The agency’s focus on cryptocurrency and blockchain continues
On September 21, 2021, the US Treasury Department (Office of Foreign Assets Control, OFAC) issued an updated recommendation to “highlight the sanction risks associated with ransomware payments” – almost a year after the first such guidance was published – while imposing sanctions on SUEX, a virtual wallet accused of facilitating illegal transactions related to ransomware attacks. These developments underscore OFAC’s continued focus on sanction violations that largely affect virtual currencies and digital assets. In the following we briefly describe the measures taken by the agency.
OFAC’s updated Ransomware Advisory is thematically similar to its original October 2020 guidance on the issue. It emphasizes US national security interests in preventing ransomware payments to any person, organization, or jurisdiction subject to trade or economic sanction programs. As in the original guide, it warns US individuals to be vigilant when auditing such payments and encourages ransomware victims to consult with law enforcement before taking action.
However, the updated advisory goes even further, stating that OFAC will consider a company’s actions both before and after a ransomware attack in order to determine an appropriate response to any sanction violations that may arise. In particular, and as part of an effective sanctions compliance program, OFAC emphasizes the importance of:
- Taking proactive steps to “reduce the risk of blackmail by a sanctioned actor through the introduction or improvement of cybersecurity practices”; and
- Reporting ransomware attacks to “appropriate US government agencies” and working with them to respond to such attacks.
According to the updated recommendation, OFAC will view these measures as mitigating factors in its economic sanctions enforcement policy, which gives “significant” weight to prompt reporting of a ransomware incident to the authorities and “ongoing cooperation” in any subsequent investigation or remedial action. These guidelines highlight the importance of developing and implementing clear escalation procedures to ensure that reports of ransomware and other types of extortionate claims that could pose sanctions risk are reported promptly internally and, where appropriate, externally.
For the first time, OFAC has designated a virtual wallet, SUEX, as a Specially Designated Citizen, which means US individuals and businesses are largely excluded from direct or indirect transactions related to the exchange. SUEX has been sanctioned under Executive Order 13694, which authorizes sanctions against any person or entity involved in “malicious cyber activity”.
In this very first move against a virtual currency exchange, OFAC recognized that “most of the virtual currency activity” is legal, but that cybercrime often uses cryptocurrencies. To this end, the agency stated that more than 40% of SUEX’s transaction history was associated with “illegal actors”. However, OFAC did not disclose the specific activities that led to the designation of SUEX, nor did it identify clients or counterparties of SUEX for sanctions.
Perhaps as a sign of further review to come, OFAC made it clear that participants in the “virtual currency industry have a crucial role to play in implementing appropriate controls to combat money laundering and terrorist financing,” and reiterated its support for multinational efforts to prevent the exploitation of virtual financial assets by cyber criminals.
We will continue to monitor developments in this regard and provide updates as necessary.