[co-author: Kristen Bartolotta]
On October 15, 2021 the Financial Crimes Enforcement Network (FinCen) of the Treasury Department issued a financial trend analysis on ransomware relating to Bank Secrecy Act (BSA) reporting filed in the first half of this year. FinCEN examined ransomware-related Suspicious Activity Reports (SARs) filed between January 1 and June 30, 2021, which included a total of 635 reports and 458 confirmed transactions that, compiled, total over $590 million in suspected ransom payments. This number reflects a 42% increase from the total ransomware payments identified by FinCEN in all of 2020. If this trend continues, FinCEN estimates a higher ransomware-related transaction value in the SARs filed in 2021 than the last ten years combined. This likely reflects not only the increasing prevalence of ransomware year after year but also advances in detection and improved reporting of incidents by covered financial institutions. Notably, the Biden Administration has released various guidance and advisories with the goal of promoting reporting of ransomware-related events and stopping criminal activity.
FinCEN found that ransomware payments are often made using virtual currency – most commonly, Bitcoin. As such, Treasury’s Office of Foreign Assets Control (OFAC) released guidance in coordination with the FinCEN report addressing how financial institutions can incorporate virtual currencies in their sanctions compliance programs. In this guidance, OFAC reminds members of the virtual currency industry that they are responsible for ensuring that they do not engage, directly or indirectly, in transactions prohibited by OFAC sanctions. This includes avoiding all dealings with blocked persons or property, engaging in prohibited trade- or investment-related transactions, or dealing with comprehensively sanctioned countries. OFAC also highlights that appropriately managing and addressing sanctions risks will be significant in OFAC’s consideration of the appropriate outcome in enforcement actions should they occur. Even victims of ransomware attacks must therefore consider such risks when determining how to proceed in responding to ransomware attacks.