On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory highlighting the sanctions compliance risks associated with ransomware payments tied to malicious cyber-enabled activities. OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions. Ransomware payments with a sanctions nexus threaten US national security interests; as a result, facilitating a ransomware payment on behalf of a victim may violate OFAC regulations.
The backdrop to the Advisory is the recent rise in ransomware-related cyberattacks cited by OFAC, especially during the COVID-19 pandemic.
Although the Advisory introduces no new compliance obligations, it amplifies the sanctions risk to companies whose business activities help facilitate ransomware payments from victims to cyber criminals. Impacted business activities include “cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses).” Because digital assets are generally the currency of choice for ransomware payments, Money Services Business (MSB) registrants such as digital asset trading platforms and specialized incident response businesses are typically the ones transmitting the ransom payment to the cyber criminal-controlled wallet address.
The Regulatory Gordian Knot
The Advisory creates a complex and potentially unsolvable problem for victims and their advisors: a victim of a criminal cyberattack may be unable to pay a ransom to cyber criminals designated by OFAC as Specially Designated Nationals (SDNs) without exposing itself to civil penalties from OFAC. Sanctions liability is strict: OFAC can impose such penalties even if the victim and its advisors did not know, or have reason to know, that they were engaged in a transaction with a person designated by OFAC.
Specific License requests are ordinarily reviewed on a “case-by-case basis”; however, OFAC has stated that it will review license applications for ransomware payments “with a presumption of denial.” OFAC’s concern is that such payments would “benefit illicit actors and [could] undermine the national security and foreign policy objectives of the United States.” Anyone considering this arena should therefore proceed cautiously, since OFAC approval of a Specific License will likely be rare.
The Advisory builds on a November 2018 OFAC action that, for the first time, included digital currency wallet addresses on the SDN list. OFAC recognizes that digital assets have been the currency of choice for ransomware payments, and that digital asset trading platforms and specialized incident response businesses have typically been the transmitters of ransom payments to cyber criminal-controlled wallet addresses.
It also aligns with recent Financial Crimes Enforcement Network (FinCEN) guidance, which clarified that key players supporting victims of ransomware attacks and payments, “including digital forensics and incident response companies (DFIRs) and cyber insurance companies (CICs),” may be engaged in money transmission and thus may be subject to regulation under the Bank Secrecy Act (BSA) and required to register as money services businesses.
OFAC’s Advisory underscores the importance of a financial institution’s (FI) due diligence and risk management processes in identifying DFIRs and CICs that are involved in facilitating payments to cyber criminals. An FI’s procedures should therefore: (1) subject DFIRs and CICs to Enhanced Due Diligence; and (2) determine whether the DFIR or CIC has controls commensurate with its risk, and assess whether it needs to be registered with FinCEN.
Independent of the DFIR or CIC, FIs should make their own assessment of the risk of every ransomware payment, including filing Suspicious Activity Reports with FinCEN where warranted. That independent assessment may lead the FI to stop all ransomware transactions to ensure that it is not indirectly facilitating a payment to a sanctioned individual or entity.
DFIRs and CICs should be aware that ransomware payment activity not only presents a very significant financial crime risk to themselves (and is strongly discouraged by OFAC), but also presents an existential threat to their current and future relationships with their FI partners (both bank and nonbank), who may sever banking ties or decline a relationship upon learning of this activity. DFIRs and CICs should therefore communicate openly with their FI partners so that those partners are aware of, and accept, the risk these transactions present.
Any DFIR or CIC engaged in ransomware payments should establish an aggressive, risk-based compliance program. This includes maintaining open lines of communication with OFAC and law enforcement, and not sending any payment to a cyber criminal without certainty that the payment does not involve a sanctioned individual or entity. To help avoid potential AML scrutiny, DFIRs and CICs should obtain permission via a Keep Open Request from law enforcement for themselves and their partners. DFIRs and CICs should also be aware that OFAC will consider a company’s full and timely cooperation with law enforcement, both during and after a ransomware attack, to be a significant mitigating factor when evaluating a possible enforcement outcome.
Finally, both before and after any payment to a cyber criminal, DFIRs and CICs are advised to research the threat actor thoroughly: use Open Source Intelligence, conduct specialized cyber-intelligence research to identify links to parties already on the SDN list, and, where payments are made in cryptocurrency, use blockchain analytics software. Such software identifies wallet addresses that appear on the SDN list, as well as potentially associated wallet addresses surfaced through the clustering function of blockchain analytics (for example, addresses that have been co-spent with a listed address, which is a common signal that a single party controls them).
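The following is an added illustration of the pre-payment screening step described above; it is not Guidehouse’s code or any commercial blockchain-analytics product. It screens a proposed destination address against a listed-address lookup, expands that lookup using the common-input-ownership clustering heuristic (addresses co-spent as inputs of one transaction are treated as controlled by one party), and flags one-hop exposure (an address paid directly by a listed cluster) for review. The SDN addresses and the transaction graph are constructed for the example and are not real SDN entries or real chain data.

```python
"""Pre-payment sanctions screening of a cryptocurrency destination address.

Added example for this article; not Guidehouse's code and not a vendor tool.
All addresses and transactions below are constructed (fake) values.
"""

# Constructed: a listed-address lookup as a compliance team might build from
# the SDN list's digital-currency-address identifiers. Values are fake.
SDN_ADDRESSES = {
    "bc1q-sdn-wallet-A": "Example Listed Cyber Actor",
}

# Constructed transactions: the addresses that funded each transaction
# (inputs) and the addresses it paid (outputs).
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["bc1q-sdn-wallet-A", "bc1q-peer-B"],
     "outputs": ["bc1q-dest-C", "bc1q-change-D"]},
    {"txid": "tx2", "inputs": ["bc1q-peer-B", "bc1q-ransom-E"],
     "outputs": ["bc1q-exchange-X"]},
    {"txid": "tx3", "inputs": ["bc1q-clean-F"], "outputs": ["bc1q-clean-G"]},
]


class UnionFind:
    """Minimal disjoint-set structure used to merge addresses into clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions):
    """Common-input-ownership heuristic: all inputs of one transaction are
    assumed to be controlled by the same party, so co-spent addresses are
    merged into one cluster. Returns {input_address: cluster_root}."""
    uf = UnionFind()
    for tx in transactions:
        for addr in tx["inputs"]:
            uf.union(tx["inputs"][0], addr)  # self-union just registers addr
    return {addr: uf.find(addr) for addr in list(uf.parent)}


def screen_address(address, transactions=TRANSACTIONS, sdn_addresses=SDN_ADDRESSES):
    """Pre-payment check. Returns (verdict, reason):
    BLOCK  - listed address, or clustered (co-spent) with a listed address;
    REVIEW - paid directly by a listed cluster (one-hop exposure);
    CLEAR  - no link found in the supplied data (not a clean bill of health)."""
    if address in sdn_addresses:
        return "BLOCK", f"direct SDN match: {sdn_addresses[address]}"

    clusters = cluster_addresses(transactions)
    listed_roots = {clusters[a] for a in sdn_addresses if a in clusters}

    root = clusters.get(address)
    if root is not None and root in listed_roots:
        listed = sorted(a for a, r in clusters.items() if r == root and a in sdn_addresses)
        return "BLOCK", f"clustered (co-spent) with listed address(es): {', '.join(listed)}"

    for tx in transactions:
        if address in tx["outputs"] and any(clusters.get(i) in listed_roots for i in tx["inputs"]):
            return "REVIEW", f"received funds in {tx['txid']} from a listed cluster"

    return "CLEAR", "no listed address or cluster link in the supplied data"


if __name__ == "__main__":
    for candidate in ["bc1q-sdn-wallet-A", "bc1q-ransom-E", "bc1q-dest-C", "bc1q-clean-G"]:
        verdict, reason = screen_address(candidate)
        print(f"{candidate:20} {verdict:6} {reason}")
```

The point of the example is the second and third verdicts: `bc1q-ransom-E` never appears on the list, yet it was co-spent with an address that was itself co-spent with a listed wallet, so a list-only lookup would have cleared a payment that clustering blocks. A CLEAR verdict means only that the supplied data shows no link; in practice the transaction graph and the listed-address set must come from current chain data and the current SDN list, and the result should feed the human review and law-enforcement engagement the article describes rather than replace them.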
How Guidehouse Can Help
Guidehouse can help financial institutions assess their compliance programs to navigate these regulatory risks, including developing and implementing updates to operations, policies, procedures, controls, and technology.
Its areas of relevant expertise include the following:
Anti-money laundering (AML)
AML and Sanctions program management outsourcing
Vendor sourcing and governance
Guidehouse can quickly review and assess your OFAC compliance program to determine whether it is sound and to identify gaps or weaknesses, and can conduct training on cryptocurrency-related AML and Sanctions compliance, including blockchain tracing and analytics.
Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.
Special thanks to Greg Schwarz for contributing to this article.