FinCEN Advisory FIN-2026-A001: Health Care Fraud Risks

Reference: FIN-2026-A001

Official publication: Read the full FIN-2026-A001 on the agency website

FinCEN Advisory FIN-2026-A001, issued March 30, 2026, puts health care fraud squarely back into the anti-money laundering and suspicious activity monitoring discussion for banks, credit unions, money services businesses, and other covered institutions. The advisory concerns fraud schemes targeting Medicare, Medicaid, and other federal and state health care benefit programs. For legal and compliance teams, the significance is not limited to health care counterparties. The larger point is that payments linked to billing fraud, patient recruitment, kickbacks, shell entities, and rapid movement of public-benefit proceeds can create identifiable Bank Secrecy Act reporting and escalation obligations. Institutions that treat health care fraud as solely a claims-administration issue risk missing the proceeds side of the scheme.

Executive Summary

FinCEN has issued a formal advisory identifying health care fraud as a current illicit finance risk affecting federal and state benefit programs. The advisory signals that suspicious activity tied to medical billing, health care service providers, laboratories, pharmacies, telemedicine arrangements, durable medical equipment suppliers, home health actors, management companies, and related intermediaries should be evaluated through a BSA lens, not merely as customer due diligence anomalies.

From a practical compliance perspective, the advisory matters because it reinforces three expectations. First, institutions should calibrate transaction monitoring to detect financial patterns associated with program fraud and laundering of fraud proceeds. Second, investigators should connect customer profile information, account activity, and counterparties in a way that distinguishes legitimate high-volume reimbursement flows from activity suggestive of fabricated claims or kickback arrangements. Third, where facts support concern, SAR narratives should clearly describe the suspected scheme, the role of public-benefit funds, and the movement of proceeds through individuals and entities. FinCEN has therefore provided both a risk signal and an examination signal.

What the Regulator Issued

FinCEN published Advisory FIN-2026-A001 under the subject line FinCEN Advisory on Health Care Fraud Schemes Targeting Medicare, Medicaid, and Other Federal and State Health Care Benefit Programs. Even from the agency’s summary page alone, the scope is clear: the advisory is directed at financial institutions that may encounter proceeds generated by fraud against public health care programs.

That framing is important. FinCEN advisories are not regulations, but they routinely communicate enforcement priorities, typologies, red flags, and SAR-reporting expectations. In practice, they influence how examiners assess suspicious activity identification, escalation, and narrative quality. When FinCEN singles out a category of fraud in an advisory, institutions should assume that investigators, exam teams, and law enforcement partners will expect stronger sensitivity to related transaction patterns.

The title of this advisory also indicates a broad coverage model. It is not confined to one program or one scheme type. By referencing Medicare, Medicaid, and other federal and state health care benefit programs, FinCEN is signaling risk across multiple reimbursement channels and payment ecosystems. That breadth matters for institutions serving provider groups, physician organizations, telehealth companies, billing vendors, staffing firms, pharmacies, and businesses that may not initially appear to be health care companies but touch reimbursement flows indirectly.

Why It Matters

For attorneys and compliance officers, the advisory should be read as a reminder that health care fraud often has a recognizable financial footprint before, during, or after a criminal investigation becomes public. Fraud proceeds may arrive through government or managed-care reimbursements, then disperse rapidly to related parties, marketing firms, recruiters, consultancies, cash withdrawals, check activity, or international transfers. The operational challenge is that many of those payment types also exist in legitimate health care businesses. The legal challenge is making defensible risk distinctions without over-filing or under-escalating.

Several implications follow. Customer risk assessments may need to account more precisely for exposure to public health care program funds, third-party billing structures, and opaque ownership or control arrangements. Monitoring scenarios may need refinement where an institution banks entities with unusual reimbursement concentration, abrupt spikes in revenue, inconsistent payroll or operating expense patterns, heavy payments to individuals with unclear business purpose, or layered transfers among affiliated entities. Enhanced due diligence may also need to focus less on customer labels and more on actual payment mechanics, business lines, and counterparties.

The advisory is also relevant because it sits at the intersection of AML compliance, sanctions-style typology discipline, and ordinary fraud-risk governance. Institutions often separate fraud operations, AML investigations, and relationship management. That division can obscure the full picture. A suspicious billing-related pattern that appears modest in one system may become far more significant when combined with onboarding representations, beneficial ownership information, negative news, law enforcement requests, or repeated returns and chargebacks. FinCEN is effectively reminding institutions that proceeds tracing and suspicious activity reporting remain core responsibilities even where the underlying misconduct originates in the health care reimbursement process.

Practical Action Checklist

1. Map exposure. Identify customer segments that receive, process, or route funds connected to Medicare, Medicaid, or similar federal and state benefit programs.
2. Refresh risk assessments. Revisit product, customer, channel, and geographic risk factors for providers, billing companies, pharmacies, telemedicine participants, and management-service entities.
3. Review monitoring logic. Test whether current scenarios capture abrupt reimbursement spikes, pass-through behavior, rapid funds dispersion, related-party transfers, and payment patterns inconsistent with stated operations.
4. Strengthen investigative playbooks. Give AML investigators decision trees for analyzing health care reimbursement activity, including what business records or explanations are reasonably obtainable.
5. Improve customer understanding. For higher-risk health care customers, confirm business purpose, revenue sources, contracting structure, beneficial ownership, and use of third-party marketers or recruiters.
6. Coordinate internal functions. Align AML, fraud, operations, and relationship teams so unusual payment activity is not reviewed in silos.
7. Sharpen SAR narratives. When filing is warranted, describe the apparent scheme, the involved entities and individuals, the role of benefit-program funds, and the transaction path with specificity.
8. Document governance. Record advisory-driven tuning decisions, rejected alternatives, and training updates so the institution can explain its response during examination.
9. Train targeted staff. Relationship managers and investigators handling health care customers should understand common indicators of fraudulent billing and proceeds movement.
10. Escalate repeat patterns. Where multiple customers, common counterparties, or repeated payment routes suggest a network rather than an isolated anomaly, treat that as a higher-order risk issue.

Open Questions and Watch Items

Institutions should watch for further FinCEN or interagency materials that add red flags, keywords, or SAR-reporting instructions specific to this advisory. The advisory page confirms issuance date and subject matter, but institutions will want to monitor whether FinCEN, DOJ, HHS-OIG, CMS, or state authorities begin emphasizing coordinated enforcement tied to the same typologies. That could affect how aggressively institutions review historical activity, whether they expand lookback periods, and how they define escalation thresholds for health care-related accounts.

There are also unresolved implementation questions that matter in practice. How much transactional irregularity is enough before a legitimate but poorly documented provider relationship becomes a SAR matter? How should institutions treat businesses adjacent to health care delivery, such as marketing, staffing, management, and call-center companies, when those entities sit near reimbursement flows but do not submit claims themselves? And to what extent will examiners expect retrospective tuning validation after this advisory? Counsel and compliance leaders should address these questions now, because the difficult cases will arise at the margins, not in the obvious shell-company fact pattern.

My Law Tampa advises financial institutions, compliance teams, and other regulated businesses on the legal and operational consequences of federal anti-money laundering guidance, examination risk, and suspicious activity reporting expectations. In the context of FIN-2026-A001, the central task is translating a broad fraud warning into a concrete, documented compliance response that is proportionate to the institution’s customer base, products, and transaction profile.

This memorandum is provided for general informational purposes and does not create an attorney-client relationship. Institutions should evaluate FinCEN Advisory FIN-2026-A001 in light of their own risk assessments, customer populations, and existing BSA controls, and should obtain legal advice before making material changes to monitoring, escalation, or SAR-governance practices.

Source Materials

• Official publication: FIN-2026-A001
• Regulator archive: FINCEN memo archive
• Memo library: browse the full regulatory memo archive