Managing restrictions
This guide explains how to apply, update, and lift account restrictions using Griffin's API. Restrictions let you programmatically freeze or block accounts to manage financial crime, fraud incidents, law enforcement requests, and operational workflows with Griffin.
Overview
Griffin provides two types of account restrictions:
- Freeze: Prevents outbound payments. Inbound payments can still be received.
- Block: Prevents both inbound and outbound payments.
Restrictions can be applied to accounts at any point in their lifecycle (opening, open, closing, or closed), and accounts can be instructed to close even while restricted.
Prerequisites
- The user applying restrictions must have the Manage accounts role
- You must have the bank account URL for the account you want to restrict
Understanding restriction requirements
Every restriction action requires four pieces of information. Reason codes and legal statuses are important for managing operational workflows between Griffin and you, and determine how deposits are treated in the event of the FSCS process being run.
1. Restriction type
| Restriction type | Inbound payments | Outbound payments |
|---|---|---|
freeze | ✓ | ✗ |
block | ✗ | ✗ |
2. Reason code
This helps categorise and track why restrictions are applied and supports the management of SLAs.
| Code | Description | You can apply | You can remove | Visible to you |
|---|---|---|---|---|
customer-request | Account holder requested temporary restriction pending further instruction. | ✓ | ✓ | ✓ |
deceased | Account holder confirmed deceased. Restricted pending estate administration and legal authority verification. | ✓ | ✓ | ✓ |
dormant | Account holder has been inactive, no customer-initiated transactions for 2+ years. | ✓ | ✓ | ✓ |
fraud-1st-party | Account holder is suspected perpetrator committing fraud against Griffin or third parties. | ✓ | ✓ | ✓ |
fraud-3rd-party | Account holder is victim of account takeover by unauthorised party. | ✓ | ✓ | ✓ |
fraud-app-perpetrator | Account holder is perpetrator receiving fraudulent payments from victims they have deceived. | ✓ | ✓ | ✓ |
fraud-app-victim | Account holder is victim tricked into authorising payments to fraudulent recipient. | ✓ | ✓ | ✓ |
griffin-decision | Restriction applied following internal risk assessment, policy breach, or operational requirement. | ✗ | ✗ | Limited* |
law-enforcement | Account restricted following law enforcement request, court order, or legal obligation. | ✓ | If you applied it | Limited* |
money-laundering | Suspected money laundering detected. Restricted pending investigation and regulatory reporting obligations. | ✓ | If you applied it | ✓ |
other | Restrictions applied for reasons not covered by standard categories. | ✓ | ✓ | ✓ |
risk-appetite | Account activity exceeds risk appetite thresholds. Restricted pending review or remediation. | ✓ | ✓ | ✓ |
sanctions | Account holder or associated party identified on a sanctions list or subject to a sanctions designation. Restricted pending investigation. | ✓ | If you applied it | Limited* |
terrorist-financing | Account holder suspected terrorist financing. Restricted pending investigation and regulatory reporting obligations. | ✓ | If you applied it | Limited* |
* When restrictions use griffin-decision, or when law-enforcement, sanctions, or terrorist-financing are applied by Griffin, restriction details (type, reason code, and legal status) are withheld.
3. Legal status
Indicates the legal context of the restriction:
| Code | Description | When to use |
|---|---|---|
suspected | Restriction due to suspicion of offence. No formal charges filed. | Investigation stage before any charges |
formal-charge-filed | Customer formally charged with an offence. Legal proceedings active, no verdict reached. | Charges filed, awaiting verdict |
conviction-confirmed | Customer convicted of an offence. Legal proceedings concluded with a guilty verdict. Deposits connected with the conviction are ineligible for FSCS compensation. | After conviction |
not-applicable | Legal status not applicable. | Customer requests, dormant accounts, etc. |
4. Notes
Always required to provide context for the application, update and removal of a restriction to support investigation and provide a complete view of the restriction event.
Applying a restriction
To apply a freeze or block to a bank account, make a POST request to the account's restrictions endpoint:
curl "https://api.griffin.com/v0/bank/accounts/{account-id}/restrictions" \
-X 'POST' \
-H "Authorization: GriffinAPIKey $GRIFFIN_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"restriction-type": "freeze",
"restriction-legal-status": "suspected",
"restriction-reason-code": "customer-request",
"notes": "Customer requested account freeze while travelling abroad"
}'
A successful response will return the restriction details:
{
"bank-account-restriction-url": "/v0/bank/account-restrictions/restr.xyz789",
"restriction-type": "freeze",
"restriction-status": "active",
"restriction-legal-status": "suspected",
"restriction-reason-code": "customer-request",
"created-at": "2026-01-22T15:30:00Z",
"restriction-applied-by": {
"restriction-applied-by-type": "user",
"user-url": "/v0/users/ur.abc123",
"user-username": "jane.doe@example.com"
},
"account-url": "/v0/bank/accounts/ba.abc123",
"bank-account-restriction-events-url": "/v0/bank/account-restrictions/restr.xyz789/events",
"update-bank-account-restriction-url": "/v0/bank/account-restrictions/restr.xyz789/actions/update",
"lift-bank-account-restriction-url": "/v0/bank/account-restrictions/restr.xyz789/actions/lift"
}
Viewing restrictions
List all restrictions on an account
To view all restrictions (both active and inactive) on a bank account:
curl "https://api.griffin.com/v0/bank/accounts/{account-id}/restrictions" \
-H "Authorization: GriffinAPIKey $GRIFFIN_API_KEY"
Filter for active restrictions only
To view only active restrictions:
curl "https://api.griffin.com/v0/bank/accounts/{account-id}/restrictions?filter[restriction-status][eq]=active" \
-H "Authorization: GriffinAPIKey $GRIFFIN_API_KEY"
Check restriction status on account
When retrieving a bank account, the response includes restriction information:
{
"account-url": "/v0/bank/accounts/ba.abc123",
"account-status": "open",
"account-restricted": true,
"restrictions-url": "/v0/bank/accounts/ba.abc123/restrictions",
...
}
The account-restricted field indicates whether the account currently has any active restrictions.
Updating a restriction
As investigations progress, you can update restriction details. Notes are always required; you can also optionally change the restriction type, reason code, and legal status:
curl "https://api.griffin.com/v0/bank/account-restrictions/{restriction-id}/actions/update" \
-X 'POST' \
-H "Authorization: GriffinAPIKey $GRIFFIN_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"restriction-type": "block",
"notes": "Escalating from freeze to block following further investigation"
}'
Lifting a restriction
When an investigation concludes or the restriction is no longer needed, you can lift it:
curl "https://api.griffin.com/v0/bank/account-restrictions/{restriction-id}/actions/lift" \
-X 'POST' \
-H "Authorization: GriffinAPIKey $GRIFFIN_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"notes": "Customer returned from travel, restriction no longer needed"
}'
A successful response returns the restriction with its status updated to lifted:
{
"bank-account-restriction-url": "/v0/bank/account-restrictions/restr.xyz789",
"restriction-type": "freeze",
"restriction-status": "lifted",
"restriction-legal-status": "suspected",
"restriction-reason-code": "customer-request",
"created-at": "2026-01-22T15:30:00Z",
"restriction-applied-by": {
"restriction-applied-by-type": "user",
"user-url": "/v0/users/ur.abc123",
"user-username": "jane.doe@example.com"
},
"account-url": "/v0/bank/accounts/ba.abc123",
"bank-account-restriction-events-url": "/v0/bank/account-restrictions/restr.xyz789/events"
}
Restriction events
The bank account events API described in this section is not officially supported and will be replaced by the events API and webhooks in a future release. It is available for use but may change without notice.
Each restriction action (apply, update, lift) generates a bank account event. You can list events for a specific restriction or for an entire account.
List events for a restriction
Each restriction response includes a bank-account-restriction-events-url. Use it to list events for that restriction:
curl "https://api.griffin.com/v0/bank/account-restrictions/{restriction-id}/events" \
-H "Authorization: GriffinAPIKey $GRIFFIN_API_KEY"
List events for an account
To list all bank account events across all restrictions on an account:
curl "https://api.griffin.com/v0/bank/accounts/{account-id}/events" \
-H "Authorization: GriffinAPIKey $GRIFFIN_API_KEY"
Event types
Events have a bank-account-event-type field indicating the action that occurred:
restriction-applied— a restriction was created. Includesrestriction-type,restriction-reason-code,restriction-legal-status,notes, andrestriction-applied-by.restriction-updated— a restriction was modified. Always includesnotesandrestriction-updated-by. Only includesrestriction-type,restriction-reason-code, andrestriction-legal-statusif they were changed — omitted fields were left unchanged.restriction-lifted— a restriction was lifted. Includesnotesandrestriction-lifted-by.
For redacted restrictions (see the visibility rules above), events omit detail fields such as restriction-type, restriction-reason-code, restriction-legal-status, and notes.
Example restriction-applied event:
{
"bank-account-event-url": "/v0/bank/account-events/ev.abc123",
"bank-account-event-type": "restriction-applied",
"bank-account-restriction-url": "/v0/bank/account-restrictions/restr.xyz789",
"account-url": "/v0/bank/accounts/ba.abc123",
"system-time": "2026-01-22T15:30:00Z",
"valid-time": "2026-01-22T15:30:00Z",
"restriction-type": "freeze",
"restriction-reason-code": "customer-request",
"restriction-legal-status": "suspected",
"notes": "Customer requested account freeze while travelling abroad",
"restriction-applied-by": {
"restriction-applied-by-type": "user",
"user-url": "/v0/users/ur.abc123",
"user-username": "jane.doe@example.com"
}
}
Example restriction-updated event (escalating from freeze to block):
{
"bank-account-event-url": "/v0/bank/account-events/ev.def456",
"bank-account-event-type": "restriction-updated",
"bank-account-restriction-url": "/v0/bank/account-restrictions/restr.xyz789",
"account-url": "/v0/bank/accounts/ba.abc123",
"system-time": "2026-01-25T10:00:00Z",
"valid-time": "2026-01-25T10:00:00Z",
"restriction-type": "block",
"notes": "Escalating from freeze to block following further investigation",
"restriction-updated-by": {
"restriction-updated-by-type": "user",
"user-url": "/v0/users/ur.abc123",
"user-username": "jane.doe@example.com"
}
}
Example restriction-lifted event:
{
"bank-account-event-url": "/v0/bank/account-events/ev.ghi789",
"bank-account-event-type": "restriction-lifted",
"bank-account-restriction-url": "/v0/bank/account-restrictions/restr.xyz789",
"account-url": "/v0/bank/accounts/ba.abc123",
"system-time": "2026-02-01T09:15:00Z",
"valid-time": "2026-02-01T09:15:00Z",
"notes": "Investigation concluded, restriction no longer needed",
"restriction-lifted-by": {
"restriction-lifted-by-type": "user",
"user-url": "/v0/users/ur.abc123",
"user-username": "jane.doe@example.com"
}
}
Layering and control model
Multiple concurrent restrictions
- Both you and Griffin can apply separate restrictions to the same account simultaneously
- Each restriction operates independently — lifting one doesn't affect others
Control hierarchy
Griffin-only restrictions: Some reason codes (e.g., griffin-decision) can only be applied and lifted by Griffin
Shared control: Most restrictions can be lifted by either you or Griffin
Griffin ultimate control: Griffin maintains ultimate override authority on all accounts
Transitioning between states
You can transition an account restriction from freeze to block and vice versa as well as transition between reason codes as investigations or cases progress.