It’s a Sign: Key Takeaways from FinCEN’s Ransomware Report
October 20, 2021
Last Friday, in a report mandated by the new Anti-Money Laundering Act of 2020, FinCEN offered a glimpse into the black box of SAR data by publishing some of its analysis on the reporting of ransomware activity. FinCEN’s report shows a substantial increase in the prevalence of ransomware attacks in the broader marketplace and signals the agency’s likely focus for the year to come. The report provides some clear signs of regulatory expectations and compliance priorities in key areas. “Privacy” tokens, referred to by FinCEN as AECs or anonymity enhanced cryptocurrencies, remain in the spotlight, while the activity of foreign-based exchanges is subject to greater focus. Digital forensic incident response (DFIR) firms, meanwhile, receive special attention for their growing role in ransomware response.
What the Data Shows
Section 6206 of the Anti-Money Laundering Act (“AMLA”) of 2020 requires FinCEN to periodically publish analytical reports based on SARs filed by financial institutions. This report on trends in ransomware-related SAR data is the first report issued by FinCEN under the AMLA requirement. According to the data, companies filed substantially more ransomware-related SARs in 2021, with 635 SAR filings reporting an aggregate US$590 million in suspicious activity in the first half of the year alone. Bitcoin was the currency of choice for ransomware demands. FinCEN also highlighted the use of AECs, though the report shows that the privacy coin Monero was noted in only 17 SARs, and cryptocurrency mixers in only approximately 1% of ransomware transactions. Additionally, the report detailed that just a handful of DFIR firms accounted for 63% of SARs filed in the first half of 2021.
Based on its analysis of SAR data, FinCEN identified six money laundering characteristics of ransomware transactions:
- threat actors are increasingly requesting payments in AECs (namely Monero);
- threat actors typically avoid reusing wallet addresses;
- centralized cryptocurrency exchanges (primarily foreign exchanges) are preferred as cash-out points;
- chain hopping is used to obfuscate financial trails on blockchains;
- mixing services are prevalent in 2021; and
- decentralized exchanges are likely being used to convert illicit proceeds.
Compliance Messages, Expectations, and Risks
FinCEN’s report offers clear compliance priorities for blockchain-based financial institutions, and also signals the areas likely to receive the most enforcement scrutiny.
- AECs (Privacy coins) – Despite only identifying a modest increase in the use of Monero for ransomware payments between 2020 and 2021, FinCEN highlights the risks of AECs in its continuing crusade against privacy coins. A compliance program that does not either exclude transactions with AECs or have customized controls for this category of transaction risks being considered in violation of AML requirements.
- Ransomware variants – Through SAR data and blockchain analytics, FinCEN determined that the top ten ransomware variants (“variant” generally reflects the strain of ransomware favored by particular threat actors) received ransomware payments primarily involving 177 different digital addresses. In making this determination, FinCEN would have utilized industry-available blockchain analytics in conjunction with available SAR data and noted instances where a financial institution that was connected to the payment may not have filed a SAR. Blockchain-based financial institutions should review ransomware alerts and activity from July 2018 to the present for potential reportable activity.
- Foreign exchanges – FinCEN’s analysis suggests that certain foreign exchanges are at increased risk of facilitating ransomware, which should increase compliance obligations of their US counterparties. Specifically, FinCEN identified that 51% of ransomware transactions involved a centralized exchange, primarily a foreign exchange.
- Under section 312 of the USA PATRIOT Act, US blockchain-based financial institutions organized as banks or state-chartered trusts must undertake specific due diligence on foreign financial institutions with whom they regularly do business. US blockchain-based financial institutions should be aware of data available from blockchain analytics firms, academia, and industry reporting that may indicate increased risk related to their foreign partners. The penalties for failing to conduct such diligence are as high as US$1 million per violation. While blockchain-based financial institutions organized as money services businesses do not have the same statutory requirement and penalty exposure, they are obligated to conduct similar due diligence for their foreign counterparties.
- Under section 311 of the USA PATRIOT Act, FinCEN can designate a foreign financial institution to be of “primary money laundering concern.” FinCEN can then prohibit domestic banks from doing business with any foreign bank that engages with that foreign institution. Because of the US banking system’s importance to international clearing, foreign banks would likely cut ties with any institution labeled a primary money laundering concern rather than risk losing their US correspondent accounts. (See our February 25, 2020 client alert for a detailed discussion on the potential use of 311s and GTOs in cryptocurrency.)
The Role of Digital Forensics Incident Response Firms
FinCEN’s report gives special attention to the role DFIR firms play in facilitating ransomware payments on behalf of victims, noting that over a third of all ransomware SARs filed in the first half of 2021 were filed by a small number of DFIR firms. These firms, with their central role in negotiating and facilitating ransomware payments, may have their own obligations under the Bank Secrecy Act (“BSA”) and money laundering statutes.
- Money services business regulation – FinCEN has already indicated that DFIR firms may be engaged in regulated money transmission and subject to BSA regulation as a money services business. Firms providing money transmission as an integral part of another service may, however, be exempt from these requirements. Even where some activity falls within an integral exemption, if any part of the money transmission services is not integral to the entity’s underlying service, then the business will be an MSB to the extent it engages in those services.
- Enforcement risks – Whether regulated as an MSB or not, a DFIR firm, like the target of the ransomware attack itself, must avoid payments that would facilitate money laundering, or payments to parties targeted pursuant to US economic sanctions laws, as we discuss here.
Ransomware continues to draw significant attention from enforcement agencies, lawmakers, political appointees, and industry. The pressure is mounting on regulators and law enforcement to take meaningful enforcement action consistent with recent published guidance. Blockchain-based financial institutions and DFIR firms that adopt sound compliance policies (including due diligence and transaction monitoring) will minimize the risk of being a target of such enforcement.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Greta Lichtenbaum, an O’Melveny partner licensed to practice law in the District of Columbia, Laurel Loomis Rimon, an O’Melveny partner licensed to practice law in the District of Columbia and California, and John Dermody, an O’Melveny counsel licensed to practice law in the District of Columbia and California, and Braddock Stevenson, an O'Melveny counsel licensed to practice law in the District of Columbia, California, New Jersey, New York, and Pennsylvania, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2021 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.