Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations

FinCEN, OFAC issue ransomware advisories

Federal Issues FinCEN Department of Treasury OFAC Ransomware Of Interest to Non-US Persons Financial Crimes

Federal Issues

On October 1, the U.S. Treasury Department’s Office of Terrorism and Financial Intelligence issued two advisories to aid U.S. individuals and businesses in combating ransomware scams and attacks. In issuing the advisories, Treasury emphasized that “[e]fforts to detect and report ransomware payments are vital to prevent and deter cyber actors from deploying malicious software to extort individuals and businesses, and to hold ransomware attackers accountable for their crimes.” The advisory released by FinCEN, titled the Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, provides information on the role of financial intermediaries in payments, ransomware trends and typologies, and related financial red flags indicators. Among other things, the advisory urges financial institutions to file suspicious activity reports when handling any transfer of funds related to a ransomware-related activity, and provides information on effectively reporting and sharing information related to ransomware attacks.

The advisory released by Treasury’s Office of Foreign Assets Control (OFAC), titled the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, cautions that companies that facilitate ransomware payments to cyber actors on behalf of victims targeted by ransomware activities may face potential sanctions risks. Among other things, the advisory encourages financial institutions and other companies that engage with victims of ransomware attacks to implement risk-based compliance programs “to mitigate exposure to sanctions-related violations,” and to report such attacks to law enforcement. These sanctions compliance programs, OFAC emphasizes, “should account for the risk that a ransomware payment may involve [a specially designated national] or blocked person, or a comprehensively embargoed jurisdiction.” OFAC also cautions companies to consider whether they also need to comply with FinCEN’s regulatory obligations. Furthermore, the advisory provides U.S. government resources for reporting ransomware attacks, as well as guidance on factors OFAC generally considers when determining an appropriate enforcement response to an apparent violation.