On October 1, 2020, the Financial Crimes Enforcement Network (FinCEN) issued an advisory to alert financial institutions (FIs) to “predominant trends, typologies, and potential indicators of ransomware and associated money laundering activities”. The FinCEN Advisory also refers to the Advisory from the Office of Foreign Assets Control (OFAC) on Potential Sanctions Risks for Facilitating Ransomware Payments.
The FinCEN Advisory goes into detail concerning the role that financial intermediaries play in facilitating Ransomware payments
The Advisory illustrates how FIs play a critical role:
- Processing ransomware payments is a multi-step process that involves at least one depository institution and one or more money services businesses (MSB).
- Many ransomware schemes involve convertible virtual currency (CVC), the preferred payment method of ransomware perpetrators.
- Following the delivery of the ransom demand, a ransomware victim will typically transmit funds via wire transfer, automated clearinghouse, or credit card payment to a CVC exchange to purchase the type and amount of CVC specified by the ransomware perpetrator.
- The victim will send the CVC, often from a wallet hosted at the exchange, to the perpetrator’s designated account or CVC address.
- The perpetrator then launders the funds through various means, including mixers and tumblers to convert funds into other CVCs, smurfing transactions across many accounts and exchanges, and/or moving the CVC to foreign-located exchanges and peer-to-peer (P2P) exchangers in jurisdictions with weak anti-money laundering and countering financing of terrorism (AML/CFT) controls.
FIs protect the US Financial System from ransomware threats through compliance with their BSA obligations
Financial institutions need to evaluate their internal policy with respect to filing Suspicious Activity Reports (SARs) in connection with cybersecurity incidents. Is filing a SAR required or appropriate when dealing with an incident of ransomware conducted by, at, or through the FI, including ransom payments made by financial institutions that are victims of ransomware? FinCEN wants to remind FIs that they are required to file complete and accurate SARs that include all the information that is available, including cyber-related information. FinCEN states that: “When filing a SAR regarding suspicious transactions that involve cyber events (including ransomware), financial institutions should provide all pertinent available information on the event and associated with the suspicious activity, including cyber-related information and technical indicators, in the SAR form and narrative. When filing is not required, institutions may file a SAR voluntarily to aid law enforcement with protecting the financial sector. Valuable cyber indicators for law enforcement investigations for ransomware can include relevant email addresses, Internet Protocol (IP) addresses with their respective timestamps, login information with location and timestamps, virtual currency wallet addresses, mobile device information (such as device International Mobile Equipment Identity (IMEI) numbers), malware hashes, malicious domains, and descriptions and timing of suspicious electronic communications.”
Does your FI have a Corporate Governance Expert?
FIs have a responsibility to ensure that they have a response plan in place for cybersecurity incidents that include Ransomware within their Compliance function. The response plan ought to consider how to engage law enforcement while a Ransomware incident is taking place and after. Likewise, consideration for cybersecurity insurance as well as the selection of appropriate and experienced Corporate Governance Experts are critical to ensure an FI’s ability to navigate through cybersecurity threats.