Client Alert: Are You Unwittingly Facilitating Ransomware Payments? Take Steps to Help Your Institution Avoid Unintentional OFAC Violations
FinCEN & OFAC Issue Ransomware Guidance
Ransomware incidents continued to make headlines in 2021. In May, Colonial Pipeline suffered a ransomware incident, causing the company to suspend its operations. Millions of motorists on the East Coast were impacted as the shutdown caused widespread gas shortages. Colonial Pipeline ultimately paid a $4.4 million cryptocurrency ransom to the threat actors, a good portion of which was recovered by the Department of Justice.
East Coast commuters and the media were not alone in taking note of increased ransomware attacks. Some well-known companies have suffered widely publicized ransomware attacks, and the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) both issued guidance to financial institutions regarding their roles and responsibilities in facilitating ransomware payments. The takeaway:
Financial institutions may be held responsible for facilitating their clients' payments of ransomware.
Processing ransomware payments is typically a multi-step process that involves at least one depository institution, and one or more entities directly or indirectly facilitating victim payments. Most ransomware schemes involve some form of cryptocurrency, the preferred payment method of ransomware perpetrators. Following the delivery of the ransom demand, a ransomware victim will typically transmit funds via wire transfer, automated clearinghouse, or credit card payment to a cryptocurrency exchange or other third party, in order to purchase the type and amount of cryptocurrency specified by the ransomware perpetrator.
Movement of CVC1 in Ransomware Incidents
Although its role may be relatively limited, a financial institution is potentially liable if the customer ultimately transfers cryptocurrency purchased with funds from the institution to a threat actor on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), or to other blocked persons and those covered by comprehensive country or region embargoes. OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable, even if such person did not know (or have reason to know) that it engaged in a transaction that was prohibited under sanctions laws and regulations administered by OFAC.
All Banks Should Implement A Risk-Based Compliance Program
OFAC encourages financial institutions and other companies to implement a risk-based compliance program, the existence of which may mitigate any potential civil penalty. When establishing a compliance program, financial institutions should focus on a few key areas, including:
- Training: Advise management and/or the board of directors about potential sanctions risks, and train relevant compliance personnel about ransomware-related threats.
- Policies & Procedures: Create internal policies and procedures that describe: (i) the necessary steps to identify potential ransomware payments; (ii) the information it will collect from the customer; and (iii) how to ensure that sanctioned individuals or entities are not involved. The financial institution should convey its policy to customers, and disseminate the questionnaire to customers suspected of making ransomware payments.
- Reporting: Be prepared to file Suspicious Activity Reports (SARs) or report potential payments to OFAC. When doing so, be cognizant of both the OFAC and FinCEN guidance describing how to prepare and submit such reports.
We Can Help You
The Barack Ferrazzano Financial Institutions Group routinely advises our clients on OFAC and FinCEN regulations and compliance. We have prepared policies, procedures, and questionnaires to address these specific issues, and can help your institution assess its risks and identify potential ransomware payments. If you would like to discuss your ransomware and OFAC compliance program, our attorneys are happy to help.
Justin C. Steffen is a nationally recognized FinTech and cryptocurrency attorney who helps financial institutions navigate the legal and regulatory obstacles to innovation. Justin regularly advises clients on the intersection of technology and the law, including on issues related to cryptocurrency, licensing, and regulation.
John M. Geiringer is a nationally recognized banking attorney who advises financial institutions on regulatory, governance, and investigative matters. John regularly provides focused training sessions to boards and management on a wide range of legal and risk management topics.
1 “CVC” means convertible virtual currency, another term for cryptocurrency. Image Source: FinCEN Advisory FIN-2021-A004, “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” (November 8, 2021).