top of page
Typographic Black and Blue.png

Meta Ad Account Flagged 'Unusual Login Activity' After Agency Handover: How to Recover Safely

You fired the agency on Friday. Took back admin access on Saturday. By Monday, Meta has flagged the account for 'unusual login activity from new locations' and paused all campaigns. Spend is frozen. The agency still has session cookies on their machines. Customer support is asking you to verify the agency that you just let go.


Agency handovers are the most common trigger for login-anomaly flags on Indian D2C accounts. Done wrong, they can lock you out for 7-14 days. Done right, you're back to live spend in 48 hours.


First: Confirm It's a Login Flag, Not a Policy Flag


Both look similar in Account Quality but require completely different responses.


  • 'Unusual login activity' — security signal, the account is paused for verification.

  • 'Account requires identity verification' — broader trigger, often unrelated to handover.

  • 'Suspicious payment activity' — financial flag, requires re-verifying the billing method.


Open Account Quality. The exact phrase determines your response. This article handles the first case.


The Root Causes of Handover-Triggered Flags


Seven patterns trip Meta's anomaly detector during handovers.


  1. Multiple admins logging in simultaneously from different cities — old agency in Bangalore, new team in Mumbai, founder in Hyderabad.

  2. IP address rotation — agencies often use VPNs or shared workspaces, founders use home connections.

  3. Device fingerprint mismatch — agencies use desktops, new team uses laptops/mobiles.

  4. Time zone anomaly — sudden change in active hours after the handover.

  5. Admin role changes — adding/removing admins inside 48 hours.

  6. Payment method changes combined with admin changes — Meta's highest-confidence fraud signal.

  7. Page access changes — un-linking and re-linking Facebook Pages during the handover.


The Safe 7-Day Handover Sequence


Run the handover slowly, in order. Don't compress the timeline.


Day 0 (Pre-handover): Document Current State


  • Export Business Manager admin list with roles.

  • Export ad account admin list.

  • Note Page ownership and roles.

  • Screenshot Account Quality, Business Verification status, and pixel ownership.

  • Note payment methods on file.


Days 1-2: Add New Admins, Don't Remove Old Ones


  • Add the new team as admins on the Business Manager.

  • Add the same individuals to the ad account at admin level.

  • Have them log in once and accept invitations from a stable Indian IP.

  • Do not touch the agency's access yet.


Days 3-5: Run Parallel


  • Let both teams have access. New team observes, runs no actions.

  • Continue normal campaign management with no disruption.

  • Build comfort with Account Quality, Events Manager, billing.


Days 6-7: Demote, Don't Delete


  • Downgrade agency admins to Analyst (read-only).

  • Wait 48 hours.

  • Then remove agency access entirely.

  • Change Business Manager 2FA settings to require admin approval for new logins.


If You Already Got Flagged: The Recovery Path


Don't panic-edit. Each rapid change adds another anomaly signal.


  1. Stop making changes. Freeze admin list, payment method, and Page settings for 24 hours.

  2. Re-verify the BM's identity owner through Business Settings > Security Center.

  3. Enable 2FA on every remaining admin if not already done.

  4. Submit identity verification if Meta is asking — government ID matches the BM's registered owner.

  5. Re-login from the same device + IP for 3-5 consecutive days to rebuild fingerprint trust.

  6. Wait for the flag to clear — typically 48-96 hours after the last admin change.


What Not to Do During Recovery


These actions often re-trigger the flag and extend the lockout.


  • Don't add new admins while flagged. Wait until clear.

  • Don't change the payment method while flagged.

  • Don't enable Advantage+ Shopping campaigns mid-recovery — they require fresh delivery permissions.

  • Don't reset Business Verification documents — submission resets the 30-day review clock.

  • Don't appeal repeatedly. One appeal, then wait.


The Long-Term Handover Hygiene


After every recovery, harden the account against future agency churn.


  • Make sure the founder is the BM owner, not just an admin. Owner role is unrecoverable if lost.

  • Use client BM with agency partner role, not the other way around. The agency should never own the BM.

  • Keep payment methods on the brand's bank account, not the agency's.

  • Document who has access to the Facebook Page and pixel — these are often forgotten.


How Wittelsbach AI Eliminates the Agency Handover Risk


Bach AI is your in-house operator. No agency access required. The founder owns the BM, Bach AI runs the campaigns. Two clicks to connect Meta, no handover handoffs, no admin churn. Bach AI is live at [app.wittelsbach.ai](https://app.wittelsbach.ai). Two clicks to connect Meta.


See our take on [replacing your growth team](https://www.wittelsbach.ai/post/replace-your-five-person-growth-team-with-one-ai-marketing-platform) for the structural argument.


Frequently Asked Questions


How long does the 'unusual login activity' flag take to clear on Meta?


Typically 48-96 hours once you stop making changes. The flag clears automatically when Meta's anomaly model sees stable login patterns for 3-5 days. If you keep modifying admins, payment methods, or pages, the clock resets each time. The fastest recovery is silence — make no changes for 5 days, log in only from one trusted device, and let the model recalibrate.


Can the old agency lock me out after I remove their access?


Only if they were the BM owner, which is the critical reason founders should always be the owner. If the agency held only admin or partner roles, removing them gives the founder full control. If the agency was the owner, recovery requires submitting an ownership dispute through Meta Business Help, which can take 30-60 days and requires GST documents, entity proof, and prior invoices. Avoid this by structuring owner roles correctly upfront.


Should I change my Meta ad account password right after the agency handover?


There is no shared password for an ad account — admins log in with their personal Facebook credentials. What you can do: revoke session tokens for the agency's Facebook users by removing them from the BM. They lose access instantly. Founder password rotation is unrelated to handover and shouldn't be triggered by it. Focus on access permissions, not passwords.


Do I need to inform Meta before an agency handover?


No, and informing them via a support ticket doesn't prevent the auto-flag. Meta's anomaly detection runs purely on signal patterns. The only way to soften it is by doing the handover slowly — parallel access for 5-7 days, gradual role downgrades, then removal. A clean, slow handover rarely flags. A fast cutover almost always does.


Can I use the same payment method when the agency is removed?


Yes, if the payment method is on the brand's card or bank account. If the agency was paying through their own card and billing back, change the payment method before removing their access, not after. Payment method changes plus admin removal within the same 48 hours is the strongest fraud signal Meta detects. Stagger by 7-10 days minimum.

Comments

bottom of page