October is National Cybersecurity Awareness Month, and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”) kicked off the month by issuing two advisories that aim to increase cybersecurity awareness, assist financial institutions in detecting and reporting ransomware activity, and highlight potential sanctions risks for facilitating ransomware payments.

The FinCEN and OFAC advisories signal the seriousness with which the Department of Treasury treats the threat of cybercriminals and ransomware attacks. Both FinCEN and OFAC have now squarely placed an obligation on financial institutions and other payment intermediaries to put procedures in place to detect ransomware payments and to restrict payments to blocked individuals. It appears FinCEN and OFAC want to make sure cybercrime does not pay by cutting off cybercriminals’ access into the financial system.

While both FinCEN and OFAC have offered guidance to financial institutions formulating policies and procedures for deciding whether to process or report payment requests that may be connected to ransomware attacks, OFAC has also offered a warning: facilitating ransomware payments may lead to an enforcement action and civil penalties. Given the growing national security concerns associated with ransomware attacks, the advisories rightly encourage financial institutions and other payment intermediaries that facilitate ransomware payments to share information via Suspicious Activity Reports (“SARs”) and to fully cooperate with law enforcement during and after ransomware attacks.

The FinCEN Advisory

The FinCEN advisory—entitled Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments—discusses four topics: (1) the role of financial intermediaries in ransomware payments, (2) ransomware trends and typologies, (3) ransomware-related financial red flags, and (4) reporting and sharing of information related to ransomware attacks.

1. Financial Intermediaries and Ransomware Payments – The financial sector plays a crucial role in the collection and payment of ransomware demands by malicious cyber actors. The complexity and prevalence of ransomware attacks, as the advisory observes, has led to the creation of specialized companies such as digital forensic and incident response companies (“DFIRs”) and cyber insurance companies (“CICs”) that provide protection and mitigation services for ransomware victims, including paying convertible virtual currency (“CVC”) such as Bitcoin. Some DFIRs and CICs facilitate ransomware payments to cybercriminals by directly receiving customers’ fiat funds, exchanging them for CVC, and then transferring the CVC to criminal-controlled accounts. Depending on the particular facts and circumstances, this activity could constitute money transmission, which requires registration with FinCEN as a money service business (“MSB”) subject to Bank Secrecy Act (“BSA”) obligations, including the filing of suspicious activity reports (“SARs”). Moreover, FinCEN warns that facilitating ransomware payments on behalf of ransomware victims may implicate OFAC-administered sanctions.
2. Ransomware Trends and Typologies – FinCEN identifies trends and typologies of ransomware payments across various sectors. The advisory notes that cbyercriminals are increasingly engaging in sophisticated ransomware operations such as “big game hunting” schemes that target larger enterprises to demand bigger payouts, double extortion schemes that involve removing sensitive data from targeted networks and encrypting the system files and demanding ransom, and requiring anonymity-enhanced cryptocurrencies (“AECs”) to reduce transparency. FinCEN recommends proactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency as a best defense against ransomware attacks.
3. Financial Red Flags – The advisory highlights 10 financial red flags that evidence potential ransomware-related payments. Red flags include, among other things, a customer disclosing payment is being made as a result of ransomware, a DFIR or CIC receiving or sending funds, or a customer with little or no experience with CVC suddenly initiating a transaction with a CVC exchange. And financial institutions should not only be on the lookout for red flags associated with potential ransomware-related payments coming from victims. FinCEN also warns financial institutions that rapid trades between CVCs with no apparent purpose, especially if the CVC is an AEC, could be a red flag of a cybercriminal receiving and masking a ransomware payment. While no single red flag is determinative of ransomware activity, FinCEN states that each should be considered in the context of the facts and circumstances of a transaction.
4. Reporting Suspicious Activity – To assist in reporting ransomware attacks, FinCEN “strongly encourages” information sharing among financial institutions pursuant to section 314(b) of the USA PATRIOT Act where a transaction is suspected of involving terrorist financing or money laundering, and urges financial institutions to file SARs in order to protect the U.S. financial system from ransomware threats. To that end, FinCEN has asked financial institutions who believe a transaction relates to ransomware to include a note, “CYBER-FIN-2020-A006,” so that FinCEN can better track SARs reporting ransomware transactions.

OFAC Advisory

The OFAC advisory—entitled Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments— highlights the threat that ransomware poses to U.S. national security interests and details the sanctions risks associated with facilitating ransomware payments.

The International Emergency Economic Powers Act (“IEEPA”) and the Trading with the Enemy Act (“TWEA”) generally prohibit U.S. persons from engaging in transactions with persons on OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”), other blocked persons, and persons covered by comprehensive country or region embargoes.

OFAC’s cyber-related sanctions program has been used to identify malicious cyber actors, including perpetrators of ransomware attacks. U.S. persons, including financial institutions, that facilitate payment of ransomware demands to sanctioned cyber actors are in violation of U.S. sanctions and may be subject to OFAC enforcement action. Non-U.S. persons facilitating such payments through the U.S. financial system may also be exposed to OFAC enforcement action.

The OFAC advisory makes clear that sanctions laws extend to financial institutions as well as companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses).” In other words, financial institutions, CICs, and DFIRs may be subject to civil penalties if they facilitate payments to blocked persons, whether on the SDN list or covered by an embargo. Although OFAC notes that it will consider licensing for ransomware payments on a case-by-case basis, but it reviews those requests “with a presumption of denial.”

OFAC encourages financial institutions and companies that engage with ransomware victims to adopt risk-based sanctions compliance programs that account for the risk that a ransomware payment may involve an SDN or blocked person, a comprehensively embargoed jurisdiction, or nation-state actors that have a nexus to U.S. sanctions, such as Russia or North Korea. Finally, OFAC encourages companies to provide law enforcement with a “self-initiated, timely, and complete report of a ransomware attack” and to fully cooperate with law enforcement during and after a ransomware attack. These steps not only help financial institutions, CICs, and DFIRs avoid unlawful payments, but—if a violation occurs—will also be considered favorably in OFAC’s determination of a “possible enforcement outcome.”