On April 1, 2025, FinCEN issued an Advisory to assist financial institutions in identifying and reporting suspicious activity related to the financing of the Islamic State of Iraq and Syria (ISIS). The Advisory outlines how ISIS funds itself through international support and various money transfer methods and also provides red flags for financial institutions to identify suspicious activity.
The Treasury’s 2024 National Terrorist Financing Risk Assessment notes that ISIS remains a regional and global threat. The Advisory issued by FinCEN is a continuation of the sustained effort of the Treasury, in coordination with the U.S. government interagency and foreign partners, to disrupt and eliminate ISIS’s revenue sources and financial networks.
FinCEN has listed the following red flag indicators to assist financial institutions in detecting, preventing, and reporting suspicious activity connected to the financing of ISIS:
One credit card or bank account is used to book travel to or accommodation and transportation in an area of known ISIS activity for several unrelated people at the same time for no known legitimate purpose.
Fundraisers are attached to social media profiles that show support for ISIS or display ISISrelated iconography or refer to supporting the “mujahideen” or the “war against kufar (non-believers),” especially if the fundraisers are soliciting donations to fund travel to an area of known ISIS activity. The fundraising appeal posted on social media references aid to imprisoned women and children in Iraq or Syria.
A customer collects small amounts through P2P transfers, social media, or virtual currency payments over a short period of time and then sends them in a lump sum to an individual located in a region where ISIS presence is prevalent.
A customer sends remittances with no known legitimate purpose from the United States to multiple individuals in jurisdictions, such as Türkiye, known for ISIS facilitation activity who do not appear to have any relation to the sender.
A customer attempts to purchase plane or other travel tickets after abruptly liquidating assets, closing accounts, cancelling subscriptions, or receiving large unexplained sums of cash. A period of account dormancy following these behaviors should also be regarded as suspicious, even if the customer eventually resumes transactions within the United States.
A customer abruptly appears to seek as many lines of credit as possible, for example, by acquiring several credit cards and taking out one or more loans for unclear reasons, especially if the customer has not used credit cards or taken out loans in the past. This behavior should be regarded as especially suspicious if the customer uses newly obtained credit cards either exclusively or almost exclusively for cash advances and purchases of virtual currencies but then fails to make loan or credit card payments when they come due.
A customer begins receiving a sudden influx of unexplained cash deposits, especially if that customer is unemployed or these deposits are in addition to a regular paycheck, or if the deposits come from ATMs in locations where ISIS is prevalent, but where the customer is not known to reside or have traveled.
A customer suddenly adopts or increases their use of financial methods that conceal the ultimate source or end use of funds, for example P2P transfers, ATM withdrawals, third party processors, prepaid cards, virtual currency, or wire transfers.
A customer makes deposits in an account locally which are then withdrawn from other locations, including from abroad, where the individual is not known to reside or have traveled but where ISIS is prevalent.
A customer places virtual currency in a virtual currency wallet using an IP address in one location which is then withdrawn from virtual currency kiosks or converted to fiat currency by users with IP addresses in different locations where the individual is not known to reside or have traveled but where ISIS is prevalent.
A customer’s account appears to have been accessed in multiple countries at the same time or within a very short time period, particularly if the account is accessed in countries where ISIS is prevalent.
Read FinCEN’s news release here.
The full Advisory can be found here.