On December 22, 2021, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued three general licenses (GLs) to authorize additional activities involving the Taliban and the Haqqani Network in Afghanistan that would otherwise be prohibited under the Global Terrorism Sanctions Regulations, 31 CFR part 594 (GTSR), the Foreign Terrorist Organizations Sanctions Regulations, 31
On December 7, 2021, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), published a proposed rule to implement the Corporate Transparency Act (CTA), which was enacted as part of the Anti-Money Laundering Act of 2020 within the National Defense Authorization Act for Fiscal Year 2021. The proposed rule is intended to implement the CTA’s beneficial ownership reporting provisions, but does not yet have the force and effect of law. In short, the proposed rule would require certain business organizations and entities to report affirmatively information to FinCEN about the beneficial owners and controllers of such organizations and the individuals who have filed an application with state or tribal authorities to form the entity or register it to do business. Below we summarize a number of the proposed rule’s key provisions, for which interested persons may submit public comments before February 7, 2022.
Continue Reading FinCEN Issues Proposed Rule on Reporting of Corporate Ownership
On October 28, 2021, the House Rules Committee released the latest version of HR 5376, the Build Back Better Act. This draft reflects the most recent attempt to forge compromise among Democratic lawmakers, as Congress moves towards a vote on a comprehensive infrastructure bill. Section 138152 of the Build Back Better Act (the Act) would…
On December 11, 2020, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued a much-anticipated report under Section 5(b) of the Hong Kong Autonomy Act (HKAA) that—to the relief of non-US financial institutions, including those in Hong Kong—stated the Treasury Department had not identified any foreign financial institution (FFI) at risk of secondary sanctions under the HKAA at this time.
Under Section 5(b) of the HKAA, Congress directed the Treasury Department to identify any FFI that knowingly conducted a significant transaction with a person identified by the State Department in a report under Section 5(a) of the HKAA. The State Department issued its report on October 14, 2020, identifying ten individuals, including Hong Kong’s Chief Executive and other prominent government officials.
(For more information about the HKAA and the State Department’s Section 5(a) report, see our blog post of October 15, 2020, “Update: Hong Kong Financial Institutions Face US Secondary Sanctions after State Department Issues First Report under Hong Kong Autonomy Act.”)
Under the HKAA, FFIs identified in a Section 5(b) report could be subject to a “menu” of ten secondary sanctions described in Section 7 of the HKAA. Those sanctions would become mandatory after one year of the report’s issuance.
On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) published advisories on the sanctions and anti-money laundering (AML) risks of facilitating ransomware payments.
Ransomware attacks have become increasingly common in recent years with malicious attacks targeting companies in a variety of industries, including healthcare, technology, and education, among others. Ransomware attacks typically involve a hacker breaching a company’s information technology (IT) infrastructure and encrypting a company’s data or other systems. The attacker then typically demands the victim pay a ransom in exchange for a decryption key that allows the victim to unlock the IT systems or data. Such attacks can have severe consequences for the victim, often preventing the victim from being able to conduct business operations in whole or in part, and, in the case of healthcare companies such as hospitals, can potentially lead to loss of life, as reportedly occurred recently with a ransomware attack on a hospital in Germany. Such inability to conduct business can also have ripple effects on other companies or individuals whose data is affected. In some instances, an attacker may also threaten to disclose private information or data unless the ransom is paid.
As a result, victims of ransomware attacks often choose to pay the ransom. However, because ransomware attackers rarely, if ever, identify themselves, and often demand payment in cryptocurrency, victims making such payments are generally forced to do so without a clear understanding of the recipient. Such conduct potentially exposes the victim, and third party service providers (including financial institutions and incident response consultants, among others), to violations of and obligations under US sanctions and/or AML laws.
The OFAC and FinCEN advisories provide information to the public regarding the sanctions and AML risks to victims and third party service providers, including US financial institutions, who assist victims in responding to ransomware attacks. While in many respects the guidance does not break new regulatory ground, it is a stark reminder of the way that those trying to deal with the consequences of a ransomware attack can find themselves in trouble with the US government. This puts victims and companies that assist them in a difficult conundrum: don’t pay the ransom and potentially watch the victim company’s business get destroyed, or pay the ransom and run the risk of violating US sanctions and AML laws. It is therefore imperative that victim companies and those in the business of facilitating ransom payments carefully consider the legal risks and evaluate potential ways to avoid or minimize them.