Banks are exposed to ransomware risks that extend beyond cyberattacks on their own systems. A Bank that participates in a victim’s ransom payment may be exposed to penalties for violations of Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC) regulations. On Oct. 1, 2020, the United States Treasury, through FinCEN and OFAC, issued advisories on the risks and obligations of those dealing with ransom demands.(1) The advisories apply to a variety of businesses and victims affected by a ransomware event. This article focuses on considerations for depository institutions (Banks).
FinCEN defines ransomware as a form of malicious software (malware) designed to block access to a computer system or data, often by encrypting data or programs on information technology (IT) systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data. In some cases, in addition to the attack, the perpetrators threaten to publish sensitive files belonging to the victims, which can be individuals or business entities (including financial institutions). The consequences of a ransomware attack can be severe and far-reaching — with losses of sensitive, proprietary, and critical information or loss of business functionality.
The challenges of dealing with ransomware payments are not confined to large banks. It is increasingly likely that community Banks will be called upon to deal with requests to facilitate ransom payments. According to the Federal Bureau of Investigation, reported ransomware cases and losses are rapidly increasing. Cyber-actors are also launching ransomware attacks against increasingly diverse targets.
Payment of ransom often involves transferring money through a chain of entities. Ransoms are generally paid in convertible virtual currency (CVC) such as Bitcoin. The payment may be initiated by the victim or a cyber insurance company, or other representatives of the victim. Money is transferred from a Bank to a CVC account provided by a money services business (MSB). From there, it may be transferred to accounts at other MSBs designated by the cyber-actor. The funds are then often laundered before being received by the cyber-actor.
There are two key concerns for Banks: identifying when a customer is requesting that the Bank facilitate a ransom payment, and avoiding direct or indirect participation in a transaction that violates OFAC regulations. FinCEN requires procedures to ensure that an appropriate suspicious activity report (SAR) is filed for a ransomware-related transaction. OFAC requires banks to implement procedures to ensure that the Bank does not violate OFAC regulations.
The purpose of the OFAC advisory is to highlight the sanctions risks associated with ransomware payments. OFAC discourages payment of ransoms. OFAC’s concerns with ransom payments include encouraging further attacks and funding other illicit activities of criminals and adversaries of the United States. OFAC continues to identify and sanction cyber-actors benefiting from ransomware attacks.
OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a Bank may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a prohibited person under sanctions laws and regulations administered by OFAC. However, OFAC will consider the existence, nature, and adequacy of a sanctions compliance program as a factor in determining an appropriate enforcement response. OFAC encourages Banks to implement risk-based compliance programs to mitigate exposure to sanctions-related violations.
It is possible to pay a ransom to a sanctioned person under a license issued by OFAC. However, the presumption is that OFAC will deny such license requests.
The FinCEN advisory discusses the role of financial intermediaries in processing ransomware payments, trends of ransomware and associated payments, ransomware-related financial red flag indicators, and reporting and sharing information related to ransomware attacks. The advisory also provides helpful references to regulations, guidance, and resources.
The red flag indicators of ransomware-related illicit activity are provided to assist Banks in detecting, preventing and reporting suspicious transactions associated with ransomware attacks. The red flags address suspicious activity related to a Bank’s systems as well as financial transactions.
The advisory discusses SAR filing requirements related to both attempted and successful extortion transactions and suspicious cyber events. The advisory reminds Banks to incorporate all relevant information available in SAR reporting.
The advisories do not introduce new legal requirements, but they provide a clear statement of the agencies’ expectations regarding how Banks should address ransomware situations and transactions. Banks should review their anti-money laundering policies and procedures to ensure that their systems include adequate monitoring for ransomware transactions, enhanced risk management procedures when ransomware events are detected, and appropriate and detailed reporting procedures. Banks should also ensure they have clear response plans for ransomware attacks directed at the Bank itself. Well-documented procedures can substantially decrease a Bank’s regulatory risk from ransomware events.
(1) Financial Crimes Enforcement Network, United States Treasury, FIN-2020-A006, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (2020); https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory%20Ransomware%20FINAL%20508.pdf;
Office of Foreign Assets Control, United States Treasury, Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (2020); https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
Mark Mangano is counsel with Jackson Kelly PLLC. Mark is an attorney focusing on strategic planning and bank regulatory issues. He has 26 years of experience as the CEO and owner of a community bank. You can contact Mark at email@example.com or 304-284-4104.