Clifford Chance – The US Department of Treasury recently issued advisories aimed at financial institutions and corporates being extorted to make or process payments relating to ransomware attacks. The advisories are a reminder to consider money laundering and sanctions risks as part of ransomware crisis management.
The Financial Crimes Enforcement Network (FinCEN) advisory, “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” (FinCEN Advisory), and the Office of Foreign Assets Control (OFAC) advisory, “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (OFAC Advisory), both reinforce the responsibility of those dealing with such attacks to consider and comply with existing regulations. Neither the FinCEN Advisory nor the OFAC Advisory creates new obligations, but each contains important reminders regarding compliance risks and reporting requirements that companies who face ransomware attacks, or financial intermediaries who may process ransomware payments, cannot overlook.
The FinCEN Advisory highlights the role and obligations of financial institutions and other intermediaries, and provides guidance on ransomware typologies and red flags. FinCEN expects financial intermediaries to try to detect fund transfers that may be associated with ransomware attack demands and lists ten red flags that should be added to detection scenarios/algorithms. While the red flags are similar in some respects to those financial institutions should already be considering as part of general financial crime/money laundering detection, they focus specifically on certain types of third parties that often are involved in ransomware payments, such as digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs). The red flags further
highlight the fact that the payments often involve convertible virtual currency (CVC). FinCEN provides the following examples:
- “a transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare), and a DFIR or CIC, especially one known to facilitate ransomware payments”; and
- “a DFIR or CIC customer receives funds from a customer company and shortly after receipt of funds sends equivalent amounts to a CVC exchange”.
The FinCEN Advisory also includes a request relating to Suspicious Activity Report (SAR) filings, specifically, that financial institutions (i) reference “CYBER-FIN-2020-A006” in SAR field 2 (the field where financial institutions can include a note to FinCEN); (ii) select SAR field 42 (Cyber event) as the associated suspicious activity type, as well as select SAR field 42z (Cyber event – Other) and include “ransomware” as a keyword; and (iii) include any relevant technical cyber indicators related to the ransomware activity and associated transactions within the available structured cyber event indicator SAR fields 44(a)-(j), and (z).
The OFAC Advisory reminds companies, individuals, banks, and insurance companies subject to its broad jurisdiction and strict liability regime that one of the considerations, of many, when deciding to make a payment to a bad actor in a ransomware attack is whether the payment would create potential OFAC liability. Specifically, entities must consider whether the payment is to a Specially Designated National (SDN) or otherwise implicates the OFAC sanction programs, including OFAC’s country-wide sanctions. OFAC has listed as SDNs several entities found to be perpetrating these types of cyberattacks.
It is easy to see how in a moment of crisis a decision could be made to make a payment to save the company from imminent harm without necessarily conducting a sanctions risk review. However, the OFAC Advisory makes clear that enforcement consequences cannot be avoided simply because a payment was made under the duress of a ransomware attack. OFAC expects companies, including the victims of such attacks, to comply with its regulations, as would any financial institution processing any part of the payment. However, the OFAC Advisory does not provide any comfort that companies or financial institutions will be able to obtain an OFAC specific license for a ransomware payment even if they identify a sanctions risk because license applications involving ransomware payments “as a result of malicious cyber-enabled activities” are subject to a presumption of denial.
However, in the event an OFAC-prohibited payment has been made, the OFAC Advisory does include a clear message that OFAC will consider as “significant” mitigating factors a company’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement” as well as the company’s “full and timely cooperation with law enforcement”.
Source:
Clifford Chance LLP is a multinational law firm headquartered in London, United Kingdom, and a member of the “Magic Circle”. It is one of the ten largest law firms in the world measured both by number of lawyers and revenue.
- 5 Tips For Navigating Your First Personal Injury Case
Personal injury cases in the US are a common occurrence. Based on data from the Bureau… Read more: 5 Tips For Navigating Your First Personal Injury Case - Unlock the Full Potential of Your Law Firm Marketing: 7 Automation Tips for Law Firms
Benjamin Boman* – Marketing automation seems to be a popular but not well-defined topic outside the… Read more: Unlock the Full Potential of Your Law Firm Marketing: 7 Automation Tips for Law Firms - Finding the Right Environmental Lawyer for You: How to Choose the Best Fit for Your Needs
Environment law is one of the fastest-growing areas of legal practice, with specialist firms and boutiques… Read more: <strong>Finding the Right Environmental Lawyer for You: How to Choose the Best Fit for Your Needs</strong> - Key Steps To Obtaining The Best Branding Packages For Small Businesses
When selecting branding packages for a small business – including law firms and other professional firms… Read more: Key Steps To Obtaining The Best Branding Packages For Small Businesses - Everything You Need to Know About Condo Property Damage LawsuitsLaura Byers – Condo property damage lawsuits are not an uncommon occurrence unfortunately and dealing with… Read more: <strong>Everything You Need to Know About Condo Property Damage Lawsuits</strong>
- 5 Legal Transcription Companies Your Law Firm Should Consider UsingHow do you choose from all the legal transcription companies the one that you can work with? We have listed five top choices.
- 7 Factors That Can Make Personal Injury Lawsuits More Complicated than They Need Be
We are often asked about personal injury lawsuits in terms of the ‘risk factors’ and what… Read more: 7 Factors That Can Make Personal Injury Lawsuits More Complicated than They Need Be
