The U.S. government has officially put financial institutions on notice: It is watching and may impose anti-money laundering (AML) sanctions on payment facilitators if they violate federal laws on engaging in transactions, such as ransomware payments, with sanctioned individuals or entities – intentionally or otherwise.
For as long as ransomware incidents have occurred, the controversial issue of whether victims should make ransom payments to cybercriminals who hijack computer systems and data has been vigorously debated. Now, amid escalating ransomware attacks, the issue has expanded to involve financial institutions that process or facilitate ransom payments.
Specifically, the compliance risks for financial institutions over ransomware payments increased significantly following a pair of recent advisories from the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC). Questionable legality notwithstanding, the U.S. Treasury Department acknowledges in its guidance that victims of ransomware (or their insurers) do sometimes determine that making the ransom payment is the fastest and most cost-effective way to unencrypt their data, restore operations, or prevent the fallout of having their sensitive information released. It also recognizes that these decisions may be at odds with the policy objectives of the U.S. government, if, for example, the ransom transaction is with a sanctioned entity, an unregistered money services business (MSB), or other indicia for reportable suspicious activity. While the advisories do not impose any new legal or compliance obligation, they emphasize Treasury’s clear position that such payments through a financial institution may trigger AML and sanctions program controls under existing regulatory requirements.
Brass tacks: Today’s financial institutions need to put proactive policies and controls in place to ensure their compliance departments are not unprepared for a customer’s attempt to make or facilitate a payment in response to a ransomware attack.
Other highlights from the FinCEN and OFAC advisories are summarized below:
Trend – Based on an analysis of Bank Secrecy Act reporting, FinCEN concludes that the frequency and sophistication of ransomware attacks are on the rise, and that there is a market need for firms that specialize in preventing and responding to such attacks. Part of the response may include the facilitation of ransom payments on behalf of the victim to the perpetrator.
Typologies – Ransomware payments often involve elements of money transmission, currency exchange (fiat currency to/from virtual currency or between virtual currencies), structuring transactions to avoid detection or obscure the identity or ownership of funds, and other money laundering typologies. The guidance notes several red flags for ransomware payments, which generally include cryptocurrency transactions not in line with the customer’s profile or transactions with a firm specializing in ransomware response.
Unregistered MSBs –Third-party cybersecurity firms that arrange ransomware payments on behalf of customers may be engaging in MSB activity that requires registration with FinCEN, state licensing and AML compliance program obligations. The guidance provides notice to firms of these compliance obligation.
Suspicious Activity Reporting –Banks are also reminded of their longstanding obligation to report unregistered MSB activity. Regardless of the MSB status of the firm facilitating the payment, the guidance suggests that red flags indicative of a potential ransomware payment may provide sufficient cause for filing an SAR. Guidance is provided on the technical mechanics of filing out a SAR.
Sanctions –OFAC will continue to impose sanctions on perpetrators of ransomware attacks and entities providing material support to such illegal activities. Additionally, all U.S. persons, including ransomware victims, companies specializing in ransomware response, and financial institutions, must not process a transaction with an entity that has been designated by OFAC as a specially designated national (SDN) or covered by various comprehensive embargoes, within a country or region. Institutions and individuals are reminded that they face liability even in cases where they unknowingly transact business with a sanctioned entity.
What Can Financial Institutions Do Now?
The FinCEN/OFAC advisories clarify that existing regulatory requirements carry compliance obligations with respect to ransomware payments. Compliance departments should ensure that their sanctions and suspicious activity monitoring and reporting programs are appropriately tailored to the risks posed by the prevalence of ransomware attacks and the growing numbers of victims electing to resolve these incidents via ransom payments.
Additionally, firms providing ransomware response services should evaluate whether their business model constitutes MSB activity that would require registration with FinCEN and the development of an AML program. Finally, while the guidance from both agencies falls short of prohibiting a financial institution from facilitating a ransomware payment, it seems to make clear such payments are not in line with U.S. government policy objectives and do create substantial compliance risk for the organization. Unfortunately, this puts financial institutions in the awkward but familiar position of monitoring customer activity with the implied requirement to stop illicit transactions on the basis of limiting their compliance risk, rather than based on a clear-cut requirement to decline ransomware payment-related customer transactions.