.
Brett Goodnack, JD, CAMS
Compliance Advisor