Pub. 11 2020 Issue 4

West Virginia Banker, Winter

Mark Mangano is counsel with Jackson Kelly PLLC. Mark is an attorney focusing on strategic planning and bank regulatory issues. He has 26 years of experience as the CEO and owner of a community bank. You can contact Mark at mark.mangano@jacksonkelly.com or 304-284-4104.

Bank to a CVC account provided by a money services business (MSB). From there, it may be transferred to accounts at other MSBs designated by the cyber-actor. The funds are then often laundered before being received by the cyber-actor.

There are two key concerns for Banks: identifying when a customer is requesting that it facilitate a ransom payment, and avoiding direct or indirect participation in a transaction that violates OFAC regulations. FinCEN requires procedures to ensure that an appropriate suspicious activity report (SAR) is filed related to a ransomware transaction. OFAC requires banks to implement procedures to ensure that the Bank does not violate OFAC regulations.

OFAC Advisory

The purpose of the OFAC advisory is to highlight the sanctions risks associated with ransomware payments. OFAC discourages payment of ransoms. OFAC’s concerns with ransom payments include encouraging further attacks and funding other illicit activities of the United States’ criminals and adversaries. OFAC continues to identify and sanction cyber-actors benefiting from ransomware attacks.
OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a Bank may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a prohibited person under sanctions laws and regulations administered by OFAC. However, OFAC will consider the existence, nature, and adequacy of a sanctions compliance program as a factor in determining an appropriate enforcement response. OFAC encourages Banks to implement risk-based compliance programs to mitigate exposure to sanctions-related violations. It is possible to pay a ransom to a sanctioned person through a license issued by OFAC. But the presumption is that OFAC will deny license requests.

FinCEN Advisory

The FinCEN advisory discusses the role of financial intermediaries in processing ransomware payments, trends of ransomware and associated payments, ransomware-related financial red flag indicators, and reporting and sharing information related to ransomware attacks. The advisory also provides helpful references to regulations, guidance, and resources.

The red flag indicators of ransomware-related illicit activity are provided to assist Banks in detecting, preventing and reporting suspicious transactions associated with ransomware attacks. The red flags address suspicious activity related to a Bank’s systems as well as financial transactions.

The advisory discusses SAR filing requirements related to both attempted and successful extortion transactions and suspicious cyber events. The advisory reminds Banks to incorporate all relevant information available in SAR reporting.

Conclusion

The advisories do not introduce new legal requirements, but they provide a clear statement of the agencies’ expectations regarding how Banks should address ransomware situations and transactions.
Banks should review their anti-money laundering policies and procedures to ensure that their systems include adequate monitoring for ransomware transactions, enhanced risk management procedures when ransomware events are detected, and appropriate and detailed reporting procedures. Banks should also ensure they have clear response plans for ransomware attacks directed at the Bank. Well documented procedures can substantially decrease a Bank’s regulatory risk from ransomware events.

1 Financial Crimes Enforcement Network, United States Treasury, FIN-2020-A006, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (2020); https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory%20Ransomware%20FINAL%20508.pdf; Office of Foreign Assets Control, United States Treasury, Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (2020); https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
