On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) published advisories on the sanctions and anti-money laundering (AML) risks of facilitating ransomware payments.

Ransomware attacks have become increasingly common in recent years with malicious attacks targeting companies in a variety of industries, including healthcare, technology, and education, among others.  Ransomware attacks typically involve a hacker breaching a company’s information technology (IT) infrastructure and encrypting a company’s data or other systems. The attacker then typically demands the victim pay a ransom in exchange for a decryption key that allows the victim to unlock the IT systems or data.  Such attacks can have severe consequences for the victim, often preventing the victim from being able to conduct business operations in whole or in part, and, in the case of healthcare companies such as hospitals, can potentially lead to loss of life, as reportedly occurred recently with a ransomware attack on a hospital in Germany.  Such inability to conduct business can also have ripple effects on other companies or individuals whose data is affected.  In some instances, an attacker may also threaten to disclose private information or data unless the ransom is paid.

As a result, victims of ransomware attacks often choose to pay the ransom.  However, because ransomware attackers rarely, if ever, identify themselves, and often demand payment in cryptocurrency, victims making such payments are generally forced to do so without a clear understanding of the recipient.  Such conduct potentially exposes the victim, and third party service providers (including financial institutions and incident response consultants, among others), to violations of and obligations under US sanctions and/or AML laws.

The OFAC and FinCEN advisories provide information to the public regarding the sanctions and AML risks to victims and third party service providers, including US financial institutions, who assist victims in responding to ransomware attacks.  While in many respects the guidance does not break new regulatory ground, it is a stark reminder of the way that those trying to deal with the consequences of a ransomware attack can find themselves in trouble with the US government.  This puts victims and companies that assist them in a difficult conundrum: don’t pay the ransom and potentially watch the victim company’s business get destroyed, or pay the ransom and run the risk of violating US sanctions and AML laws.  It is therefore imperative that victim companies and those in the business of facilitating ransom payments carefully consider the legal risks and evaluate potential ways to avoid or minimize them.


Continue Reading Five Key Takeaways from OFAC and FinCEN’s Ransomware Advisories

On August 18, 2020, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) published a statement outlining the agency’s approach to enforcement of the Bank Secrecy Act (“BSA”), including anti-money laundering (“AML”) regulations issued by FinCEN pursuant to the BSA.  As described in a press release accompanying the statement, the document “aims to provide clarity and transparency to [FinCEN’s] approach when contemplating compliance or enforcement actions against covered financial institutions that violate the BSA.”

This relatively brief statement apparently represents FinCEN’s first published guidance that comprehensively identifies the agency’s enforcement priorities and policies, and it may reflect an effort by FinCEN to place more emphasis on its enforcement function. The statement lacks the details of enforcement guidance published by other agencies on issues of trade and financial regulation, such as Treasury’s Office of Foreign Assets Control (“OFAC”). While many of the topics covered by the FinCEN statement will be familiar to covered financial institutions, there are also a few noteworthy clarifications in the statement.


Continue Reading FinCEN Publishes Statement Setting Forth Agency’s Approach to BSA Enforcement

Skirting over financial crime due diligence when considering a quick transaction in an emerging market can cost you dearly down the line when regulators or shareholders discover issues with regulatory compliance after your transaction. The safer and ultimately more cost-effective course may be an independent assessment of the financial crimes compliance risks before completing cross-border

The UK Financial Conduct Authority (FCA) has fined Commerzbank AG’s London branch (Commerzbank London) £37.8 million for failing to institute adequate anti-money laundering (AML) controls from 2012 to 2017 in violation of Principle 3 of the FCA’s Principles for Businesses.

Mark Steward, the FCA’s Executive Director of Enforcement and Market Oversight, stated that “Commerzbank London’s failings over several years created a significant risk that financial and other crime might be undetected,” although the FCA did not identify any evidence of financial crime having been caused or facilitated by Commerzbank London’s AML control failings.

Financial institutions operating in the United Kingdom, such as Commerzbank London, are responsible for minimizing their risk of being used for criminal purposes, including the risk of being used to facilitate money laundering or terrorist financing.  UK firms are required to mitigate this risk by organizing and controlling their affairs responsibly and effectively, establishing and maintaining an effective, risk-based AML control framework and complying with the applicable Money Laundering Regulations.


Continue Reading UK Financial Conduct Authority Fines Commerzbank’s London Branch £37.8 Million for Anti-Money Laundering Control Failings

The ink may barely be dry on (most) Member States’ national legislation transposing the EU’s Fifth Anti-Money Laundering Directive but the European Commission is pressing ahead with ever-more ambitious plans to tackle money laundering and terrorism financing with the aim of ensuring EU anti-money laundering laws are enforced consistently across all Member States.  On 7 May, the Commission adopted a new action plan, together with a parallel public consultation, with a view to delivering on the proposed actions by early 2021.

The new action plan is built on six specified pillars:

  • Effective implementation of existing rules;
  • A single EU rulebook;
  • EU-level supervision;
  • A support and cooperation mechanism for financial intelligence units;
  • Better use of information to enforce criminal law; and
  • A stronger EU in the world.


Continue Reading Trust, but Supervise – European Commission Sets Out New AML/CTF Action Plan

According to the European Commission, fraud offences against the European Union (EU) budget cost the EU and its member states over €1 billion in losses in 2018, in addition to the annual losses of around €150 billion resulting from VAT fraud. With current criminal enforcement efforts across the EU apparently failing to effectively tackle such offences, the EU established the European Public Prosecutor’s Office (EPPO) to act as an independent and decentralized office with the power to investigate and prosecute crimes against the EU budget, such as fraud, corruption, misappropriation and cross-border VAT-related fraud.

Set to become fully operational in November 2020, based in Luxembourg, with its funding for 2020 increased by nearly 50%, the EPPO is expected to ramp up prosecutions of corporate crime concerning the EU’s financial interests and facilitate the recovery of misused EU funds. Previously, only national authorities could investigate and prosecute such offences within the scope of their own borders.


Continue Reading Client Advisory: European Public Prosecutor to Take EU Finance Fraudsters to Task?

Click here to read the full Client Advisory from Steptoe.

On March 4, 2020, the Financial Crimes Enforcement Network (FinCEN) of the US Treasury Department imposed a $450,000 civil money penalty against the former chief operational risk officer at US Bank National Association (US Bank), for his alleged role in failing to prevent violations of US anti-money laundering (AML) laws and regulations that occurred during his tenure.

FinCEN’s unprecedented individual enforcement action is the latest sign that US AML regulators intend to hold individual executives accountable for their roles in financial institutions’ violations of law. It serves as a reminder of the importance of strengthening compliance programs in order to minimize the likelihood of findings of individual liability. Meanwhile, authorities outside the United States, including in the UK, are increasingly focused on AML failings and individuals potentially liable for those failings.


Continue Reading Client Advisory: FinCEN Penalizes Compliance Officer for Anti-Money Laundering Failures

On 5 February 2020, the UK Court of Appeal dismissed a challenge to the UK’s first Unexplained Wealth Order (UWO). Mrs. Zamira Hajiyeva, wife of the former chair of the International Bank of Azerbaijan who was sentenced to 15 years in jail in 2016 for defrauding the bank out of £2.2 billion, launched a challenge against the UK National Crime Agency’s (NCA) first ever UWO, attempting to overturn the UWO against a property in Knightsbridge, London, purchased for £11.5 million. Her arguments that the NCA mischaracterized her husband’s status as a politically exposed person (PEP) and that her husband’s conviction was the result of a “grossly unfair trial” were rejected by the Court of Appeal. This decision will likely energise and provide a boost to the NCA and other law enforcement agencies in seeking UWOs to seize ill-gotten gains in the future.

Continue Reading UK Court of Appeal Rejects Unexplained Wealth Order Challenge

On October 11, the leaders of the Commodity Futures Trading Commission (CFTC), Financial Crimes Enforcement Network (FinCEN), and the Securities and Exchange Commission (SEC) issued a joint statement regarding anti-money laundering (AML) compliance for persons engaged in certain activities involving digital assets. While the statement largely reaffirms known agency guidance and existing regulations, it is noteworthy for a number of reasons.

Continue Reading U.S. Regulators Issue Joint Statement on AML Compliance Involving Digital Assets

On May 9, 2019, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) published long-awaited guidance addressing how FinCEN regulations apply to what the agency calls “convertible virtual currency” (CVC), which covers most types of cryptocurrencies and crypto-tokens. The guidance focuses on:

  • Platforms engaged in exchange transactions involving securities, commodities, or futures contracts and fiat currency, CVC, or other value that substitutes for currency;
  • Natural persons providing CVC money transmission as person-to-person (P2P) exchangers;
  • CVC wallets (differentiating among hosted, unhosted, and multiple signature wallet providers);
  • CVC provided through electronic terminals, kiosks, or automated teller machines;
  • CVC services provided through decentralized (software) applications (DApps), including anonymizing services;
  • Payment processing services;
  • Internet casinos;
  • Initial Coin Offerings (ICOs) and the status of creators of CVC;
  • DApp developers, users conducting financial activities, and DApps conducting CVC transactions; and
  • Mining pools and cloud miners.


Continue Reading FinCEN Issues New Advisory on BSA/AML Obligations Related to Virtual Currency