Tag Archives: FinCEN

Treasury Takes Robust Actions to Counter Ransomware

As part of the whole-of-government effort to counter ransomware, the U.S. Department of the Treasury today announced a set of actions focused on disrupting criminal networks and virtual currency exchanges responsible for laundering ransoms, encouraging improved cyber security across the private sector, and increasing incident and ransomware payment reporting to U.S. government agencies, including both Treasury and law enforcement. Treasury’s actions today advance the United States government’s broader counter-ransomware strategy, which emphasizes the need for a collaborative approach to counter ransomware attacks, including partnership between the public and private sector and close relationships with international partners.

“Ransomware and cyber-attacks are victimizing businesses large and small across America and are a direct threat to our economy. We will continue to crack down on malicious actors,” said Treasury Secretary Janet L. Yellen. “As cyber criminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks.”

Ransomware attacks are increasing in scale, sophistication, and frequency, victimizing governments, individuals, and private companies around the world. In 2020, ransomware payments reached over $400 million, more than four times their level in 2019. The U.S. government estimates that these payments represent just a fraction of the economic harm caused by cyber-attacks, but they underscore the objectives of those who seek to weaponize technology for personal gain: to disrupt our economy and damage the companies, families, and individuals who depend on it for their livelihoods, savings, and futures. In addition to the millions of dollars paid in ransoms and recovery, the disruption to critical sectors, including financial services, healthcare, and energy, as well as the exposure of confidential information, can cause severe damage.

Some virtual currency exchanges are a critical element of this ecosystem, as virtual currency is the principal means of facilitating ransomware payments and associated money laundering activities. The United States has been a leader in applying its anti-money laundering/countering the financing of terrorism (AML/CFT) framework in the virtual currency area, including with the Financial Crimes Enforcement Network (FinCEN) publishing guidance regarding the application of Bank Secrecy Act rules in this area in 2013 and 2019. FinCEN has also taken important enforcement action against non-compliant virtual currency money transmitters facilitating ransomware payments, such as BTC-e in 2017 and the virtual currency mixing service Helix in 2020. In addition, the United States is taking steps to improve transparency regarding ransomware attacks and associated payments.

DESIGNATION OF FIRST VIRTUAL CURRENCY EXCHANGE FOR COMPLICIT FINANCIAL SERVICES

Today’s actions include the Department of the Treasury’s Office of Foreign Assets Control’s (OFAC) designation of SUEX OTC, S.R.O. (SUEX), a virtual currency exchange, for its part in facilitating financial transactions for ransomware actors. SUEX has facilitated transactions involving illicit proceeds from at least eight ransomware variants. Analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors. SUEX is being designated pursuant to Executive Order 13694, as amended, for providing material support to the threat posed by criminal ransomware actors.

Virtual currency exchanges such as SUEX are critical to the profitability of ransomware attacks, which help fund additional cybercriminal activity. Treasury will continue to disrupt and hold accountable these entities to reduce the incentive for cybercriminals to continue to conduct these attacks. This action is the first sanctions designation against a virtual currency exchange and was executed with assistance from the Federal Bureau of Investigation.

While most virtual currency activity is licit, virtual currencies can be used for illicit activity through peer-to-peer exchangers, mixers, and exchanges. This includes the facilitation of sanctions evasion, ransomware schemes, and other cybercrimes. Some virtual currency exchanges are exploited by malicious actors, but others, as is the case with SUEX, facilitate illicit activities for their own illicit gains. Treasury will continue to use its authorities against malicious cyber actors in concert with other U.S. departments and agencies, as well as our foreign partners, to disrupt financial nodes tied to ransomware payments and cyber-attacks. Those in the virtual currency industry play a critical role in implementing appropriate AML/CFT and sanctions controls to prevent sanctioned persons and other illicit actors from exploiting virtual currencies to undermine U.S foreign policy and national security interests.

SANCTIONS IMPLICATIONS

As a result of today’s designation, all property and interests in property of the designated target that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50% or more owned by one or more designated persons are also blocked. In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. Today’s action against SUEX does not implicate a sanctions nexus to any particular Ransomware-as-a-Service (RaaS) or variant.

OFAC UPDATES ADVISORY ON POTENTIAL SANCTIONS RISKS FOR FACILITATING RANSOMWARE PAYMENTS

OFAC today also released an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. The Advisory emphasizes that the U.S. government continues to strongly discourage the payment of cyber ransom or extortion demands and recognizes the importance of cyber hygiene in preventing or mitigating such attacks. OFAC has also updated the Advisory to emphasize the importance of improving cybersecurity practices and reporting to, and cooperating with, appropriate U.S. government agencies in the event of a ransomware attack. Such reporting, as the Advisory notes, is essential for U.S. government agencies, including law enforcement, to understand and counter ransomware attacks and malicious cyber actors.

OFAC strongly encourages victims and related companies to report these incidents to and fully cooperate with law enforcement as soon as possible to avail themselves of OFAC’s significant mitigation related to OFAC enforcement matters and receive voluntary self-disclosure credit in the event a sanctions nexus is later determined.

ADDITIONAL AUTHORITIES

FinCEN, in addition to the guidance and enforcement activities above, has also engaged with industry, law enforcement, and others on the ransomware threat through the FinCEN Exchange public-private partnership. FinCEN held a first Exchange on ransomware in November 2020 and a second Exchange in August 2021. FinCEN is taking additional action under its authorities to collect information relating to ransomware payments.

INTERNATIONAL COOPERATION AND IMPORTANCE OF AML/CFT MEASURES FOR VIRTUAL CURRENCIES AND SERVICE PROVIDERS

Countering ransomware benefits from close collaboration with international partners. At the Group of Seven (G7) meeting in June, participants committed to working together to urgently address the escalating shared threat from criminal ransomware networks. The G7 is considering the risks surrounding ransomware, including potential impacts to the finance sector. For example, the G7 Cyber Expert Group (CEG), co-chaired by Treasury and Bank of England, met on September 1 and September 14, 2021 to discuss ransomware, which remains a grave concern given the number and breadth of ransomware attacks across industry sectors. The participants considered the effects of ransomware attacks on the financial services sector, as well as the broader economy, and explored ways to help improve overall security and resilience against malicious cyber activity.

Given the illicit finance risk that virtual assets pose, including ransomware-related money laundering, in June 2019 the Financial Action Task Force (FATF) amended its standards to require all countries to regulate and supervise virtual asset service providers (VASPs), including exchanges, and to mitigate against such risks when engaging in virtual asset transactions. Among other things, countries are expected to impose customer due diligence (CDD) requirements, and suspicious transaction reporting obligations across VASPs, which can help inhibit cybercriminals’ exploitation of virtual assets while supporting investigations into these illicit finance activities. Because profit-motivated cybercriminals must launder their misappropriated funds, AML/CFT regimens are a critical chokepoint in countering and deterring this criminal activity. This magnifies the need for all countries to effectively and expeditiously implement and enforce the FATF’s standards on virtual assets and VASPs. The United States is committed to continued work at the FATF and with other countries to implement the FATF standards, and we welcome the FATF’s ongoing work on this issue.

The Financial Crimes Enforcement Network Proposes Rule Aimed at Closing AML Regulatory Gaps for Certain Convertible Virtual Currency and Digital Asset Transactions

The Financial Crimes Enforcement Network (FinCEN), a bureau within the U.S. Department of the Treasury, is requesting comments on proposed requirements for certain transactions involving convertible virtual currency (CVC) or digital assets with legal tender status (LTDA). Under the Notice of Proposed Rulemaking (NPRM) submitted to the Federal Register today, banks and money services businesses (MSBs) would be required to submit reports, keep records, and verify the identity of customers in relation to transactions above certain thresholds involving CVC/LTDA wallets not hosted by a financial institution (also known as “unhosted wallets”) or CVC/LTDA wallets hosted by a financial institution in certain jurisdictions identified by FinCEN.

The United States welcomes responsible innovation, including new technologies that may improve the efficiency of the financial system and expand access to financial services. Today’s action seeks to protect national security and aid law enforcement by increasing transparency in digital currencies and closing loopholes that malign actors may exploit.

“This rule addresses substantial national security concerns in the CVC market, and aims to close the gaps that malign actors seek to exploit in the recordkeeping and reporting regime,” said Secretary Steven T. Mnuchin. “The rule, which applies to financial institutions and is consistent with existing requirements, is intended to protect national security, assist law enforcement, and increase transparency while minimizing impact on responsible innovation.”

The proposed rule complements existing BSA requirements applicable to banks and MSBs by proposing to add reporting requirements for CVC and LTDA transactions exceeding $10,000 in value. Pursuant to the proposed rule, banks and MSBs will have 15 days from the date on which a reportable transaction occurs to file a report with FinCEN. Further, this proposed rule would require banks and MSBs to keep records of a customer’s CVC or LTDA transactions and counterparties, including verifying the identity of their customers, if a counterparty uses an unhosted or otherwise covered wallet and the transaction is greater than $3,000.

This includes collecting the following:

  1. The name and address of the financial institution’s customer;
  2. The type of CVC or LTDA used in the transaction;
  3. The amount of CVC or LTDA in the transaction;
  4. The time of the transaction;
  5. The assessed value of the transaction, in U.S. Dollars, based on the prevailing exchange rate at the time of the transaction;
  6. Any payment instructions received from the financial institution’s customer;
  7. The name and physical address of each counterparty to the transaction of the financial institution’s customer;
  8. Other counterparty information the Secretary may prescribe as mandatory on the reporting form for transactions subject to reporting pursuant to § 1010.316(b);
  9. Any other information that uniquely identifies the transaction, the accounts, and, to the extent reasonably available, the parties involved; and,
  10. Any form relating to the transaction that is completed or signed by the financial institution’s customer.

Comments from all interested parties will help inform the scope of any future regulatory actions and should be submitted within 15 days of the NPRM’s publicly display by the Federal Register.