On March 7, 2022, the Financial Crimes Enforcement Network (FinCEN) of the US Department of the Treasury published guidance (Guidance) for US financial institutions warning about: (1) efforts of foreign actors to evade expanding US economic sanctions and trade restrictions related to the Russian Federation and Belarus and (2) increased risk of malicious cyber-attacks and related ransomware campaigns, following the invasion of and continued military action in Ukraine.  The Guidance provides instructive red flags and related advice for all US financial institutions to evaluate, and provides information of particular relevance for Money Services Businesses (MSBs) and other FinCEN-regulated institutions undertaking transactions in what the agency calls “convertible virtual currency” (CVC).

Most notably, FinCEN strongly encourages US financial institutions that have information about CVC flows, including exchangers or administrators of CVC to: (1) be mindful of efforts to evade expanded US sanctions and export controls related to Russia and Belarus, summarized by Steptoe here; (2) submit Suspicious Activity Reports (SARs) as soon as possible regarding such conduct; (3) undertake appropriate risk-based due diligence of customers, and where required, enhanced due diligence; (4) voluntarily share information with other financial institutions consistent with Section 314(b) of the USA PATRIOT Act; and (5) consider using tools to identify assets that must be blocked or frozen under applicable sanctions.

General Sanctions Evasion Guidance

As a result of restrictive financial and trade measures that have recently been imposed, the Guidance warns that sanctioned Russian and Belarusian actors may seek to evade sanctions, including via non-sanctioned financial institutions in Russia and Belarus, as well as financial institutions in third countries.  In particular, actions to evade or avoid US sanctions could be conducted by various CVC-related actors, including exchangers and administrators within or outside Russia with ties to the international financial system.

Therefore, all US financial institutions should be mindful of red flags, including information suggesting potential nexuses to corruption, money laundering, and sanctions evasion.  These risks may be heighted when dealing with a politically exposed person (PEP), which includes individuals such as government or political party officials, their family members, and representatives, and entities or charities associated with them, among other actors..  The following indicators, which have been set forth in previous publications by FinCEN, should be considered:

  • Use of corporate vehicles such as shell companies and legal arrangements to obscure (i) ownership, (ii) source of funds, or (iii) countries involved;
  • Use of shell companies to conduct international wire transfers, particularly involving financial institutions in jurisdictions outside the country of company registration;
  • Use of third parties to conceal the identity of sanctioned persons and/or PEPs seeking to hide the origin or ownership of funds, g., to hide the purchase or sale of real estate;
  • Accounts in jurisdictions or with financial institutions experiencing a sudden increase in value being transferred to their respective areas or institutions, absent a clear economic or business rationale;
  • Jurisdictions previously associated with Russian financial flows that are identified as having a notable recent increase in new company formations;
  • Newly established accounts that attempt to send or receive funds from a sanctioned institution or an institution removed from the Society for Worldwide Interbank Financial Telecommunication (SWIFT); and
  • Non-routine foreign exchange transactions that may indirectly involve sanctioned Russian financial institutions, including “transactions that are inconsistent with activity over the prior 12 months.” For example, the Guidance warns that the “Central Bank of the Russian Federation may seek to use import or export companies to engage in foreign exchange transactions on its behalf and to obfuscate its involvement.”

Sanctions Evasion, Money Laundering, and Ransomware Indicators involving CVC

The Guidance explicitly addresses actions to evade or avoid US sanctions that could be conducted by CVC exchangers and administrators and other actors in the blockchain ecosystem. and warns that US financial institutions face increase risk posed if dealing with CVC payments associated with Russian-related ransomware campaigns.

CFT In particular, the Guidance warns that sanctioned persons, illicit actors, and their networks or facilitators may attempt to use CVC and anonymizing tools to evade US sanctions and protect their assets around the globe, including in the US.  As a result of such conduct, CVC exchangers and administrators and other types of MSBs may observe attempted or completed transactions tied to CVC wallets or other CVC activity associated with sanctioned Russian, Belarusian, and other affiliated persons.  The following red flags should be considered in this context:

  • A customer’s transactions are initiated from or sent to the following types of Internet Protocol (IP) addresses: (1) non-trusted sources; (2) locations in Russia, Belarus, or other jurisdictions identified with AML or sanctions compliance deficiencies, and comprehensively sanctioned jurisdictions; or (3) IP addresses previously flagged as suspicious;
  • A customer’s transactions are connected to CVC addresses listed on the US Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons (SDN) List;
  • A customer uses a CVC exchanger or foreign-located MSB in a high-risk jurisdiction with AML/CFT deficiencies, particularly for CVC entities and activities, including inadequate “know-your-customer” or customer due diligence measures.

With regard to ransomware, FinCEN (and OFAC) have previously published guidance about compliance best practices (discussed here).  In this regard, indicators to help detect, prevent, and report potential suspicious activity include:

  • A customer receives CVC from an external wallet, and immediately initiates multiple, rapid trades among multiple CVCs with no apparent related purpose, followed by a transaction off the platform, which may indicate efforts to “break the chain of custody on the respective blockchains or further obfuscate the transaction;”
  • A customer initiates a transfer of funds involving a CVC mixing service; or
  • A customer has either direct or indirect receiving transaction exposure identified by blockchain tracing software as related to ransomware.

Suspicious Activity Reports (SARs)

The Guidance reiterates regulatory requirements for a US financial institution with respect to (1) determining the criteria for when a SAR must be submitted to FinCEN and (2) obligations to keep records and provide information at the request of FinCEN or US law enforcement.

For SARs involving potential evasion of Russian-related sanctions, the Guidance directs financial institutions to include the key term “FIN-2022 RUSSIASANCTIONS” in SAR field 2 (Filing Institution Note to FinCEN).  The narrative of the SAR should describe any connections between the suspicious activity being reported and the activities highlighted in the Guidance.

For SARs involving ransomware, the Guidance reiterates that it is critical that financial institutions (including CVC exchanges) identify and immediately report any suspicious transactions associated with such attacks. That is, suspicious transactions involving ransomware attacks require immediate attention with as much information available provided in an initial SAR, with amended SARs filed later, as warranted.  As part of such SARs, US financial institutions should include any relevant technical cyber indicators related to cyber-attacks or hacks and associated transactions within the available cyber event indicator fields (42-44) on the SAR, including but not limited to chat logs, suspicious IP addresses, suspicious email addresses, suspicious filenames, malware hashes, CVC addresses, command and control (C2) IP addresses, C2 domains, targeted systems, MAC address, or port numbers.

Financial institutions desiring to expedite a SAR that may involve Russian sanctions evasion or related cyberattacks and ransomware are also encouraged to call the FinCEN Financial Institutions Toll-Free Hotline at (866) 556-3974. The purpose of the hotline is to expedite the delivery of this information to US law enforcement.

Finally, the Guidance addresses when a blocked property report submitted to OFAC warrants a SAR filed with FinCEN.  More specifically, if the US financial institution is in possession of information not included on the blocked property report submitted to OFAC, then a separate SAR should be filed with FinCEN including this information.  FinCEN advises that this process does not affect a financial institution’s obligation to file a SAR, even if it has already filed a blocked property report or rejected transaction report with OFAC, when there are facts about the positive SDN match that are independently suspicious or otherwise are required to be reported under FinCEN’s regulations.  Should such circumstances arise, the OFAC blocked property/rejection report would not satisfy a US financial institution’s independent legal obligation to submit a SAR to FinCEN.  Finally, ransomware attacks and payments on which financial institutions file SARs should also be reported to OFAC at OFAC_Feedback@treasury.gov  if there is any reason to suspect a potential sanctions nexus with regard to a ransomware payment.

Other Obligations and Encouraged Practices

Although not specifically focused on Russian sanctions evasion or sponsored cyberattacks, the Guidance provides helpful information about the following AML/CFT obligations useful to FinCEN and US law enforcement:

  • Establishment of risk-based controls and procedures that include reasonable steps to ascertain the status of an individual as a foreign PEP and to conduct scrutiny of assets held by such individuals;
  • Customer Due Diligence Rule covering US banks, brokers or dealers in securities (B/Ds), mutual funds (MFs), and futures commission merchants and introducing brokers (FCM/IBs) in commodities to identify and verify the identity of beneficial owners of legal entity customers, subject to certain exclusions and exemptions;
  • Enhanced due diligence and programs for private banking accounts held for non-US persons that are designed to detect and report any known or suspected money laundering or other suspicious activity;
  • Correspondent account due diligence and AML programs covering US banks, B/Ds, MFs, and FCM/IBs under 31 CFR § 1010.610(a);
  • Establishment of adequate and appropriate policies, procedures, and controls by MSBs commensurate with the risk of money laundering and the financing of terrorism posed by their relationship with foreign agents or foreign counterparties;
  • Other reports required under the US Bank Secrecy Act, including: (1) Currency Transaction Report, (2) Report of Cash Payments Over $10,000 Received in a Trade or Business (Form 8300), (3) Report of Foreign Bank and Financial Accounts; (4) Report of International Transportation of Currency or Monetary Instruments, (5) Registration of Money Service Business, and (6) Designation of Exempt Person.

Finally, the Guidance encourages all US financial institutions and associations of financial institutions to share voluntarily information about sanctions evasion, ransomware/cyberattacks, money laundering, and proceeds of corruption or other malign activities related to Russia and Belarus. US financial institutions must “opt in” to FinCEN’s systems under the safe harbor as authorized by section 314(b) of the USA PATRIOT Act to share information with one another regarding individuals, entities, organizations, and countries suspected of possible terrorist financing, money laundering, or other illicit acts.

Should you have questions about this Guidance, please contact our AML Team.