Agency’s Focus on Cryptocurrency and Blockchain Continues
On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an updated advisory to “highlight the sanctions risks associated with ransomware payments”—almost one year after issuing the first such guidance—and simultaneously imposed sanctions on SUEX, a virtual currency exchange accused of facilitating illegal transactions related to ransomware attacks. These developments highlight OFAC’s continuing focus on sanctions violations that broadly involve virtual currencies and digital assets. We briefly describe the agency’s actions below.
OFAC’s updated ransomware advisory is thematically similar to its initial guidance on the topic from October 2020. It emphasizes U.S. national security interests in preventing ransomware payments to persons, entities, or jurisdictions subject to trade or economic sanctions programs. As in the original guidance, it also warns U.S. persons to be vigilant when considering such payments and encourages ransomware victims to consult with law enforcement agencies before taking any action.
The updated advisory goes further, however, explaining that OFAC will consider a company’s actions both before and after a ransomware attack in determining an appropriate response to sanctions violations that may occur. Specifically, and as part of an effective sanctions compliance program, OFAC emphasizes the importance of:
- taking proactive steps to “reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices”; and
- reporting ransomware attacks to “appropriate U.S. government agencies” and cooperating with them in responding to such attacks.
According to the updated advisory, OFAC will consider these actions as mitigating factors under its Economic Sanctions Enforcement Guidelines, giving “significant” weight to prompt reporting of a ransomware event to authorities as well as “ongoing cooperation” in any investigation or remediation that follows. This guidance highlights the importance of developing and implementing clear escalation procedures so that ransomware and other types of extortionate demands that may raise sanctions risks are promptly reported internally and, as appropriate, externally.
For the first time, OFAC designated virtual currency exchange SUEX as a specially designated national (SDN), meaning that U.S. persons and companies are broadly barred from direct or indirect transactions involving the exchange or any entity of which the exchange owns 50 percent or more, directly or indirectly, either alone or in the aggregate with other SDNs (e.g., its subsidiaries). SUEX was sanctioned under Executive Order 13694, which authorizes sanctions against persons or entities engaged in “malicious cyber-related activities.”
In taking this first-ever action against a virtual currency exchange, OFAC acknowledged that “most virtual currency activity is [legal],” but that cybercrimes often involve use of cryptocurrencies. To that end, the agency explained that more than 40% of SUEX’s transaction history involved “illicit actors.” OFAC did not, however, detail the specific activity leading to SUEX’s designation, nor did it identify customers or counterparties of SUEX for sanctions.
Perhaps in a sign of additional scrutiny to come, OFAC made clear that participants in the “virtual currency industry play a critical role in implementing appropriate AML/CFT and sanctions controls” and affirmed its support for multinational efforts to “inhibit cybercriminals’ exploitation of virtual assets.”
In light of these two significant actions, companies should consider taking the following steps:
- Improve Cybersecurity Practices to reduce the risk of a ransomware attack. This will also be considered a significant mitigating factor under OFAC’s Economic Sanctions Enforcement Guidelines.
- Revise the Company’s existing Sanction Compliance Program to specifically address the steps that Company personnel should take in the event of a ransomware attack, including a.) implementing escalation procedures in the event of a ransomware demand that may raise sanctions risks; and b.) promptly reporting ransomware attacks to law enforcement and/or OFAC.
- Digital currency trading platforms should review their user accounts to determine if SUEX has an account. They also should consider whether they have users who conduct multiple deposits and withdrawals with SUEX.
We will continue monitoring related developments and provide updates as warranted. Please do not hesitate to contact us with questions.