One of the biggest challenges for financial institutions and their customers during the COVID-19 pandemic has been managing the significant increase in online and digital transactions. These efforts have included increases in online shopping and the shift to remote work and school, as well as digital efforts to distribute pandemic relief to consumers and small businesses. While the economy has done a remarkable job of adjusting to the ecommerce environment, there has been a corresponding increase in cyberattacks, ransomware scams, and related fraud. The Department of Treasury, through the Financial Crimes Enforcement Network (FinCEN), has issued a number of advisories related to fraud, theft, and money laundering associated with the pandemic, which we have summarized in a series of client alerts.
Earlier this month, FinCEN and the Office of Foreign Assets Control (OFAC), also part of the Treasury, issued complementary advisories warning financial institutions (and businesses generally) on the risks of ransomware attacks, including the need for financial institutions to avoid knowingly or inadvertently facilitating payments to bad actors in connection with these scams. Together, the FinCEN and OFAC advisories fit squarely within Treasury's efforts to educate the public on fraud and money laundering risks associated with the pandemic, and build upon existing guidance that encourages financial institutions to monitor for and report on cyberattacks and related fraud. In this alert, we provide an overview of the FinCEN and OFAC guidance on ransomware attacks and explain how that guidance complements existing guidance for financial institutions relating to sanctions screening and monitoring for and reporting on suspicious activity involving cyberattacks and related fraud.
What Is a Ransomware Attack?
The FinCEN and OFAC advisories describe a ransomware attack as involving the use of malicious software ("malware") to block access to a victim's computer system or data (often through encryption) in order to extort payments from a victim in exchange for releasing the blocked information. These attacks also often include the capture of sensitive data and threats to release the data to the public unless the ransom payment is made. As explained in the OFAC advisory, there was a 37 percent annual increase in reported attacks between 2018 and 2019, along with a 147 percent increase in associated losses.
Any entity or individual with an online presence can be the victim of a ransomware attack. The OFAC advisory warns that these attacks are carried out against large corporations, small businesses, local government agencies, hospitals, nonprofits, school districts, and individuals. In particular, small organizations, which often do not have sophisticated cyber resources, are attractive targets for cyberattacks and related fraud.
How Do Financial Institutions and Payments Intermediaries Facilitate Ransomware Payments?
FinCEN highlights the increasing role that financial institutions (banks, credit unions, etc.) and payments intermediaries play in the collection and transmission of payments in response to a ransomware attack. For a victim looking to protect sensitive data, it can be tempting to give in to the extortion and direct a financial institution to make a payment to the ransomware perpetrator. In recent years, this process has increasingly involved demands for payments in convertible virtual currency (CVC). A CVC is defined by FinCEN as a type of virtual currency (often called a digital currency or cryptocurrency) that either has an equivalent value as currency or acts as a substitute for currency.
FinCEN details how the process often works: In connection with a ransom demand, the victim is directed to transmit funds through a payments network to a CVC exchange to purchase the type and amount of CVC specified by the perpetrator. Next, the victim is told to transfer the CVC to the perpetrator's designated account or CVC address. From there, the perpetrator will attempt to launder the funds through various means so that the funds can be used in the future without suspicion.
An additional twist, which FinCEN identifies as a growing trend, is the rise of digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs) that offer to provide protection and mitigation services to victims of ransomware attacks. Some of these firms may facilitate ransomware payments by assisting victims in the purchase and transfer of CVCs to perpetrators. As payment intermediaries, FinCEN warns that these companies may be money services businesses requiring registration and Bank Secrecy Act obligations, including AML programs and suspicious activity reporting.
What Are the Regulatory Considerations for Financial Institutions and Payments Intermediaries?
In addition to raising awareness of the risk of ransomware attacks, the FinCEN and OFAC advisories provide guidance to financial institutions and payment intermediaries on how to manage these challenges in a way that is consistent with regulatory expectations.
Potential Sanctions Violations. The OFAC advisory warns that facilitating a payment to a ransomware perpetrator may violate U.S. economic sanctions. The U.S. government maintains comprehensive economic sanctions against certain designated countries, entities, and individuals. In particular, U.S. persons, wherever located, are prohibited from engaging in transactions with persons on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List). OFAC has designated numerous cyber actors on the SDN List, including some that have perpetrated ransomware attacks in the past. Thus, a financial institution that facilitates a payment to a ransomware perpetrator may unwittingly be making a payment to a prohibited entity in violation of U.S. sanctions. While OFAC's sanctions are "strict liability," OFAC has issued guidance encouraging financial institutions to implement risk-based approaches to compliance, which should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction.
Suspicious Activity Reporting. For its part, the FinCEN guidance focuses on providing red flag indicators of ransomware activity to help financial institutions detect, prevent, and report on suspicious transactions. Pursuant to the Bank Secrecy Act and FinCEN rules, financial institutions are required to file suspicious activity reports (SARs) to report potentially illicit transactions that flow through the financial institution or involve its customers. Over the years, FinCEN and the prudential banking regulators have issued several advisories encouraging banks to file SARs in connection with suspicious cyber-events. The most recent advisory on ransomware payments fits squarely within this precedent.
Going back to 2000, for example, the Office of the Comptroller of the Currency (OCC) issued guidance advising national banks to file SARs in connection with cyber intrusions and computer crimes. In 2016, FinCEN issued an advisory explaining that banks should file SARs for cyber-related events in most cases based on the view that most cyber-events or intrusions are associated with an intent to violate a law involving more than $5,000. In supplemental guidance also issued in 2016, FinCEN explained that a SAR should be filed for a cyber-event even if the event is unsuccessful: "An otherwise reportable cyber-event should be reported regardless of whether it is considered unsuccessful. A financial institution is required to file a SAR to report any cyber-event if the institution knows, suspects, or has reason to suspect the cyber-event was intended to or could affect a transaction conducted or attempted by, at, or through the financial institution."
AML Program Review. Pursuant to this OCC and FinCEN guidance, and FinCEN's recent advisory on ransomware, financial institutions should review their AML programs to ensure that suspicious cyber-related activity is tracked, investigated, and reported to FinCEN, when appropriate. Doing so can help minimize the risk of facilitating an unlawful transaction, such as an OFAC violation, while also helping to provide FinCEN and other law enforcement authorities access to information that can be used to investigate and prosecute cyber-related fraud.
* * * * *
Over the past several months, Treasury (particularly FinCEN) has issued several notices and an advisory related to Bank Secrecy Act (BSA) compliance during the pandemic. These advisories have covered risks ranging from unemployment and insurance fraud to coronavirus and pandemic relief scams. With Treasury focused on the need to combat fraud during the pandemic – including cybercrimes – be sure to stay on alert for future guidance and advisories.