Weekly Fintech Focus

  • FinCEN and OFAC issue advisories on handling ransomware attacks, putting victims and those who help victims pay cybercriminals on notice that ransomware payments are risky and could result in violations of U.S. financial and sanctions laws.
  • California signs into law its new consumer protection law, creating an expanded agency and giving it new enforcement and licensing powers.

FinCEN and OFAC Issue Advisories Targeting Ransomware Attacks

On October 1, 2020, the U.S. Department of the Treasury’s Office of Terrorism and Financial Intelligence released two advisories (from FinCEN and OFAC). Both of these advisories explain that ransomware schemes typically involve convertible virtual currency as it is the “preferred payment method of ransomware perpetrators.” The FinCEN advisory reminds money services businesses of their obligations to monitor for red flags and file suspicious activity reports in connection with incidents of ransomware “conducted by, at, or through the financial institution,” including with respect to ransom payments made by financial institutions that are victims of ransomware. The OFAC advisory “encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus.” In short, victims of ransomware attacks or third-party companies that help victims to pay cybercriminals are put on notice that these payments could violate sanctions laws.

Ransomware is malicious software generally used by cybercriminals to infiltrate and block access to a computer system or other data. Once the cybercriminals have blocked access to the computer system, they use this control to extort the ransom payments from the victims. Often these ransom payments are demanded in the form of digital currency.

FinCEN’s advisory considers financial intermediaries to play a critical role in the collection of ransom payments. Financial institutions that are involved in ransomware payments generally include a depository institution and money services businesses. As ransomware payments are often made in digital currency, the victim will often transfer funds to a digital currency exchange, purchase the type and amount of cryptocurrency required by the ransomware perpetrator, and then send the digital currency to the perpetrator. The digital currency is generally held in a wallet hosted at the exchange and then transferred to the wallet of the perpetrator. The perpetrator then launders the funds through mixers, tumblers, or other means, in an effort to avoid detection or tracing.

An entity that engages with victims of ransomware attacks, including those that provide cyber insurance, digital forensics and incident response, and financial services for processing payments, may be considered a money services business depending on its role in the ransomware transactions, and is also subject to the OFAC regulations discussed below.

FinCEN also identifies financial red flag indicators of ransomware-related illicit activity to assist financial institutions in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks. These red flags include:

  • A customer opening a new account or interacting with the financial institution and providing information that a payment is in response to a ransomware incident.
  • For financial institutions handling digital currency transactions, a customer’s digital currency address, or the address the customer is transacting with, appearing in open sources or being identified by commercial or government analysis as linked to ransomware strains or payments.
  • A transaction between an entity in a sector that is a frequent ransomware target (governments, financial institutions, educational institutions, and healthcare providers) and a digital forensics company or cyber insurance company; a financial institution should consider reviewing such a transaction for suspicious activity.
  • Other activity involving digital forensics or cyber insurance companies, such as the company quickly sending funds received from a higher-risk institution to a digital currency exchange, or sending large digital currency transactions when the company has no history of such transactions.
  • Other suspicious digital currency transactions that could be tied to ransomware activity, such as multiple rapid trades between multiple digital currencies, or transactions involving digital currency exchanges located in a high-risk jurisdiction.
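As an added illustration (not part of the advisory or of this post), the red flags above expressed as a screening rule over constructed transaction records; the Tx record layout, the placeholder reference lists, the sector labels, the 100,000 USD "large" threshold and the 24-hour "rapid" window are all assumptions a compliance team would replace with its own risk assessment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference data (placeholders, not real indicators); populate from open-source,
# commercial or government analysis and your own risk assessment.
RANSOMWARE_ADDRESSES = {"bc1q-PLACEHOLDER-ransomware-addr"}
HIGHER_RISK_INSTITUTIONS = {"PLACEHOLDER-HIGH-RISK-BANK"}
HIGH_RISK_JURISDICTIONS = {"ZZ"}
TARGETED_SECTORS = {"government", "financial_institution", "education", "healthcare"}
PAYMENT_HELPERS = {"ir_firm", "cyber_insurer"}  # digital forensics/IR and cyber insurance firms
LARGE_USD = 100_000.0                           # assumed threshold for a "large" transfer
RAPID_WINDOW = timedelta(hours=24)              # assumed window for "quickly" / "rapid"

@dataclass
class Tx:
    when: datetime
    customer: str
    customer_type: str           # sector or role: "healthcare", "ir_firm", "other", ...
    direction: str               # "in" or "out" from the customer's point of view
    amount_usd: float
    asset: str                   # "USD", "BTC", "XMR", ...
    counterparty: str = ""       # institution name or digital currency address
    counterparty_type: str = ""  # "bank", "exchange", "wallet", "ir_firm", "cyber_insurer"
    jurisdiction: str = "US"     # counterparty jurisdiction
    memo: str = ""

def ransomware_red_flags(tx: Tx, history: list[Tx]) -> list[str]:
    # Red flags raised by tx, judged against the same customer's earlier transactions
    mine = [h for h in history if h.customer == tx.customer]
    recent = [h for h in mine if timedelta(0) <= tx.when - h.when <= RAPID_WINDOW]
    flags = []
    if "ransom" in tx.memo.lower():
        flags.append("customer_states_payment_is_for_ransomware")
    if tx.counterparty in RANSOMWARE_ADDRESSES:
        flags.append("address_linked_to_ransomware")
    if tx.customer_type in TARGETED_SECTORS and tx.counterparty_type in PAYMENT_HELPERS:
        flags.append("targeted_sector_paying_forensics_or_insurer")
    if tx.customer_type in PAYMENT_HELPERS:
        if tx.direction == "out" and tx.counterparty_type == "exchange" and any(
                h.direction == "in" and h.counterparty in HIGHER_RISK_INSTITUTIONS for h in recent):
            flags.append("helper_quickly_forwards_high_risk_funds_to_exchange")
        if tx.asset != "USD" and tx.amount_usd >= LARGE_USD and not any(
                h.asset != "USD" and h.amount_usd >= LARGE_USD for h in mine):
            flags.append("large_digital_currency_tx_without_history")
    if tx.asset != "USD" and len({h.asset for h in recent if h.asset != "USD"} | {tx.asset}) >= 3:
        flags.append("rapid_trades_across_multiple_digital_currencies")
    if tx.counterparty_type == "exchange" and tx.jurisdiction in HIGH_RISK_JURISDICTIONS:
        flags.append("exchange_in_high_risk_jurisdiction")
    return flags
# Constructed sample: an IR firm receives funds from a higher-risk bank, then forwards BTC to an exchange
SAMPLE_HISTORY = [Tx(datetime(2020, 10, 5, 9, 0), "ir-co", "ir_firm", "in", 250_000.0, "USD", "PLACEHOLDER-HIGH-RISK-BANK", "bank")]
SAMPLE_TX = Tx(datetime(2020, 10, 5, 15, 0), "ir-co", "ir_firm", "out", 240_000.0, "BTC", "ExampleExchange", "exchange")
```

`ransomware_red_flags(SAMPLE_TX, SAMPLE_HISTORY)` returns two flags for the sample (the quick forward to an exchange and the large first-ever digital currency transfer); a hit only marks a transaction for review, it does not by itself establish that a SAR is required.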

OFAC’s advisory explains that OFAC sanctions programs prohibit U.S. persons from engaging in transactions with designated individuals and entities or with persons located in certain countries. OFAC has designated numerous individuals and entities under its cyber-related sanctions program and other sanctions programs that have used ransomware to attack governments and companies in the United States. Under OFAC regulations, financial institutions and other companies are encouraged to have risk-based compliance programs designed to mitigate exposure to sanctions violations.

Entities that make or facilitate ransomware payments to designated persons or entities, or to sanctioned jurisdictions, can be subject to OFAC enforcement. OFAC’s Enforcement Guidelines state that significant mitigating factors include a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement and the company’s cooperation with law enforcement during and after a ransomware attack.

California Expands Consumer Financial Protections

On September 25, 2020, California Governor Newsom signed into law AB 1864, a law that creates a new consumer financial protection department (the Department of Financial Protection and Innovation (DFPI)) and enacts the California Consumer Financial Protection Law (CCFPL). The DFPI replaces the current California Department of Business Oversight (DBO), and the state has already updated the agency’s website to reflect the name change. We discussed this bill’s passage on this blog a few weeks ago. The law goes into effect on January 1, 2021, and the DFPI will be hiring 90 additional employees over the next three years to focus on its new activities. This is a 13% increase in staffing.

To recap, the law expands the new agency’s powers from those of the DBO to allow it to license more industries and expands the agency’s UDAP (unfair or deceptive acts or practices) powers to also cover abusive acts or practices. The DFPI will be empowered to create future registration requirements for a broader swath of consumer financial industry players, including entities that act as consumer reporting agencies and debt collectors, entities that the DFPI considers engaged in activities that attempt to evade consumer financial laws, or entities that are engaged in activities that are permissible for a bank to offer and will likely have a material impact on consumers. Presumably, future registration requirements could apply to credit reporting agencies or to buy-now-pay-later companies. Notable entity exemptions, including escrow agents, finance lenders or brokers, and check sellers and bill payers, are defined in the CCFPL.