On 15 October 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released detailed sanctions compliance guidance for the virtual currency industry (the Guidance).[1] The Guidance provides an overview of OFAC sanctions requirements and lists several best practices for virtual currency industry participants to comply with OFAC regulations, based on the five components of compliance found in OFAC’s Framework for OFAC Compliance Commitments: management commitment, risk assessment, internal controls, testing and auditing, and training.[2]
On the same day, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) also released a Financial Trend Analysis Report[3] focusing on ransomware patterns and trends found in ransomware-related suspicious activity reports (SARs) filed between January 2021 and June 2021 (the Report). The Report revealed that ransomware-related SARs filed during this period exceeded the number of ransomware-related SARs filed during the entire 2020 calendar year, which is consistent with the increasing number and severity of ransomware attacks threatening U.S. businesses and critical infrastructure.
- The Guidance is meant to educate those in the virtual currency industry about their sanctions compliance obligations and provides practical information for how those operating in the industry can implement sanctions compliance programs.
- The Guidance also serves as a warning that OFAC expects the industry to implement robust sanctions compliance programs. The Guidance notes that “in many cases, OFAC has observed that members of the virtual currency industry implement OFAC sanctions policies and procedures months, or even years, after commencing operations . . . [and that] [d]elaying development and implementation of a sanctions compliance program can expose virtual currency companies to a wide variety of potential sanctions risks.”
- The increase in the number of ransomware-related SAR filings coincides with a renewed effort by the United States to counter ransomware attacks along several lines of effort, including sharing information with financial institutions such as indicators and typologies of illicit virtual currency use.
- The Report aims to inform the public about ransomware-related money laundering typologies, provide ransomware detection and mitigation recommendations, and highlight the importance that financial institutions play in protecting the U.S. financial system from threat actors by reporting suspicious cyber activity.
Key Takeaways from the OFAC Guidance
The Guidance represents OFAC’s increased efforts to engage with the virtual currency industry and provides those operating in the sector with direction on how to comply with U.S. economic sanctions. The Guidance includes both new and previously published information and is designed to provide persons operating in the virtual currency sector with an understanding of their sanctions compliance obligations. In publishing this Guidance, OFAC is also signaling to virtual currency companies that they are expected to implement robust compliance programs as regulations and enforcement actions will increase.
- The Guidance recommends that persons in the virtual currency sector adopt sanctions compliance best practices based on the five essential components of an OFAC sanctions compliance program. These five pillars include: (1) management commitment, (2) risk assessment, (3) internal controls, (4) testing and auditing, and (5) training. Although OFAC has previously recommended that companies design their sanctions compliance programs along these five pillars, this Guidance clearly signals that OFAC likewise expects entities in the virtual currency sector to adopt robust sanctions compliance programs that address these pillars. In addition, OFAC has included specific recommendations that apply to companies operating in the virtual currency sector. For example, OFAC stresses the importance of management’s commitment to developing and implementing a sanctions compliance program prior to the launch of new technologies and products in the virtual currency space and encourages a thorough risk assessment process tailored to the entity’s products and services, customers, and geographic exposure.
- The Guidance highlights internal controls that may be useful for mitigating potential sanctions exposure that virtual currency companies face. The Guidance highlights the importance of using geolocation tools and Internet Protocol (IP) blocking tools to identify and prevent persons located in comprehensively sanctioned jurisdictions from accessing virtual currency platforms or related services.[4] In February 2021, OFAC announced a settlement with a payment-processing company that allowed persons located in sanctioned jurisdictions to transact using virtual assets as payment for goods and services and did not screen the location of buyers. The Guidance also highlights the benefit of screening virtual currency addresses associated with Specially Designated Nationals (SDNs) and using blockchain analytics to determine prior associations with virtual currency addresses blocked by OFAC.
- In conjunction with the publication of the Guidance, OFAC released two new Frequently Asked Questions (FAQs) that provide additional clarity to companies operating in the virtual currency space. FAQ 559[5] defines key terms, including “digital currency,” “digital currency wallet,” “digital currency address,” and “virtual currency.” FAQ 646[6] provides instructions to industry participants on how to block digital currency. Notably, virtual currency companies that maintain several virtual currency wallets in which a blocked person has an interest may choose to block each wallet or may consolidate wallets containing blocked virtual currency in a manner similar to an omnibus account. The FAQs further clarify that U.S. persons are not required to convert virtual currency into fiat currency and are also not required to hold blocked virtual currencies in an interest-bearing account.
Key Takeaways from FinCEN’s Financial Trend Analysis Report
The release of FinCEN’s Financial Trend Analysis Report builds upon FinCEN’s October 2020 ransomware advisory and highlights FinCEN’s commitment under the 2020 Anti-Money Laundering Act to provide periodic threat pattern and trend information related to the priorities it identified in its June 2021 statement, Anti-Money Laundering and Countering the Financing of Terrorism National Priorities.[7] The priorities statement identified cybercrime such as ransomware as a “significant illicit finance threat” to the United States. FinCEN’s release of the Financial Trend Analysis Report is intended to inform the public, businesses, industries, and critical infrastructure sectors of the ransomware trends and patterns gleaned from ransomware-related SARs filed during the first six months of 2021. The Report also aims to inform financial institutions of the value of SARs they file and recommends several detection and mitigation methods to combat ransomware attacks.
- Centralized exchanges play a critical role in laundering ransom payments and exchanging virtual currency proceeds for fiat currency. Threat actors identified in SARs primarily relied on centralized exchanges operating outside of the United States, particularly in jurisdictions that do not effectively enforce know-your-customer (KYC) controls or beneficial ownership transparency for registered exchanges. At the same time, FinCEN also noted that some ransomware-related payments were being laundered through decentralized exchanges or similar decentralized finance applications.
- Ransomware threat actors most often request Bitcoin (BTC) for payments but are increasingly requesting anonymity-enhanced cryptocurrencies (AECs), such as Monero (XMR), to hide their trail. AECs like XMR have privacy enhancing features that make it difficult to trace transaction flows and attribute wallet addresses or transactions, making it likely that threat actors’ use of AECs will continue to increase as financial institutions improve ransomware detection methods and widely adopt advanced blockchain analytics.
- Ransomware threat actors use several convertible virtual currency (CVC) money laundering techniques to obfuscate the flow of funds after receiving a ransomware payment. In addition to increasingly requesting payment in AECs, ransomware threat actors use multiple single-use wallet addresses, mixing/tumbler services, and conduct “chain hopping” to launder ransom payments and make the financial trail more difficult for investigators to follow.
- Financial institutions filed more ransomware-related SARs in the first half of 2021 than in the entire 2020 calendar year. Between 1 January 2021 and 20 June 2021, financial institutions filed 635 ransomware-related SARs worth USD 590 million in suspicious transactions—exceeding the 487 ransomware-related SARs worth USD 416 million in suspicious transactions filed in the entire 2020 calendar year. Analysis of the SAR data also revealed that the median average payment by ransomware victims during the review period was USD 102,273, a modest increase from 2020’s average payment of about USD 100,000. If the trend continues, FinCEN estimates that the total USD transaction value of ransomware activity reported in SARs filed in 2021 will surpass the total USD value of ransomware activity reported in SARs from the past 10 years. This increase in reporting coincides with an increase in ransomware attacks, suggesting that financial institutions have improved ransomware-related detection and reporting.[8]
Challenges and Considerations for the Private Sector
- Virtual currency exchanges and others operating in the virtual currency sector should consider designing their sanctions compliance programs along the five pillars. These pillars—(1) management commitment, (2) risk assessment, (3) internal controls, (4) testing and auditing, and (5) training—should be commensurate with the institution’s risk profile based on its products, services, customers, delivery channels, and geographical locations.
- Virtual currency exchanges should develop and conduct ongoing risk assessments to identify potential sanctions issues, especially as the industry continues to grow in scale, size, and operational jurisdictions. The Guidance highlights several key case studies and actions OFAC has taken against virtual currency payment services. Conducting routine risk assessments, especially during major growth periods of a company, can help identify risks and implement appropriate mitigation measures.
- Virtual currency exchanges should conduct a comprehensive screening of all available data fields on all sides of transactions. As highlighted in the Guidance, available customer data, such as counterparties, customers of customers, and parties’ locations and IP addresses should be screened during the transaction monitoring process. OFAC has previously signaled its expectations on this issue by penalizing several virtual currency exchanges for not screening relevant information.
- Financial institutions should adopt a managed risk-based approach to CVC transaction exposure. Exposure to CVC does not necessarily mean that illicit transactions are taking place. However, the variety of virtual asset products and the lack of consistent application of CVC AML/CFT standards present a significant money laundering and terror financing (ML/TF) risk to financial institutions. Financial institutions are encouraged to apply the Financial Action Task Force’s (FATF) recommendations for CVC.[9]
- Financial institutions should consider adopting blockchain analytic solutions to help manage risks associated with CVCs. Blockchain, the technology underpinning CVCs, serves as an immutable public ledger of every transaction conducted using a particular CVC. Information about every CVC transaction, such as public CVC addresses, amounts, date, and time, can be viewed by anyone. As such, several companies have utilized this feature to create commercial AML/CFT solutions that give financial institutions the ability to view and track suspicious transactions originating from or flowing to high-risk CVC entities.
- Financial institutions should remain vigilant about customers that are or that use foreign centralized CVC exchanges in countries with weak AML/CFT regimes or decentralized finance applications (DeFi) that do not require an account or custodial relationship. Ransomware threat actors use foreign CVC exchanges with lax KYC requirements and DeFi applications to launder ransomware payments. Known as “chain hopping,” ransomware threat actors exchange CVC ransomware payments for other types of CVCs, repeating this process several times across several different high-risk CVC exchanges and DeFi applications before ultimately exchanging the funds for a more fungible CVC.
- Institutions should be vigilant about ransomware threats and adopt detection and mitigation efforts to limit their risk exposure to ransomware attacks. Institutions should strengthen their intrusion detection and security alert systems and enable active blocking or reporting of malicious activity. Additionally, FinCEN has identified several financial red flag indicators for ransomware and associated payments, and institutions should keep up to date on additional ransomware advisories due to the ever-evolving nature of ransomware threats.[10]
- Financial institutions are encouraged to share information regarding suspicious activity resulting from cyber crime, including cyber-enabled financial crime such as ransomware. On 20 December 2020, FinCEN released a fact sheet to encourage covered institutions to voluntarily share information with one another related to cyber-enabled financial crime under a safe harbor provision of Section 314(b) of the USA PATRIOT Act.[11] Under this provision, financial institutions or associations of financial institutions “may share information with each other regarding individuals, entities, organizations, and countries for purposes of identifying, and, where appropriate, reporting activities that may involve possible terrorist activity or money laundering.”[12]
1 The U.S. Department of the Treasury. “Sanctions Compliance Guidance for the Virtual Currency Industry” (October 15, 2021), https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf.
2 The U.S. Department of the Treasury. “A Framework for OFAC Compliance Commitments,” https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.
3 “Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021.” Financial Crimes Enforcement Network, U.S. Department of the Treasury, Washington, 16. Accessed October 15, 2021. https://www.fincen.gov/sites/default/files/2021-10/Financial%20Trend%20Analysis_Ransomware%20508%20FINAL.pdf.
4 K2 Integrity, Expert Insights “Virtual Assets and Sanctions: What Businesses Need to Know,” https://www.k2integrity.com/en/knowledge/expert-insights/2021/virtual-assets-and-sanctions-what-businesses-need-to-know.
5 The U.S. Department of the Treasury. Frequently Asked Questions, Accessed October 18, 2021. https://home.treasury.gov/policy-issues/financial-sanctions/faqs/559.
6 The U.S. Department of the Treasury. Frequently Asked Questions, Accessed October 18, 2021. https://home.treasury.gov/policy-issues/financial-sanctions/faqs/646.
7 The U.S. Department of the Treasury, Anti-Money Laundering and Countering the Financing of Terrorism National Priorities, June 20, 2021. Accessed October 18, 2021. AML/CFT Priorities (June 30, 2021) (fincen.gov).
8 “Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021.” Financial Crimes Enforcement Network, U.S. Department of the Treasury, Washington, 16. Accessed October 15, 2021. https://www.fincen.gov/sites/default/files/2021-10/Financial%20Trend%20Analysis_Ransomware%20508%20FINAL.pdf.
9 These recommendations include (1) conducting and applying a risk-based approach towards CVCs; (2) conducting customer due diligence on customers with CVC exposure and CVC-related businesses; (3) record-keeping, such as information to identify parties, their CVC public addresses, and the nature, date, and amount of CVC transactions; (4) identifying and mitigating risks associated with new CVC technologies; (5) applying AML/CFT program requirements; and (6) reporting suspicious transactions to the financial intelligence unit (FIU).
10 “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments.” Accessed October 18, 2021. FinCEN Advisory, FIN-2020-A006.
11 The U.S. Department of the Treasury, Financial Crimes Enforcement Network, Accessed October 18, 2021. Section 314(b) Fact Sheet (fincen.gov).