OFAC Issues Guidance and Updated FAQs on Virtual Currency Sanctions Compliance and FinCEN Issues Updated Advisory on Ransomware | Practical Law

OFAC Issues Guidance and Updated FAQs on Virtual Currency Sanctions Compliance and FinCEN Issues Updated Advisory on Ransomware | Practical Law

The US Treasury's Office of Foreign Assets Control (OFAC) issued guidance and updated FAQs on sanctions compliance for the virtual currency industry and Treasury's Financial Crimes Enforcement Network (FinCEN) issued an updated advisory on ransomware along with a report on ransomware trends and data.

OFAC Issues Guidance and Updated FAQs on Virtual Currency Sanctions Compliance and FinCEN Issues Updated Advisory on Ransomware

by Practical Law Finance
Published on 15 Nov 2021USA (National/Federal)
The US Treasury's Office of Foreign Assets Control (OFAC) issued guidance and updated FAQs on sanctions compliance for the virtual currency industry and Treasury's Financial Crimes Enforcement Network (FinCEN) issued an updated advisory on ransomware along with a report on ransomware trends and data.
On October 15, 2021, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) issued:
On November 8, 2021, US Department of the Treasury announced that its Financial Crimes Enforcement Network (FinCEN) released an updated advisory on ransomware and ransomware data and trends (see FinCEN Issues Updated Ransomware Advisory).

OFAC Issues Sanctions Compliance Guidance for VC

According to OFAC, the compliance guidance is designed to promote sanctions compliance within the VC industry, which, includes technology companies, exchangers, administrators, miners, and wallet providers, as well as more traditional financial institutions or their service providers that may have exposure to VC. The guidance notes that sanctions compliance requirements apply to the VC industry in the same manner as they do to traditional financial institutions and there are civil and criminal penalties for failing to comply. The OFAC guidance provides an overview of OFAC sanctions requirements and addresses four key issues for participants in the VC industry:
  • Evaluating sanctions-related risks in their lines of business.
  • Building a risk-based sanctions compliance program.
  • Protecting their business from sanctions violations and intentional misuse of VCs by malicious actors.
  • Understanding the OFAC recordkeeping, reporting, licensing, and enforcement processes.
The guidance encourages VC industry participants to consider incorporating the elements and controls outlined in the OFAC guidance into their sanctions compliance programs including OFAC best practices. The guidance sets out five compliance best practices for VC market participants, including:
  • Management commitment to:
    • consider sanctions compliance during the testing and review process so that sanctions compliance can be accounted for as technologies are being developed and prior to launching a new product; and
    • implement OFAC sanctions policies and procedures to cover a wide variety of potential sanctions risks.
  • Ongoing risk assessment to identify potential sanctions issues. OFAC recommends that VC companies develop a sanctions compliance program and conduct routine and ongoing risk assessment to identify potential sanctions issues the company is likely to encounter.
  • Internal controls to address transactions or activities prohibited by OFAC to strengthen internal sanctions compliance including the use of:
    • geolocation tools to enable VC companies to identify and prevent IP addresses from prohibited or otherwise unauthorized jurisdictions from accessing a VC company's website and services along with IP-address blocking controls to block access from countries subject to OFAC sanctions;
    • sanctions screening of customer and transactional data against OFAC-administered sanctions lists, including the Specially Designated Nationals and Blocked Persons List (SDN list) and Consolidated Sanctions List (CS list), to identify addresses, including physical, digital wallet, and IP addresses, and other relevant information with potential links to sanctioned persons or jurisdictions; and
    • know-your-customer (KYC) procedures to obtain information about customers during onboarding and throughout the lifecycle of the relationship and using this KYC information to mitigate the customer’s potential sanctions-related risk or identify any need for additional due diligence such as examining customer transactional history for connections to sanctioned jurisdictions or transactions with VC addresses that have been linked to sanctioned actors.
  • Remedial measures to identify weaknesses in internal controls and to implement new controls to prevent future violations including:
    • ongoing sanctions screening and risk-based re-screening;
    • identifying and fixing any internal root causes of OFAC violations; and
    • using risk indicators or "red flags" to identify any sanctions nexus.
  • Sanctions-specific training, testing, and auditing functions that include:
    • job-specific knowledge based on need and communication of sanctions compliance responsibilities for each employee that holds employees accountable for meeting training requirements through the use of testing assessments; and
    • frequent changes and updates to sanctions programs along with new and emerging technologies in the VC space.
The guidance provides detailed analysis of key issues related to ransomware through three case studies related to OFAC sanctions of two Chinese nationals involved in a North Korean state sponsored money-laundering scheme and a Russian VC exchange for facilitating financial transactions for ransomware actors involving VC, diagnosing risky relationships between a US company’s customers and persons located in sanctioned jurisdictions, and US companies' processing VC located in sanctioned jurisdictions of the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria.
OFAC notes in the guidance that as ransomware attacks have increased in recent years, so has the number of ransomware payments, which are typically paid in VC. OFAC guidance reports that the growing prevalence of VC as a payment method brings greater exposure of VC industry participants to sanctions risks, including the risk that a sanctioned person or a person in a sanctioned jurisdiction might be involved in a VC transaction. The guidance notes that the VC industry plays an increasingly critical role in preventing sanctioned persons from exploiting VCs.
The guidance notes that if sanctions risks are ignored or mishandled by VC industry participants, these risks could become vulnerabilities that can lead to federal violations and subsequent federal enforcement actions against those VC participants. According to OFAC, it has published the guidance as part of its commitment to engage with the VC industry to promote compliance with sanctions requirements.
OFAC administers over 35 different sanctions programs with each designed to respond to specific threats and to further US foreign policy and national security goals. Therefore, the types of sanctions employed in each program may differ. The guidance notes that most comprehensive sanctions programs that OFAC administers typically include several or all of the following types of sanctions, while other sanctions programs may only employ some of these options:
  • Broad trade-based sanctions or embargoes that prohibit dealings with an entire country or geographic region, unless exempt or authorized.
  • Government or regime sanctions that either:
    • require the blocking of all property and interests in property of a particular foreign government that are or come within the US or the possession or control of a US person; or
    • prohibit specific types of transactions and activities involving a particular foreign government.
  • List-based sanctions that target specific, listed individuals and entities and either:
    • require the blocking of all property and interests of those listed persons that are or come within the US or the possession or control of a US person; or
    • prohibit specific types of transactions and activities with listed persons.
  • Sectoral sanctions that target individuals and entities operating in specific sectors of a foreign country’s economy or prohibit specific activities within a foreign country’s economy.
The guidance notes OFAC maintains several public lists including:
  • the SDN list, which is a list of individuals and entities and their identified blocked property targeted by OFAC.
  • The CS list, which is a list that combines all other sanctions lists maintained by OFAC.
The guidance observes that both the SDN list and CS list are available for public use on the US Treasury's website. OFAC has also developed a free search tool, the Sanctions List Search, which can conduct searches across all of the sanctions lists administered by OFAC.

OFAC Releases Updated FAQs Regarding Sanctions Compliance for VC

OFAC updated two FAQs relating to OFAC sanctions compliance for VC:
FAQ 559 – definitions. OFAC FAQ 559 defines, for purposes of OFAC sanctions programs, what is meant by the terms "digital currency," "digital currency wallet," "digital currency address," and "virtual currency." For purposes of OFAC sanctions:
  • Digital currency includes sovereign cryptocurrency, virtual currency (non-fiat), and a digital representation of fiat currency.
  • VC is neither issued nor guaranteed by any jurisdiction and is a digital representation of value that functions as:
    • a medium of exchange;
    • a unit of account; and/or
    • a store of value.
FAQ 646 – obligations with respect to blocked VC. OFAC FAQ 646 provides instructional guidance on how VC that is required to be blocked under OFAC regulations Section 501 (31 C.F.R. 501) should be blocked by a US person. Under OFAC regulations, blocked VC must be reported to OFAC within 10 business days, and thereafter on an annual basis if the VC remains blocked. The FAQ explains that under OFAC regulations, a US person holding blocked VC must:
  • Deny all parties access to that VC.
  • Ensure compliance with OFAC regulations related to the holding and reporting of such blocked asset.
  • Implement controls that align with a risk-based approach related to VC.
Under the FAQ, US persons are not obligated to convert the blocked VC into traditional fiat currency (such as US dollars), and the US holders are not required to hold such blocked VC in an interest-bearing account.
OFAC notes that a US person or VC company may either opt to block each wallet that holds blocked VC or consolidate wallets that hold blocked VC in a manner similar to an omnibus account, and block that account. Either action is consistent with OFAC blocking requirements so long as there are controls that allow the VC to ultimately be unblocked and returned if OFAC authorization is provided or when the VC is no longer blocked.

FinCEN Issues Updated Ransomware Advisory

On November 8, 2021, FinCEN issued an updated advisory on ransomware and the use of the financial system to facilitate ransom payments, which replaces OFAC's prior October 1, 2020 advisory. The updated FinCEN ransomware advisory:
  • Includes information on current trends and typologies of ransomware and related payments.
  • Provides three examples of noteworthy ransomware attacks against critical US infrastructure conducted by cybercriminal groups in 2021.
  • Outlines a dozen financial red-flag indicators of ransomware-related activity to help financial institutions spot and report suspicious transactions.
The advisory notes that since no single financial red-flag indicator is indicative of illicit or suspicious activity, financial institutions should consider the relevant facts and circumstances of each transaction in keeping with their risk-based approach to compliance.
The updated advisory reflects information recently released by FinCEN in its Financial Trend Analysis Report, issued on October 15, 2021 showing ransomware trends in Bank Secrecy Act (BSA) data. This report was issued under FinCEN's mandate under the Anti-Money Laundering Act of 2020 (AMLA) (31 USCA §5318 et seq.), which requires FinCEN to publish threat-pattern and trend information derived from Suspicious Activity Reports (SARs) submitted to FinCEN by financial institutions (see Legal Update, Senate and House Override Veto and Pass 2021 National Defense Authorization Act With Significant AML Updates).
The October 15, 2021 FinCEN report revealed that:
  • SARs reports identified $590 million-worth of apparent ransomware-linked activity during the first half of 2021, exceeding the $416 million total for all of 2020.
  • The average amount of reported ransomware transactions per month filed in 2021 was approximately $100 million.
  • For ransomware actors who have developed their own variants of ransomware, FinCEN has identified 68 different ransomware variants reported in SAR data for transactions occurring between January 1, 2021 and June 30, 2021.
  • During the first six months of 2021, the most commonly reported variants in the SAR data were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos and among the costliest ransomware variants were ransomware variants DarkSide and REvil/Sodinokibi.
Several money laundering typologies or characteristics common among ransomware variants in 2021 were identified, including threat actors increasingly requesting payments in anonymity-enhanced cryptocurrencies such as Monero, avoiding reusing wallet addresses, chain hopping whereby money is moved from one cryptocurrency into another, cashing out at centralized exchanges, and using mixing services and decentralized exchanges to convert proceeds.