Clifford Chance – The US Department of Treasury recently issued advisories aimed at financial institutions and corporates being extorted to make or process payments relating to ransomware attacks. The advisories are a reminder to consider money laundering and sanctions risks as part of ransomware crisis management.
The Financial Crimes Enforcement Network (FinCEN) advisory, “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” (FinCEN Advisory), and the Office of Foreign Assets Control (OFAC) advisory, “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (OFAC Advisory), both reinforce the responsibility of those dealing with such attacks to consider and comply with existing regulations. Neither the FinCEN Advisory nor the OFAC Advisory creates new obligations, but each contains important reminders regarding compliance risks and reporting requirements that companies who face ransomware attacks, or financial intermediaries who may process ransomware payments, cannot overlook.
The FinCEN Advisory highlights the role and obligations of financial institutions and other intermediaries, and provides guidance on ransomware typologies and red flags. FinCEN expects financial intermediaries to try to detect fund transfers that may be associated with ransomware attack demands and lists ten red flags that should be added to detection scenarios/algorithms. While the red flags are similar in some respects to those financial institutions should already be considering as part of general financial crime/money laundering detection, they focus specifically on certain types of third parties that often are involved in ransomware payments, such as digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs). The red flags further
highlight the fact that the payments often involve convertible virtual currency (CVC). FinCEN provides the following examples:
- “a transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare), and a DFIR or CIC, especially one known to facilitate ransomware payments”; and
- “a DFIR or CIC customer receives funds from a customer company and shortly after receipt of funds sends equivalent amounts to a CVC exchange”.
The FinCEN Advisory also includes a request relating to Suspicious Activity Report (SAR) filings, specifically, that financial institutions (i) reference “CYBER-FIN-2020-A006” in SAR field 2 (the field where financial institutions can include a note to FinCEN); (ii) select SAR field 42 (Cyber event) as the associated suspicious activity type, as well as select SAR field 42z (Cyber event – Other) and include “ransomware” as a keyword; and (iii) include any relevant technical cyber indicators related to the ransomware activity and associated transactions within the available structured cyber event indicator SAR fields 44(a)-(j), and (z).
The OFAC Advisory reminds companies, individuals, banks, and insurance companies subject to its broad jurisdiction and strict liability regime that one of the considerations, of many, when deciding to make a payment to a bad actor in a ransomware attack is whether the payment would create potential OFAC liability. Specifically, entities must consider whether the payment is to a Specially Designated National (SDN) or otherwise implicates the OFAC sanction programs, including OFAC’s country-wide sanctions. OFAC has listed as SDNs several entities found to be perpetrating these types of cyberattacks.
It is easy to see how in a moment of crisis a decision could be made to make a payment to save the company from imminent harm without necessarily conducting a sanctions risk review. However, the OFAC Advisory makes clear that enforcement consequences cannot be avoided simply because a payment was made under the duress of a ransomware attack. OFAC expects companies, including the victims of such attacks, to comply with its regulations, as would any financial institution processing any part of the payment. However, the OFAC Advisory does not provide any comfort that companies or financial institutions will be able to obtain an OFAC specific license for a ransomware payment even if they identify a sanctions risk because license applications involving ransomware payments “as a result of malicious cyber-enabled activities” are subject to a presumption of denial.
However, in the event an OFAC-prohibited payment has been made, the OFAC Advisory does include a clear message that OFAC will consider as “significant” mitigating factors a company’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement” as well as the company’s “full and timely cooperation with law enforcement”.
Clifford Chance LLP is a multinational law firm headquartered in London, United Kingdom, and a member of the “Magic Circle”. It is one of the ten largest law firms in the world measured both by number of lawyers and revenue.
- Unlock the Full Potential of Your Law Firm Marketing: 7 Automation Tips for Law FirmsBenjamin Boman* – Marketing automation seems to be a popular but not well-defined topic outside the …
Unlock the Full Potential of Your Law Firm Marketing: 7 Automation Tips for Law Firms Read More »
- Finding the Right Environmental Lawyer for You: How to Choose the Best Fit for Your NeedsEnvironment law is one of the fastest-growing areas of legal practice, with specialist firms and boutiques …
Finding the Right Environmental Lawyer for You: How to Choose the Best Fit for Your Needs Read More »
- Key Steps To Obtaining The Best Branding Packages For Small BusinessesWhen selecting branding packages for a small business – including law firms and other professional firms …
Key Steps To Obtaining The Best Branding Packages For Small Businesses Read More »
- Everything You Need to Know About Condo Property Damage LawsuitsLaura Byers – Condo property damage lawsuits are not an uncommon occurrence unfortunately and dealing with …
Everything You Need to Know About Condo Property Damage Lawsuits Read More »
- 5 Legal Transcription Companies Your Law Firm Should Consider UsingHow do you choose from all the legal transcription companies the one that you can work with? We have listed five top choices.
- 7 Factors That Can Make Personal Injury Lawsuits More Complicated than They Need BeWe are often asked about personal injury lawsuits in terms of the ‘risk factors’ and what …
7 Factors That Can Make Personal Injury Lawsuits More Complicated than They Need Be Read More »
- Clifford Chance: The metaverse: When is real estate no longer real?Approximately US$2 billion worth of ‘land’ has changed hands so far this year without a single …
Clifford Chance: The metaverse: When is real estate no longer real? Read More »