Clifford Chance

The US Department of Treasury recently issued advisories aimed at financial institutions and corporates being extorted to make or process payments relating to ransomware attacks. The advisories are a reminder to consider money laundering and sanctions risks as part of ransomware crisis management.

The Financial Crimes Enforcement Network (FinCEN) advisory, "Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments" (FinCEN Advisory), and the Office of Foreign Assets Control (OFAC) advisory, "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments" (OFAC Advisory), both reinforce the responsibility of those dealing with such attacks to consider and comply with existing regulations. Neither the FinCEN Advisory nor the OFAC Advisory creates new obligations, but each contains important reminders regarding compliance risks and reporting requirements that companies who face ransomware attacks, or financial intermediaries who may process ransomware payments, cannot overlook.

The FinCEN Advisory highlights the role and obligations of financial institutions and other intermediaries, and provides guidance on ransomware typologies and red flags. FinCEN expects financial intermediaries to try to detect fund transfers that may be associated with ransomware attack demands and lists ten red flags that should be added to detection scenarios/algorithms. While the red flags are similar in some respects to those financial institutions should already be considering as part of general financial crime/money laundering detection, they focus specifically on certain types of third parties that often are involved in ransomware payments, such as digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs). The red flags further
highlight the fact that the payments often involve convertible virtual currency (CVC). FinCEN provides the following examples:

• "a transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare), and a DFIR or CIC, especially one known to facilitate ransomware payments"; and 
• "a DFIR or CIC customer receives funds from a customer company and shortly after receipt of funds sends equivalent amounts to a CVC exchange".

The FinCEN Advisory also includes a request relating to Suspicious Activity Report (SAR) filings, specifically, that financial institutions (i) reference "CYBER-FIN-2020-A006" in SAR field 2 (the field where financial institutions can include a note to FinCEN); (ii) select SAR field 42 (Cyber event) as the associated suspicious activity type, as well as select SAR field 42z (Cyber event - Other) and include “ransomware” as a keyword; and (iii) include any relevant technical cyber indicators related to the ransomware activity and associated transactions within the available structured cyber event indicator SAR fields 44(a)-(j), and (z).

The OFAC Advisory reminds companies, individuals, banks, and insurance companies subject to its broad jurisdiction and strict liability regime that one of the considerations, of many, when deciding to make a payment to a bad actor in a ransomware attack is whether the payment would create potential OFAC liability. Specifically, entities must consider whether the payment is to a Specially Designated National (SDN) or otherwise implicates the OFAC sanction programs, including OFAC's country-wide sanctions. OFAC has listed as SDNs several entities found to be perpetrating these types of cyberattacks. 

It is easy to see how in a moment of crisis a decision could be made to make a payment to save the company from imminent harm without necessarily conducting a sanctions risk review. However, the OFAC Advisory makes clear that enforcement consequences cannot be avoided simply because a payment was made under the duress of a ransomware attack. OFAC expects companies, including the victims of such attacks, to comply with its regulations, as would any financial institution processing any part of the payment. However, the OFAC Advisory does not provide any comfort that companies or financial institutions will be able to obtain an OFAC specific license for a ransomware payment even if they identify a sanctions risk because license applications involving ransomware payments "as a result of malicious cyber-enabled activities" are subject to a presumption of denial.

However, in the event an OFAC-prohibited payment has been made, the OFAC Advisory does include a clear message that OFAC will consider as "significant" mitigating factors a company's "self-initiated, timely, and complete report of a ransomware attack to law enforcement" as well as the company's "full and timely cooperation with law enforcement".