OFAC Issues Sanctions Guidance on Virtual Currencies and Ransomware
In recent weeks, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) has issued guidance regarding both virtual currency and ransomware, demonstrating the agency’s enforcement priorities and compliance expectations in these areas. The guidance comes at what Deputy Attorney General Lisa Monaco recently called “an inflection point” in cyber criminality, and the Justice Department, OFAC, and other regulators are paying close attention. The guidance recommends tailoring long-standing sanctions compliance principles and practices to the specific risks raised by virtual currency and ransomware activities.
Virtual currency guidance
OFAC’s virtual currency guidance is directed at the entire industry, “including technology companies, exchangers, administrators, miners, wallet providers, and users.” It aims to “help the virtual currency industry prevent exploitation by sanctioned persons and other illicit actors,” according to the press release issued with the guidance.
In essence, the guidance emphasizes that anyone subject to U.S. sanctions laws and regulations must continue to abide by them when engaging with virtual currencies.
Recent OFAC enforcement actions reinforce the agency’s focus on sanctions applicable to virtual currency transactions, especially (but not only) when they relate to ransomware payments. For example, OFAC reached settlement agreements with (and imposed civil monetary penalties against) U.S. companies that processed transactions for individuals in sanctioned jurisdictions (see our prior OnPoint). It also designated a Russian virtual currency exchange as a sanctioned entity because the exchange facilitated transactions for ransomware actors.
The guidance provides several best practices that entities involved in virtual currency activities should follow to remain in compliance and to mitigate penalties in instances of compliance failures. These practices will be familiar to anyone well-versed in sanctions compliance best practices applicable to other industries. Still, the document notes, compliance solutions should reflect a risk-based approach and should be tailored to the type of business involved, its size and level of sophistication, the products and services it offers, its clients and counterparties, and the locations it serves. OFAC also expects companies to implement these practices early on in the company’s existence, before products and services are released. Although there is no single compliance program to suit all scenarios, implementing OFAC’s best practices, as follows, can prevent sanctions violations and serve as a mitigating factor should any violations occur:
- Management Commitment
Management should commit to enforcing a culture of compliance throughout the organization from the company’s earliest days. OFAC recommends specific actions that management can take to set an appropriate tone from the top, including reviewing and endorsing compliance procedures, allocating adequate resources to compliance, delegating autonomy and authority to the compliance department, and appointing an experienced sanctions compliance officer.
- Risk Assessment
Regular and ongoing risk assessments should be conducted to identify risks associated with sanctions compliance. Activities and relationships associated with foreign jurisdictions or foreign persons should be assessed for their potential to expose a company to sanctioned persons or places.
- Internal Controls
Internal controls should be able to “identify, interdict, escalate, report (as appropriate), and maintain records for” prohibited activities. Useful internal controls include sanctions screening, geolocation tools, know your customer (“KYC”) procedures, and transaction monitoring and investigation to identify virtual currency addresses and other data associated with sanctioned individuals, entities, or jurisdictions. OFAC includes virtual currency addresses as identifying information for designated persons, so these should be used in screening as well.
- Remedial Measures
Where a sanctions violation has occurred, OFAC can consider the remedial measures a company has taken as a mitigating factor in a penalty determination. Remedial measures can include adding and/or strengthening the tools listed above to fill gaps and repair weaknesses in the compliance program.
- Testing and Auditing
Testing and auditing procedures can include ensuring that screening and IP blocking are working effectively.
- Training
Companies should conduct trainings for relevant employees at least annually.
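The screening control described under Internal Controls, and the check described under Testing and Auditing, can be made concrete in a few lines. The following is an added example, not code from the OnPoint, from OFAC, or from any screening vendor. It assumes SDN-style rows whose identification type is a string of the form “Digital Currency Address - XBT” (the form OFAC uses for listed addresses); the names, identifiers and addresses in the sample are constructed placeholders, not real designations.

```python
"""Screen counterparty virtual-currency addresses against an SDN-style list.

Added example (not from the OnPoint or from OFAC). SAMPLE_SDN_ENTRIES are
constructed placeholders shaped like the SDN list's identification rows; no
real designated person or address appears here.
"""
from dataclasses import dataclass

# Constructed sample rows: (sdn_uid, name, id_type, id_value).
# Only rows whose id_type names a digital currency address are indexed.
SAMPLE_SDN_ENTRIES = [
    ("00001", "PLACEHOLDER EXCHANGE LTD", "Digital Currency Address - XBT",
     "1PlaceholderBtcAddrXXXXXXXXXXXXXXX"),
    ("00001", "PLACEHOLDER EXCHANGE LTD", "Digital Currency Address - ETH",
     "0xAbCdEf0000000000000000000000000000000001"),
    ("00001", "PLACEHOLDER EXCHANGE LTD", "Tax ID No.", "000000000"),
    ("00002", "PLACEHOLDER ACTOR", "Digital Currency Address - XMR",
     "4PlaceholderXmrAddrXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"),
]

ID_TYPE_PREFIX = "Digital Currency Address - "


@dataclass(frozen=True)
class Hit:
    sdn_uid: str
    name: str
    asset: str      # e.g. "XBT", "ETH", "XMR"
    address: str    # address exactly as listed


def normalize(asset: str, address: str) -> str:
    """Canonical form used for matching.

    Hex (ETH) addresses are case-insensitive apart from the optional EIP-55
    checksum casing, so they are lowercased.  Bitcoin base58 addresses are
    case-sensitive, so for other assets only surrounding whitespace is removed.
    """
    addr = address.strip()
    return addr.lower() if asset == "ETH" else addr


def build_index(entries) -> dict:
    """Index list rows by (asset, normalized address) for constant-time lookup."""
    index = {}
    for uid, name, id_type, value in entries:
        if not id_type.startswith(ID_TYPE_PREFIX):
            continue  # passports, tax IDs and similar are not addresses
        asset = id_type[len(ID_TYPE_PREFIX):]
        index[(asset, normalize(asset, value))] = Hit(uid, name, asset, value)
    return index


def screen(index: dict, asset: str, address: str):
    """Return the matching Hit for a counterparty address, or None if unlisted."""
    return index.get((asset, normalize(asset, address)))


def self_test(index: dict) -> bool:
    """Testing/auditing control: every indexed address must produce a hit and a
    constructed unlisted address must not.  Run before each screening batch so
    an empty or stale list fails loudly instead of silently clearing everything.
    """
    if not index:
        return False
    for hit in index.values():
        if screen(index, hit.asset, hit.address) is None:
            return False
    return screen(index, "XBT", "1NotOnAnyListXXXXXXXXXXXXXXXXXXXX") is None


if __name__ == "__main__":
    idx = build_index(SAMPLE_SDN_ENTRIES)
    assert self_test(idx), "screening self-test failed; do not process batch"
    # Checksum-cased ETH address still matches the lowercased index entry.
    print(screen(idx, "ETH", "0xabcdef0000000000000000000000000000000001"))
```

The per-asset normalization is the detail most often got wrong in practice: lowercasing a Bitcoin address turns a true match into a miss, while failing to lowercase an Ethereum address lets a differently-cased copy of a listed address pass. The `self_test` step is the cheap form of the testing-and-auditing point: it proves the list loaded and the matcher works before any real traffic is cleared.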
The best practices for the virtual currency industry are not new, nor are they unique to the industry. However, the recent guidance from OFAC indicates that the industry will be a particular focus for enforcement, and companies in the industry should implement these measures as soon as possible to the extent they have not already done so.
Ransomware
In addition to its guidance for the virtual currency industry, OFAC has issued an updated advisory and a joint press release with the Financial Crimes Enforcement Network (“FinCEN”) on the risks of making or facilitating ransomware payments. Virtual currency and ransomware are often linked, as many ransomware attacks include demands for payment in virtual currency (see our Harvard Business Review article and Cyber Bits website).
Ransomware transactions have averaged $100 million per month in 2021 and involved many dozens of ransomware variants, according to the press release issued along with the virtual currency guidance. A bill titled the Ransom Disclosure Act was recently introduced in both houses of Congress to require ransomware victims to report ransomware attacks and related payments to federal authorities.
The advisory also notes that there has been an increase in ransomware attacks during the Covid-19 crisis and warns individuals and companies of the risks associated with giving in to payment demands. OFAC has added the perpetrators of ransomware attacks and entities that facilitate ransomware transactions to its Specially Designated Nationals list; a U.S. person who transacts with either would violate sanctions. Facilitating a transaction with a sanctioned entity or a sanctioned jurisdiction is also prohibited. Under OFAC’s strict liability principles, a company that makes a ransomware payment to or for the benefit of a sanctioned person could be held liable for sanctions violations even if the company did not specifically know that the malign actor was sanctioned.
OFAC advised, however, that cooperating with OFAC and other U.S. government agencies and taking meaningful steps to reduce the risk of extortion by sanctioned actors will be considered significant mitigating factors in any OFAC enforcement response involving ransomware payments to sanctioned parties. These steps can include maintaining offline backups of data, developing incident response plans, instituting cybersecurity/phishing training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others. OFAC’s advisory notes that even if a company makes a ransomware payment in violation of sanctions laws, any associated enforcement action is likely to result in a No Action Letter or Cautionary Letter (which are non-public and do not involve monetary penalties) if the company has taken these mitigation steps.
Conclusion
OFAC is placing greater scrutiny on the virtual currency industry, especially in connection with ransomware payments. Industry members should be mindful of implementing and maintaining robust compliance measures early and often.