Virtual Currency Platforms and Ransomware Attacks: OFAC Highlights Overlap of Sanctions and Cybersecurity Risks
In the past month, the Office of Foreign Assets Control (OFAC) of the US Department of Treasury (Treasury) has issued two advisories that highlight the heightened US sanctions risk associated with cyber related activities, including ransomware attacks and the virtual currency platforms that ransomware payers often use to facilitate payments.
The scale of cyber related attacks, and ransomware attacks in particular, has steadily increased over the past several years and is now at an all-time high, prompting the Biden Administration to make cybersecurity an increasing focus. According to Treasury, ransomware payments in the first half of 2021 totaled $590 million, exceeding the reported value of $416 million for the entirety of 2020. To this point, Treasury, in releasing its 2021 Sanctions Review, observed that “while sanctions remain an essential and effective policy tool, they also face new challenges” that include “rising risks from new payments systems, the growing use of digital assets, and cybercriminals.”1
As virtual currency is often the principal means of facilitating these payments, and many virtual currency platforms allow users to operate anonymously, it may be difficult for victims of a cyber attack to even determine whether or not a sanctioned person or jurisdiction may be involved. Moreover, even where it is possible to determine that a sanctioned person or entity is involved in a cyber attack, a US business that has been crippled by a ransomware attack may conclude that it has no other choice but to engage with that sanctioned party.
In short, cyber related attacks are an increasing source of US sanctions risk, not only for the victims themselves but also for virtual currency exchanges and even for third parties such as insurers, attorneys, and finance personnel who may facilitate a payment.
Treasury’s guidance attempts to put these actors on notice of such risks. It also provides specific guidelines aimed at mitigating or avoiding the risk of implicating US sanctions laws as an initial matter, as well as guidelines aimed at mitigating the risk, in the event that US sanctions laws are implicated, that OFAC will pursue a formal enforcement action. As Deputy Treasury Secretary Wally Adeyemo noted, “Treasury is helping to stop ransomware attacks by making it difficult for criminals to profit from their crimes, but we need partners in the private sector to help prevent this illicit activity.” These critical “partners in the private sector” include virtual currency platforms, which are not only being used to facilitate transactions by sanctioned parties, but are also vulnerable as direct targets of cyberattacks themselves (i.e., where a sanctioned party may seek to take control of a virtual currency exchange mechanism as the target of a ransomware attack). In other words, as “sanctioned persons and countries become more desperate for access to the US financial system, it is vital that the virtual currency industry prioritize cybersecurity and implement effective sanctions compliance controls to mitigate the risk of sanctioned persons and other actors exploiting virtual currencies to undermine US foreign policy interests and national security.”2
Indeed, concurrent with the first of the two advisories discussed below, OFAC announced its first designation of a virtual currency platform pursuant to its cyber related sanctions program, citing the platform’s facilitation of transactions involving at least eight different ransomware variants. This action likely signals increased enforcement by OFAC in this area going forward, particularly against complicit actors within the virtual currency industry.
OFAC’s September 21, 2021 Updated Ransomware Advisory
Identifying Ransomware Attacks
Ransomware attacks, as explained by OFAC’s September 21, 2021 Updated Advisory,3 occur when a cyber-attacker encrypts the data or programs of a victim, rendering them inaccessible. In exchange for a digital “key” that decrypts these data or programs, cyber-attackers demand that victims provide a ransom payment, often in the form of virtual currency.
Individuals and entities in all business sectors are vulnerable to such attacks. Potential victims include school districts, hospitals, smaller businesses, and local government agencies, as well as operators of critical infrastructure facilities. Entities that have not yet implemented “resilience” measures, aimed at preventing a cyberattack as an initial matter, remain particularly vulnerable.
OFAC’s Updated Advisory clearly identifies the US national security risk implicated by ransomware attacks: payments to stop such an attack ultimately provide financial support to illicit activity. To the extent such payments implicate US sanctions laws, any persons or entities who made or facilitated the payment could be subject to civil penalties on a strict liability basis—that is, even without knowledge that such transactions involve sanctioned entities or jurisdictions—or criminal penalties to the extent the payment was made knowing it would violate US law. That said, OFAC’s recent guidance acknowledges that victims of cyberattacks may be left with no good options: decline to succumb to the attacker’s demands, thus avoiding any US legal violations but perhaps crippling one’s business; or meet the attacker’s demands, thus regaining control of one’s business but perhaps violating US law. OFAC’s guidance not only sets out best practices in this environment, but also reassures companies that—as long as they have implemented risk-based compliance programs and cooperate with law enforcement in the face of a cyberattack—OFAC will likely resolve any related sanctions issues with a (non-public) no-action or cautionary letter, rather than a public enforcement action and penalty.
OFAC Mitigating Factors to Avoid Enforcement Actions
Similar to the October 2020 advisory that it replaced,4 OFAC’s Updated Advisory stresses that persons and entities—including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response—that facilitate ransomware payments implicating US sanctions laws may be subject to OFAC enforcement actions. That said, the Updated Advisory provides greater detail on mitigating factors that the agency will consider in such a scenario. Specifically, OFAC identifies the following as mitigating factors, where a company has implicated US sanctions laws in connection with a cyberattack:
- Compliance programs. The company has implemented a risk-based compliance program to mitigate exposure to sanctions related violations.5 Importantly, this factor extends not only to the victims of ransomware attacks, but also third parties that might be engaged by the victim itself (such as insurers, financial services companies, etc.). In all cases, these companies should develop and implement compliance programs that account for the risk that a cyber-attack may involve a person or entity on OFAC’s list of Specially Designated Nationals (SDN List) or from a sanctioned country or region. Compliance policies should also address situations that may implicate anti-money laundering obligations under the Financial Crimes Enforcement Network’s regulations.
- “Defensive/Resilience Measures.” The company has undertaken “meaningful steps to reduce the risk of extortion” by a sanctioned actor, including various measures that will make the company less vulnerable to a cyber-attack as an initial matter.6 OFAC provides the following examples of baseline resilience measures: (1) maintaining offline backups of data; (2) developing incident response plans; (3) instituting cybersecurity training; (4) regularly updating antivirus and anti-malware software; and (5) employing authentication protocols.
- Cooperation. The company “report[s] the ransomware attack to law enforcement as soon as possible and provides ongoing cooperation.”7 OFAC emphasizes that in the case of ransomware payments with a potential sanctions nexus, OFAC will consider a company’s self-initiated and complete report of a ransomware attack to law enforcement or agencies like the Cybersecurity & Infrastructure Security Agency “to be a voluntary self-disclosure and significant mitigating factor in determining an appropriate enforcement response.”8
By outlining such mitigating factors and the possibility of such a response, the US government is attempting to incentivize businesses to adopt stronger cybersecurity, compliance, and cooperation programs. Critically, if they do, OFAC advises: “While the resolution of each potential enforcement matter depends on the specific facts and circumstances, OFAC would be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter) when the affected party took the mitigating steps described above, particularly reporting the ransomware attack to law enforcement as soon as possible and providing ongoing cooperation.”9
Focus on Virtual Currency Platforms
OFAC’s increased focus on cybersecurity, generally, has also put a spotlight on the sanctions risks specific to the virtual currency industry. Indeed, concurrent with the release of its September 2021 Updated Advisory, OFAC added SUEX OTC, S.R.O. (SUEX), a Russian virtual currency exchange, to the SDN List for facilitating financial transactions for ransomware actors—the first such designation of a virtual currency exchange. According to Treasury, over 40% of SUEX’s known transactions were associated with illicit actors, and the exchange facilitated transactions involving at least eight ransomware variants. In designating SUEX, Treasury observed that the virtual currency sector plays a “critical role” in sanctions compliance.10
October 15, 2021 Guidance on Sanctions Compliance for the Virtual Currency Industry
Less than a month after OFAC issued its Updated Ransomware Advisory and added SUEX to the SDN List, the role of virtual currency platforms in potential US sanctions violations was front and center again. On October 15, 2021, OFAC issued Sanctions Compliance Guidance for the Virtual Currency Industry (Virtual Currency Guidance), calling upon the virtual currency industry to help ensure that its platforms are not used as a vehicle to violate or evade US sanctions laws. OFAC’s Virtual Currency Guidance also reminded those in the industry that they themselves are responsible for ensuring they do not engage, directly or indirectly, in transactions prohibited by OFAC sanctions, including: (1) dealings with blocked persons or property, or (2) engaging in prohibited trade- or investment-related transactions. For example, OFAC emphasized, if a US person determines that they are in possession of virtual currency that is blocked pursuant to OFAC regulations, the person must deny all parties access to that virtual currency, comply with OFAC regulations related to the holding and reporting of blocked assets, and implement controls to isolate the blocked property going forward.
Similar to OFAC’s September 21 Updated Advisory, the Virtual Currency Guidance not only reiterated US sanctions prohibitions for the virtual currency industry but also highlighted best practices and compliance measures—in order to “help members of the virtual currency industry navigate and comply with OFAC sanctions” and “in keeping with OFAC's commitment to engage with the virtual currency industry to promote an understanding of, and compliance with, sanctions requirements.”11 The five areas that OFAC views as “best practices” for sanctions compliance in this industry are as follows:
- Management Commitment. The company’s senior management has a demonstrated commitment to sanctions compliance, generally; and to a sanctions compliance program, specifically. OFAC’s Virtual Currency Guidance indicates that management may make such a showing by, for instance: (1) reviewing and endorsing compliance policies and procedures; (2) ensuring adequate resources for compliance functions; (3) delegating sufficient authority to any compliance unit; and (4) appointing a dedicated sanctions compliance officer.12
- Risk Assessment. The company administers routine risk assessments to identify potential sanctions issues it is likely to encounter. According to OFAC, risk assessments allow companies to identify potential areas in which it may, directly or indirectly, engage with OFAC-sanctioned persons, countries, or regions—for instance, by taking a complete inventory of the entity’s “touchpoints to foreign jurisdictions or persons.” Such assessments are also “integral to developing effective sanctions compliance policies, procedures, internal controls, and training in order to mitigate exposure to sanctions risks.” As for the virtual currency industry, specifically, OFAC’s guidance states that risk assessments “should reflect a company’s customer or client base, products, services, supply chain, counterparties, transactions, and geographic locations, and may also include evaluating whether counterparties and partners have adequate compliance procedures.”13
- Internal Controls. The company’s sanctions compliance program includes controls to identify, interdict, and report transactions or activities prohibited by OFAC-administered sanctions, including due diligence on customers, business partners, and transactions.14 As part of such a program, the guidance sets forth additional best practices, including:
- Geolocation tools and IP address controls to block IP addresses that originate in sanctioned jurisdictions.
- Know Your Customer (KYC) procedures, including gathering names, IP addresses, and other identifying customer information.
- Transaction monitoring and investigation software to identify transactions involving virtual currency addresses or other information associated with sanctioned individuals, entities, and jurisdictions.
- Implementing remedial measures to address weaknesses in internal controls, including IP address blocking; screening KYC information; updating end-user agreements to include sanctions information; conducting retroactive batch screening; implementing training; and hiring compliance staff.
- Sanctions screening, including screening customer information against OFAC-administered lists.
- Testing and Auditing. The company subjects its sanctions compliance program to ongoing testing and auditing to ensure that it works as expected and planned. Basic testing and auditing functions include: ensuring any screening and blocking measures are functioning properly; procedures for investigating transactions identified through the screening process as having a sanctions nexus; and procedures for blocked property or rejected transaction reporting to OFAC.15
- Training. The company provides periodic (at a minimum, annual) OFAC training to all appropriate personnel, including compliance, management, and customer service personnel, where the scope of such training is “informed by the size, sophistication, and risk profile of the company.”16 In the Virtual Currency Guidance, OFAC makes clear that “training for the virtual currency industry should account for frequent changes and updates to sanctions programs, as well as new and emerging technologies in the virtual currency space.” Finally, OFAC expects that, as part of a company’s sanctions compliance program as a whole, companies will “hold employees accountable for meeting training requirements through the use of assessments.”
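The internal controls and the testing step described above (IP address geolocation blocking, screening counterparty virtual currency addresses and customer names against a blocked-persons list, retroactive batch screening, and a check that the blocking measures are still functioning) as an added Python example. It is not code from the advisory, from OFAC, or from any platform; every list entry, IP range, country code and transaction in it is a constructed placeholder, and a real deployment would draw its screening data from OFAC's published lists and a licensed geolocation database.

```python
"""Sanctions screening controls for a virtual currency platform (illustrative).

All reference data below is constructed for the example and stands in for the
OFAC-administered lists and the geolocation data a real platform would use.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed placeholder: virtual currency addresses associated with a blocked
# person, mapped to the listed name (not real SDN List entries).
BLOCKED_ADDRESSES: Dict[str, str] = {
    "bc1qblockedexampleaddress000000000000000000": "EXAMPLE EXCHANGE S.R.O.",
}
# Constructed placeholder: blocked-person names, upper-cased, whitespace collapsed.
BLOCKED_NAMES = {"EXAMPLE EXCHANGE S.R.O.", "JOHN EXAMPLE DOE"}
# Constructed stand-in for a geolocation database: RFC 5737 documentation
# ranges mapped to country codes chosen for the example only.
GEO_RANGES = [
    (ipaddress.ip_network("203.0.113.0/24"), "CU"),
    (ipaddress.ip_network("198.51.100.0/24"), "SY"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]
# Jurisdictions treated as comprehensively sanctioned in this example.
SANCTIONED_JURISDICTIONS = {"CU", "SY"}


@dataclass
class Transaction:
    tx_id: str
    customer_name: str
    login_ip: str
    counterparty_address: str


@dataclass
class ScreeningResult:
    decision: str                       # "clear", "review" or "block"
    hits: List[str] = field(default_factory=list)


def normalize_name(name: str) -> str:
    """Upper-case and collapse whitespace so list matching is not defeated by formatting."""
    return " ".join(name.upper().split())


def geolocate(ip: str) -> Optional[str]:
    """Return the country code for a login IP, or None if invalid or not in the map."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for network, country in GEO_RANGES:
        if addr in network:
            return country
    return None


def screen(tx: Transaction) -> ScreeningResult:
    """Apply the IP, address and name controls; any list hit blocks, an unknown
    jurisdiction goes to manual review rather than passing silently."""
    hits: List[str] = []
    country = geolocate(tx.login_ip)
    if country is None:
        hits.append("ip:unknown-jurisdiction")
    elif country in SANCTIONED_JURISDICTIONS:
        hits.append(f"ip:{country}")
    listed = BLOCKED_ADDRESSES.get(tx.counterparty_address)
    if listed:
        hits.append(f"address:{listed}")
    name = normalize_name(tx.customer_name)
    if name in BLOCKED_NAMES:
        hits.append(f"name:{name}")
    if any(not h.startswith("ip:unknown") for h in hits):
        return ScreeningResult("block", hits)
    if hits:
        return ScreeningResult("review", hits)
    return ScreeningResult("clear", hits)


def batch_screen(txs: List[Transaction]) -> Dict[str, ScreeningResult]:
    """Retroactive batch screening of historical transactions, keyed by tx_id."""
    return {tx.tx_id: screen(tx) for tx in txs}


def control_self_test() -> bool:
    """Audit check: each control must still block a known-bad probe transaction."""
    probes = [
        Transaction("probe-ip", "Probe Customer", "203.0.113.7", "bc1qcleanexample"),
        Transaction("probe-addr", "Probe Customer", "192.0.2.7", next(iter(BLOCKED_ADDRESSES))),
        Transaction("probe-name", "john  example doe", "192.0.2.7", "bc1qcleanexample"),
    ]
    return all(screen(p).decision == "block" for p in probes)


if __name__ == "__main__":
    # Constructed sample transactions.
    sample = [
        Transaction("t1", "Alice Example", "192.0.2.10", "bc1qcleanexample"),
        Transaction("t2", "Alice Example", "198.51.100.4", "bc1qcleanexample"),
        Transaction("t3", "Alice Example", "10.0.0.8", "bc1qcleanexample"),
    ]
    for tx_id, result in batch_screen(sample).items():
        print(tx_id, result.decision, result.hits)
    print("blocking controls functioning:", control_self_test())
```

The "review" outcome for an unresolvable IP is deliberate: the guidance treats geolocation as a control, so a gap in that control should surface to a compliance analyst rather than default to allowing the transaction, and `control_self_test` is the kind of recurring check the testing and auditing practice calls for.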
As in the Updated Ransomware Advisory that OFAC released last month, the Guidance notes that, in considering whether to pursue a potential enforcement action against a virtual currency platform, OFAC will consider as mitigating factors the company’s implementation of a risk-based OFAC compliance program; remedial measures taken in response to an apparent violation; and whether the company voluntarily self-discloses the issue to OFAC.17
Several recent enforcement actions illustrate OFAC’s consideration of such factors. For example, on December 30, 2020, OFAC announced a settlement with BitGo, Inc.—a US company that offers digital asset custody, trading, and financing services internationally—for processing virtual currency transactions on behalf of individuals who appeared to be located in sanctioned jurisdictions.18 Though BitGo tracked its users’ IP addresses when users logged in for security purposes, BitGo failed to prevent use of its service by individuals whom it had reason to know were located in sanctioned regions, such as Cuba and Syria. Given the number of transactions that OFAC identified as apparent violations, BitGo could have been subject to a civil penalty as high as $53,051,675.19 Yet OFAC agreed to settle the claims for $98,830, noting that the following mitigating factors, among others, were present: BitGo cooperated with OFAC’s investigation and invested in significant remedial measures in response (including hiring a compliance officer and implementing IP address blocking and SDN List screening). Likewise, a February 2021 settlement with BitPay, Inc.—a US virtual currency payment service provider that had processed virtual currency transactions between the company’s customers and persons in sanctioned jurisdictions—involved similar aggravating and mitigating factors.
In short, OFAC’s Virtual Currency Guidance is yet another example of the US government’s ongoing efforts to incentivize cooperation with US law enforcement (including by virtual currency exchanges) in the face of a cyberattack, as well as encourage companies to preemptively analyze whether their systems are adequately protected against cyberattacks—including the risk that any cyber-attack (such as a ransomware attack) may cause a company to implicate US sanctions laws.
* * * * *
OFAC’s September and October 2021 advisories provide a number of key takeaways for all companies dealing with cryptocurrency and other cybersecurity issues, including the corresponding potential sanctions risks. Most importantly, they highlight OFAC’s heightened focus on cybersecurity issues as a general matter, and put financial institutions, virtual currency platforms, and other companies on notice of OFAC’s expectations for how the private sector should deal with these issues. Companies should strongly consider heeding OFAC’s calls to implement preemptive compliance measures (such as data backup, incident response plans, screening and blocking protocols, and company training) and/or to cooperate with US law enforcement in the face of an attack; these are the best ways to mitigate today’s increasing number of cybersecurity related landmines.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
Dep’t of Treasury, U.S. Department of the Treasury Releases Sanctions Review (Oct. 18, 2021); see also Dep’t of Treasury, The Treasury 2021 Sanctions Review (Oct. 2021) at 2 (“We are mindful of the risk that, if left unchecked, . . . digital assets and payments systems could harm the efficacy of our sanctions.”).
OFAC, Sanctions Compliance Guidance for the Virtual Currency Industry (Oct. 2021).
Dep’t of Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Sept. 21, 2021).
Dep’t of Treasury, Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments (Oct. 1, 2020).
OFAC’s September 21, 2021 Updated Advisory, at 4-5.
OFAC Press Release, Treasury Takes Robust Actions to Counter Ransomware: Targets First Virtual Currency Exchange for Laundering Cyber Ransoms (Sept. 21, 2021).
OFAC Press Release, Publication of Sanctions Compliance Guidance for the Virtual Currency Industry and Updated Frequently Asked Questions (Oct. 15, 2021).
See OFAC, Sanctions Compliance Guidance for the Virtual Currency Industry (Oct. 2021).
See also Arnold & Porter Enforcement Edge Blog, Bits Too Far: Digital Wallet Company Settles OFAC Sanctions Violations (Jan. 15, 2021).
See OFAC Enforcement Release, OFAC Enters Into $98,830 Settlement with BitGo, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions (Dec. 30, 2020), at 2.