FinCEN & OFAC Issue Ransomware Guidance

Ransomware incidents continued to make headlines in 2021. In May, Colonial Pipeline suffered a ransomware incident that caused the company to suspend pipeline operations. Millions of motorists on the East Coast were affected as the shutdown produced widespread gas shortages. Colonial Pipeline ultimately paid a $4.4 million cryptocurrency ransom to the threat actors, roughly half of which (about $2.3 million) the Department of Justice later recovered.

East Coast commuters and the media were not alone in taking note of the increase in ransomware attacks. After a series of widely publicized incidents at well-known companies, the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) each issued guidance to financial institutions on their roles and responsibilities when a customer's funds are used to pay a ransom. The takeaway:

Financial institutions may be held responsible for facilitating their clients' ransomware payments.

Processing a ransomware payment is typically a multi-step process that involves at least one depository institution and one or more entities that directly or indirectly facilitate the victim's payment. Most ransomware schemes involve some form of cryptocurrency, the preferred payment method of ransomware perpetrators. After receiving the ransom demand, the victim will typically send funds by wire transfer, Automated Clearing House (ACH) transfer, or credit card payment to a cryptocurrency exchange or other third party in order to purchase the type and amount of cryptocurrency specified by the perpetrator, and then transfer that cryptocurrency to the perpetrator's wallet.

Figure: Movement of CVC in ransomware incidents (image not reproduced; see note 1 for the source).

Even though its role may be limited to funding the customer's purchase of cryptocurrency, a financial institution is potentially liable if the customer ultimately transfers cryptocurrency purchased with funds from the institution to a threat actor on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), to other blocked persons, or to persons covered by a comprehensive country or region embargo. OFAC may impose civil penalties for sanctions violations on a strict-liability basis, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know, or have reason to know, that it engaged in a transaction prohibited under the sanctions laws and regulations OFAC administers.

All Banks Should Implement A Risk-Based Compliance Program

OFAC encourages financial institutions and other companies to implement a risk-based compliance program; the existence of such a program is a mitigating factor that may reduce any civil penalty. OFAC's 2021 ransomware advisory also identifies a company's prompt, self-initiated report of an attack to law enforcement and its ongoing cooperation with law enforcement as significant mitigating factors. When establishing a compliance program, financial institutions should focus on a few key areas, including:

  • Training: Advise management and the board of directors about potential sanctions risks, and train relevant compliance personnel to recognize ransomware-related threats and payment patterns.
  • Policies & Procedures: Create internal policies and procedures that describe: (i) the steps for identifying a potential ransomware payment; (ii) the information the institution will collect from the customer; and (iii) how the institution will confirm that no sanctioned individual or entity is involved. The institution should convey its policy to customers and provide a ransomware-payment questionnaire to any customer suspected of making such a payment.
  • Reporting: Be prepared to file Suspicious Activity Reports (SARs) and, where appropriate, to report potential payments to OFAC. When doing so, follow the OFAC and FinCEN guidance on how to prepare and submit such reports, and include in the SAR narrative any available technical indicators requested by FinCEN, such as the ransomware variant, virtual currency wallet addresses, and transaction hashes.

We Can Help You

The Barack Ferrazzano Financial Institutions Group routinely advises clients on OFAC and FinCEN regulations and compliance. We have prepared policies, procedures, and questionnaires that address these specific issues, and we can help your institution assess its risks and identify potential ransomware payments. If you would like to discuss your ransomware and OFAC compliance program, our attorneys are happy to help.

Justin C. Steffen is a nationally recognized FinTech and cryptocurrency attorney who helps financial institutions navigate the legal and regulatory obstacles to innovation. Justin regularly advises clients on the intersection of technology and the law, including on issues related to cryptocurrency, licensing, and regulation.

John M. Geiringer is a nationally recognized banking attorney who advises financial institutions on regulatory, governance, and investigative matters. John regularly provides focused training sessions to boards and management on a wide range of legal and risk management topics.


1 “CVC” means convertible virtual currency, another term for cryptocurrency. Image Source: FinCEN Advisory FIN-2021-A004, “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” (November 8, 2021).
