A New Executive Order Is Rewriting the AML/KYC Compliance Landscape
On May 19, 2026, the Administration issued an Executive Order titled "Restoring Integrity to America's Financial System." The Order directs the U.S. Department of the Treasury, federal banking regulators, and the Consumer Financial Protection Bureau to develop new guidance and proposed regulatory amendments on an accelerated timeline — targeting customer due diligence, customer identification programs, suspicious activity monitoring, and consumer lending standards for borrowers whose immigration or employment authorization status cannot be verified.
The Order does not immediately amend existing law or Bank Secrecy Act regulations. What it does is set agency action deadlines — 60, 90, and 180 days — that will produce new guidance, proposed rules, and supervisory expectations in rapid succession. Financial institutions that wait for final rules before assessing their AML KYC requirements will be behind the compliance curve when examiners arrive.
The institutions best positioned to respond are those whose customer identification, due diligence, and transaction monitoring workflows are built into a single, auditable operational platform — not assembled across disconnected systems that must be manually reconciled when supervisory expectations shift. Lenders using Salesforce-native compliance tools can adapt their KYC and CDD workflows as guidance arrives, without rebuilding from scratch. If you are evaluating where your institution stands against what is coming, a compliance discussion is the right place to start.
What the Executive Order Directs — and When
The Order establishes a phased timeline of agency actions across four compliance areas. Each deadline represents a point at which new supervisory expectations may begin to apply — and at which institutions without the right infrastructure will face catch-up risk.
| Agency Action | Deadline | Compliance Area | Potential Impact |
| Treasury suspicious activity red-flag advisory | 60 days (by ~July 18, 2026) | AML transaction monitoring, SAR escalation, enhanced due diligence | New red flags for ITIN accounts, payroll-related structuring, cross-border P2P payments |
| CFPB ability-to-repay clarification | 60 days | Consumer underwriting, Regulation Z | Deportation or loss of work authorization recognized as repayment risk factor |
| Federal banking agency credit risk guidance | 60 days | Consumer lending to non-work-authorized borrowers | Documentation standards, underwriting procedures, credit risk governance |
| Treasury BSA customer due diligence proposed rule | 90 days (by ~Aug. 17, 2026) | CDD requirements, beneficial ownership, immigration-related due diligence | Enhanced collection and verification obligations; potential immigration status inquiry requirements |
| CIP amendments — foreign consular ID cards | 180 days (by ~Nov. 15, 2026) | Customer identification program, onboarding, acceptable-ID policies | Changes to acceptable identification, exception handling, risk-rating for non-U.S. citizen customers |
The 60-Day Window: Suspicious Activity Red Flags
The most immediate operational impact will come from the Treasury's forthcoming suspicious activity red-flag advisory. The Order identifies six specific risk areas that the advisory is expected to address:
Payroll tax evasion involving unauthorized workers. Transaction patterns consistent with wage payments to individuals whose employment authorization cannot be verified, particularly where payroll flows through accounts that show no corresponding tax reporting activity.
Concealed ownership and payroll structures. Nominee accounts, shell companies, funnel accounts, and transactions involving foreign identity documents used to obscure beneficial ownership of business accounts or payroll operations.
Off-the-books wage payments. Payments routed through unregistered money services businesses, third-party processors, or peer-to-peer payment platforms in patterns consistent with unreported wage disbursements.
Structuring activity tied to payroll cycles. Repetitive sub-threshold cash transactions — amounts structured to avoid the $10,000 currency transaction report threshold — occurring on a cycle consistent with weekly or biweekly payroll.
Labor trafficking indicators. Commingling of legitimate revenue with proceeds from coerced labor arrangements, or recurring foreign transfers in patterns consistent with trafficking-related financial flows.
ITIN-based account and credit risk. Accounts or credit facilities established using Individual Taxpayer Identification Numbers where lawful immigration or work authorization status has not been independently verified.
Financial institutions should expect these red flags to directly influence SAR escalation thresholds, enhanced due diligence trigger criteria, and transaction monitoring rule configurations.
So what does this mean for your institution? The Treasury advisory is expected within weeks of this post's publication. Institutions whose transaction monitoring rules, SAR escalation procedures, and enhanced due diligence triggers have not been reviewed against these specific risk categories will face supervisory findings that could have been prevented by a policy review conducted now.
The 90-Day Window: Expanded Customer Due Diligence Requirements
Within 90 days, Treasury must propose amendments to BSA customer due diligence regulations. The existing CDD Rule — codified at 31 C.F.R. § 1010.230 and implemented through FinCEN's 2018 CDD final rule — already requires covered financial institutions to identify and verify beneficial owners of legal entity customers and to understand the nature and purpose of customer relationships. The forthcoming proposed amendments will expand on that baseline.
The Order directs Treasury to consider requiring institutions to collect and verify sufficient information to identify both nominal and beneficial account owners, and to assess risks involving illicit finance, sanctions evasion, fraud, and other unlawful activity. Where risk indicators or supervisory concerns raise material compliance issues, institutions may be expected to obtain additional information beyond what current CDD standards require.
The immigration-related due diligence element is the most operationally significant potential change. The Order directs Treasury to consider enhanced due diligence that could include requesting information relating to lawful immigration status and employment authorization where that information is relevant to assessing risks involving fraud, identity misrepresentation, sanctions evasion, or illicit financial activity. This is a significant potential expansion of the CDD framework — one that lenders with consumer or commercial portfolios serving immigrant communities must monitor carefully.
Critical compliance context: The Order explicitly directs that any agency response be calibrated against existing consumer protection requirements, fair lending considerations, and anti-discrimination laws. The Equal Credit Opportunity Act (15 U.S.C. §§ 1691–1691f) and Regulation B prohibit discrimination in credit transactions based on national origin. ECOA's prohibitions apply to the full credit process — including how institutions collect information, what information they use in underwriting, and how they communicate decisions. Any expansion of immigration-related due diligence that is not carefully calibrated against ECOA's requirements creates significant fair lending exposure.
Understanding how KYC timing and compliance accuracy intersect is directly relevant to this development: institutions that have built strong KYC documentation workflows will be better positioned to demonstrate compliance with whatever enhanced CDD standards the proposed rule establishes — because their current practices will already produce the documentation trail the new standard requires.
So what does this mean for your institution? Lenders should begin now — before the proposed rule is published — by assessing whether their current CDD workflows produce sufficient documentation to identify both nominal and beneficial account owners, and whether their transaction monitoring configurations would detect the six red-flag patterns the Treasury advisory will identify. The 90-day rulemaking window is not a grace period; it is the comment period during which institutions that have already assessed their gaps can submit informed comments on the proposed rule.
Why LASER for AML/KYC Compliance in a Shifting Regulatory Environment
The executive order's accelerated timeline — 60, 90, and 180 days — creates a specific operational challenge: lenders need to assess and adapt their KYC, CDD, and transaction monitoring workflows across multiple simultaneous agency actions, without the benefit of waiting for a single comprehensive rule. That is not a legal problem. It is an infrastructure problem.
Salesforce-native credit access, built-in compliance, and decisioning — unified in a single app, ready from day one.
LASER Credit Access is built natively inside Salesforce, connecting lenders to Equifax, Experian, and TransUnion for credit bureau access while providing built-in compliance workflow infrastructure through the COMPLY pillar. For AML and KYC compliance, the native Salesforce architecture means that customer identification, beneficial ownership documentation, risk-rating events, and enhanced due diligence triggers are all logged within the same loan and account records — not in a parallel compliance system that requires manual reconciliation.
When Treasury's red-flag advisory identifies new suspicious activity patterns and your compliance team needs to update transaction monitoring rules and enhanced due diligence triggers, that update happens in the same platform your operations team uses to originate and service loans. When examiners ask for evidence of how a specific account was risk-rated and what due diligence was conducted, the answer is in the same record — not extracted from three disconnected systems.
For lenders now evaluating whether their KYC and CDD infrastructure is positioned for the guidance that will arrive in the next 90 to 180 days, the federal AML and KYC requirements that create pre-account-opening verification obligations are the baseline against which the Executive Order's proposed expansions will be measured.
LASER brings built-in KYC and AML compliance tools for lenders on Salesforce together with Salesforce-native identity verification and credit bureau access for lender KYC workflows, so compliance and lending teams work from a single operational record rather than reconciling across disconnected systems.
The 60-Day Lending Window: Ability-to-Repay and Credit Risk Guidance
Simultaneously with the Treasury's red-flag advisory, the CFPB and federal banking regulators are directed to issue guidance specifically affecting consumer lending.
CFPB ability-to-repay clarification. The CFPB must consider clarifying that potential deportation or loss of wages resulting from the loss of work authorization may affect a borrower's ability to repay under existing Regulation Z standards (12 C.F.R. Part 1026). Regulation Z already requires lenders to make a reasonable and good-faith determination of a consumer's ability to repay before extending credit. If the CFPB clarifies that immigration status-related income risk is a factor that must be considered in that determination, it will affect underwriting procedures, income verification standards, and documentation requirements for consumer lenders.
Federal banking agency credit risk guidance. Separately, federal banking regulators must issue guidance regarding credit risks associated with lending to individuals who lack work authorization. For consumer and commercial lenders, this guidance may affect underwriting procedures, documentation standards, fair lending reviews, and credit risk governance frameworks.
The fair lending tension is real and requires careful management. The Butler Snow analysis of this Executive Order correctly identifies that any institutional response must be calibrated against existing BSA/AML obligations, consumer protection requirements, fair lending considerations, and anti-discrimination laws. Using immigration or work authorization status as a credit factor without explicit regulatory authorization to do so — or in a way that has disparate impact on a protected class — creates ECOA and Fair Housing Act exposure that may exceed any compliance benefit from the credit risk management objective.
Lenders should not make programmatic changes to underwriting procedures, documentation standards, or credit risk governance in advance of the actual CFPB and banking agency guidance. The appropriate response now is assessment: reviewing current ability-to-repay documentation standards, identifying where income verification processes currently account for employment stability risk, and ensuring that any forthcoming regulatory guidance can be incorporated into existing workflows without requiring a complete rebuild.
So what does this mean for your institution? The 60-day guidance deadlines for both the CFPB and the banking agencies are the same as the Treasury's red-flag advisory. Lenders are simultaneously managing new suspicious activity monitoring expectations, new ability-to-repay considerations, and new credit risk guidance — all on the same timeline. Institutions whose compliance, lending, legal, and operations teams are not already coordinating on this Executive Order are creating catch-up risk that will be difficult to close once the guidance is published.
What Lenders Should Do Before Each Deadline
Before the 60-day Treasury and agency guidance (by approximately July 18, 2026):
Before the 90-day BSA CDD proposed rule (by approximately August 17, 2026):
Before the 180-day CIP amendments (by approximately November 15, 2026):
So what does this mean for your institution? AML and KYC compliance for lenders has always been an operational function as much as a legal one — what matters is not only whether your policies say the right things, but whether your workflows produce the documentation those policies require. The executive order's accelerated timeline makes that operational question urgent.
Frequently Asked Questions
Q: Does the Executive Order immediately change what our AML/KYC program must do?
A: No. The Order does not immediately amend existing law or Bank Secrecy Act regulations. It directs agencies to develop guidance and proposed rules on an accelerated timeline. However, supervisory expectations can shift before final rules are published — particularly once the Treasury's red-flag advisory is issued, examiners will begin evaluating whether institutions' transaction monitoring programs address the identified risk categories. Financial institutions should treat the advisory as an effective compliance expectation date, not a proposed rule that can be ignored until finalized.
Q: Are we required to ask customers about their immigration or work authorization status under the new Executive Order?
A: Not yet, and possibly not at all in the form the Order describes. The Order directs Treasury to consider enhanced immigration-related due diligence as part of the BSA CDD proposed rule — it does not mandate it. Any such requirement would go through notice-and-comment rulemaking before taking effect, and would need to be calibrated against ECOA's anti-discrimination protections. Institutions should not begin collecting immigration status information for AML or credit risk purposes based on the Executive Order alone. Wait for the proposed rule and accompanying CFPB/banking agency guidance before making any programmatic changes to information collection procedures.
Q: How does the CFPB's ability-to-repay clarification affect our current underwriting process?
A: The CFPB is directed to consider clarifying that deportation risk or loss of work authorization may affect ability to repay under Regulation Z. This clarification has not been issued. When it is, it will interpret existing law — not create new requirements — which means its practical impact depends on how the guidance is framed. Lenders should ensure their income verification and employment stability documentation is current and complete under existing standards, and should track the CFPB guidance closely when published.
Q: What is the compliance risk of incorporating immigration status into credit underwriting decisions before regulatory guidance is issued?
A: Significant. Using national origin or immigration status as a factor in credit decisions creates direct ECOA and Regulation B exposure. ECOA (15 U.S.C. § 1691) prohibits discrimination in credit transactions on the basis of national origin. Regulation B's implementing rules govern what information may be collected from applicants and how it may be used. Making underwriting changes based on assumed immigration risk — without specific regulatory authorization to do so — is a fair lending violation that cannot be remediated by subsequent regulatory guidance. Coordinate with legal counsel before incorporating any immigration-related factor into credit underwriting.
Q: What should our SAR escalation procedures capture for the six identified red-flag categories?
A: Until the Treasury advisory is published, institutions should review existing SAR escalation guidance and assess whether current procedures adequately address: payroll-related structuring, nominee or shell account structures used for payroll, ITIN account activity inconsistent with stated business purpose, P2P platform payments in payroll-cycle patterns, and cross-border transfers with labor trafficking indicators. The six categories identified in the Order are not new concepts — they map to existing BSA/AML risk typologies. The advisory will provide more specific guidance on thresholds, patterns, and escalation criteria.
Ready to Build AML/KYC Compliance Into Your Salesforce Lending Workflow?
The May 2026 Executive Order is not the end of the compliance picture for AML and KYC requirements — it is the beginning of an accelerated agency action cycle that will produce new guidance, proposed rules, and supervisory expectations across the next six months. The lenders best positioned to respond are those whose compliance infrastructure is embedded in their operational platform, making adaptation the natural output of workflow updates rather than a crisis-response project.
LASER Credit Access delivers Salesforce-native credit bureau access, built-in compliance workflows, and identity verification tools in a single application. If your institution is assessing its AML/KYC readiness against what this Executive Order will produce — or needs to close gaps in your customer due diligence, ITIN account procedures, or transaction monitoring configurations — a compliance discussion is the right starting point.
→ Schedule a Compliance Discussion
