Litigation

Sanctions Roundup Third Quarter 2021

Shearman & Sterling LLP

Issue link: https://digital.shearman.com/i/1422677

• Financial institutions, cyber insurance providers, digital forensics companies, and financial services firms that process ransom payments should implement a risk-based compliance program that accounts for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction.
• Consider any regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations if assisting victims in making ransomware payments.
• Implement enhanced cyber-security practices such as back-up data maintenance, incident response plans, and training.
• In cases of possible apparent violations, self-reporting of the conduct and cooperation will be considered mitigating factors.

On September 21, OFAC imposed sanctions on SUEX OTC, S.R.O. (SUEX), a virtual currency exchange based in Russia, pursuant to Executive Order 13694, which targets supporters of ransomware cyber-criminals. According to OFAC, SUEX facilitated transactions involving illicit proceeds from at least eight ransomware variants, with over 40 percent of SUEX's known transaction history alleged to be associated with illicit actors. SUEX is the first virtual currency exchange to be designated as an SDN, and its listing signals that U.S. authorities may expand the use of economic sanctions to combat cyberattacks, including those funded through cryptocurrencies. Virtual currency exchanges, OFAC noted, "are critical to the profitability of ransomware attacks, which help fund additional cybercriminal activity." In contrast to some exchanges that are manipulated by illicit actors, OFAC declared that SUEX knowingly facilitates the conduct of malign cyber actors for its own illicit gain.

In furtherance of the above, on October 15, 2021, OFAC released an industry-specific brochure, "Sanctions Compliance Guidance for the Virtual Currency Industry." Much of the guidance mirrors previous compliance guidance issued by OFAC and is broadly applicable to all U.S. persons. For example, the guidance illustrates best practices for sanctions compliance, including internal controls and risk assessment measures and reporting requirements. However, it also discusses virtual currency-specific issues, including how to block virtual currency and how to incorporate geolocation tools and IP-address blocking controls to ensure, for example, that transactions are not conducted on behalf of persons in sanctioned jurisdictions. Finally, the guidance highlights case studies regarding sanctions involving virtual currencies in North Korea and Russia, and discusses enforcement actions resulting in settlement agreements with a U.S. company and a U.S. virtual currency payment service provider.
