The US Treasury’s Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) simultaneously released advisories warning of potential Bank Secrecy Act (BSA) violations and OFAC sanctions risks associated with ransomware payments made in response to malicious cyber-attacks.
Demand for ransomware payments has increased during the COVID-19 pandemic as cyber-threat actors successfully compromise more networks than in the past.
Banks face FinCEN, OFAC and BSA risks from their own actions, from the actions of their customers, and from their role as a financial payment intermediary.
Action Required by Your Financial Institution
Determine whether your institution has made any direct payments in response to ransomware events. Beyond an individual financial institution paying a ransomware demand, institutions also carry risk if their customers suffer a ransomware event and use the bank as a conduit to pay the ransom directly; pay a third-party remediation firm that pays the ransom on their behalf; or use an account at the bank to purchase cryptocurrency through a cryptocurrency wallet for transmission to a cyber-threat actor. FIs also carry risk if they bank entities that assist with making ransomware payments.
The FinCEN advisory identifies financial red flag indicators of ransomware-related activity to assist in detecting, preventing, and reporting suspicious transactions. Be aware that a Suspicious Activity Report (SAR) may need to be filed depending on the nature of the incident.
For the FinCEN advisory, visit here.
For the OFAC advisory, visit here.
Banking regulators, FinCEN and OFAC all have regulatory enforcement responsibilities. Entities and persons involved in ransomware payments should be advised that OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know, or have reason to know, that it was engaging in a transaction with a person prohibited under the sanctions laws and regulations administered by OFAC. BSA/AML examination findings in a safety and soundness exam are part of the Management component of the FFIEC CAMELS rating system.
The increased prevalence of ransomware attacks has led to the creation of companies that provide remediation services to ransomware victims, frequently facilitating a ransomware payment on behalf of the victim. Many of the entities offering remediation services (digital forensics and incident response (DFIR) companies, cyber insurance companies (CICs), and audit and accounting firms) may not be aware of the potential BSA, OFAC and FinCEN violations they are creating, or of the impact those violations may have on the financial institution.
FIs that bank entities assisting with ransomware payments should be aware that such activity could constitute money transmission. Entities engaged in money services business activities (such as money transmission) are required to register as an MSB with FinCEN (in addition to State regulators) and are subject to OFAC requirements and BSA obligations, including the filing of suspicious activity reports (SARs).
Additionally, OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program, the SDN list and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions. According to the OFAC advisory, previous ransomware attacks targeting US institutions and government agencies have been used to funnel money to Iranian, Russian and North Korean organized cybercrime groups.
While some large consulting firms have recommended paying ransoms, the FBI has for years recommended against paying. Paying emboldens cyber attackers and marks you as a target for future extortion, since you are identified as someone with both the ability and the willingness to pay. The FinCEN and OFAC advisories give further good reasons not to pay.