OFAC: Ransomware Payments May Violate Sanctions Laws
The Office of Foreign Assets Control (OFAC) issued an advisory to companies, DFIR providers, insurers, and money remitters reminding the business community that paying ransoms to sanctioned parties is prohibited by U.S. law.
OFAC notes that “[f]acilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.”
This advisory has created confusion within the industry as to when a ransomware payment is permissible, whether past ransomware payments were permitted, and what firms in the cyber security and digital forensics industry, as well as their clients, need to do to protect themselves. LIFARS has invited David Tannenbaum from Blackstone Compliance Services, a firm which focuses on sanctions compliance, to answer some of these questions.
Q: What actions and transactions does OFAC prohibit with this advisory, and has it always been this way?
U.S. sanctions laws, which are often called the OFAC regulations, generally prohibit the dealing in blocked property or with comprehensively sanctioned countries. What this means in practical terms is that U.S. persons cannot transact with, or facilitate a transaction, with someone who has been placed under sanctions (“designated”) or with persons located in comprehensively sanctioned countries (Iran, Syria, North Korea, Cuba, and the Crimean region of Ukraine).
This advisory is a reminder that U.S. persons cannot conduct any transactions including ransom payments, absent permission from OFAC, with a sanctioned person. These payments have always been prohibited, but OFAC wants to use this advisory to remove all doubt within the community.
Q: Are all ransoms prohibited, and if not, what do the OFAC regulations prohibit?
In recent years, OFAC has become more involved in combating malicious cyber activity, either by assisting other federal agencies such as the DOJ in targeting cyber criminals, or to support OFAC’s existing programs towards comprehensively sanctioned countries such as North Korea. For example, OFAC has designated North Korean groups which use ransomware to fund the regime’s other activities, such as nuclear proliferation, but has also designated non-state actors such as Cryptolocker, which engaged in more traditional criminal activity.
Importantly, OFAC has not designated all cyber criminals and its prohibitions only extend to ransom payments from designated persons. OFAC constantly updates its sanctions lists, including its Specially Designated Nationals (“SDN”) List. In general, your company should avoid facilitating or transacting in the following:
• Ransom payments from persons, or where an investigation leads to a nexus with a person who has been designated by OFAC; or
• Ransom payments from state actors, or where an investigation leads to a nexus with those actors, when they involve North Korea, Iran, Syria, Cuba, or the Crimean region of Ukraine.
It is also important to remember that OFAC prohibitions extend beyond the payment itself. The regulations generally prohibit the facilitation of payments which includes but is not limited to insuring the payment, advising that a payment should occur, or conducting any action which enables a payment to occur.
Q: What controls does OFAC expect from the business community.
OFAC regulations operate on strict liability, and consider any action prohibited regardless of whether a business or person had knowledge that it involved a sanctions nexus. However, OFAC takes into account the size and sophistication of a person when determining whether there should be a penalty or the severity of the penalty.
This advisory states that it “also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments.” OFAC considers these firms to be sophisticated, and because it has issued the advisory it will expect that the firms have developed the appropriate controls to prevent sanctioned payments.
The controls required will vary depending on the type of firm and their role in the ransom payment. As a best practice, OFAC notes that compliance programs generally incorporate five elements: a) effective policies and procedures to prevent sanctioned activity, b) a risk assessment, c) internal controls such as the ability to screen for sanctioned parties, d) training, and e) independent testing.
However, detecting a sanctions nexus with a ransomware attack may be much more complex than screening against a watchlist, and may require a firm to analyze the malware against known malware of sanction parties, trace the cryptocurrency address to which the payment is to be sent, and understand which malicious cyber actors are associated with sanctioned parties.
Companies such as LIFARS play a key role in helping their client understand the risks, and providing evidence to downstream firms such as insurers or the ransom payers that a ransom payment isn’t associated with a sanctioned party. A documented due diligence process goes a long way to demonstrating to OFAC that a firm takes the appropriate actions to prevent sanctions violations.
Q: What about involving law enforcement in the incident response?
Establishing a good line of communication with law enforcement who might be able to share intelligence about the ransomware group at issue is also beneficial since OFAC states that it “will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor” when OFAC is determining whether to bring an enforcement action should there be a sanctions nexus with the ransomware payment.
Q: You mentioned that OFAC may give permission for certain payments. How likely is this, and what does a firm need to do?
OFAC permits certain transactions which would be ordinarily prohibited through a licensing system. A “general license” from OFAC allows all firms to engage in a certain type of transaction, such as winding down prior business or sending food and medicine to a sanctioned country. Conversely, a “specific license” can be issued to OFAC to a firm directly to allow for a specific type of transaction.
OFAC’s advisory states that firms may apply for a license to pay a ransom to a sanctioned party, but that it will operate under a presumption that it will deny the license. This does not mean that all license requests will be denied, as OFAC may make an exception if the harm to national security interests for not paying the ransom outweighs the harm of the payment itself. These would be exceptional cases which should be adjudicated on a case by case basis.
Q: I think my company may need a robust OFAC compliance program in light of this advisory. Where did I even start?
OFAC lays out its expectations about each of the five elements I mentioned above (effective policies and procedures to prevent sanctioned activity, a risk assessment, internal controls, training, and independent testing) in A Framework for OFAC Compliance Commitments, which it released in 2019. If you have further questions, feel free to contact me at firstname.lastname@example.org.
Mr. Tannenbaum created Blackstone Compliance Services, a company specializing in sanctions compliance after leaving OFAC in 2013. As the director of Blackstone, Tannenbaum has led sanctions testing for three major monitorships on behalf of the US Department of Justice, Federal Reserve Board and New York Department of Financial Services. This testing has included a review of policies and procedures, compliance IT infrastructure and audits of high-risk branches and affiliates. Tannenbaum has provided advice and assistance in the implementation of multiple sanctions screening filters, has overseen model validation efforts of those systems, and is routinely called to tune and evaluate filtering systems to help banks tailor their approach.
David Tannenbaum has significant experience in assisting banks in developing their sanctions programs.
- SCP Development
Overseen the development and enhancement of five top-10 global banks’ sanctions compliance programs
- Responded to Regulators
Has represented both regulators and banks on issues involving the DOJ, banking regulators, and OFAC.
- Risk Monitoring
Established transaction monitoring scenarios which specialize in detecting sanctions risks in multiple jurisdictions.
- Policies and Procedures
Created procedures to monitor their filtering and list management program.