Financial Services

Subscribe to Financial Services

On December 11, 2020, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued a much-anticipated report under Section 5(b) of the Hong Kong Autonomy Act (HKAA) that—to the relief of non-US financial institutions, including those in Hong Kong—stated the Treasury Department had not identified any foreign financial institution (FFI) at risk of secondary sanctions under the HKAA at this time.

Background

Under Section 5(b) of the HKAA, Congress directed the Treasury Department to identify any FFI that knowingly conducted a significant transaction with a person identified by the State Department in a report under Section 5(a) of the HKAA. The State Department issued its report on October 14, 2020, identifying ten individuals, including Hong Kong’s Chief Executive and other prominent government officials.

(For more information about the HKAA and the State Department’s Section 5(a) report, see our blog post of October 15, 2020, “Update: Hong Kong Financial Institutions Face US Secondary Sanctions after State Department Issues First Report under Hong Kong Autonomy Act.”)

Under the HKAA, FFIs identified in a Section 5(b) report could be subject to a “menu” of ten secondary sanctions described in Section 7 of the HKAA. Those sanctions would become mandatory after one year of the report’s issuance.


Continue Reading Financial Institutions Spared, for Now, from Secondary Sanctions after Treasury Department Issues ‘Null Report’ Under Section 5(b) of the Hong Kong Autonomy Act

On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) published advisories on the sanctions and anti-money laundering (AML) risks of facilitating ransomware payments.

Ransomware attacks have become increasingly common in recent years with malicious attacks targeting companies in a variety of industries, including healthcare, technology, and education, among others.  Ransomware attacks typically involve a hacker breaching a company’s information technology (IT) infrastructure and encrypting a company’s data or other systems. The attacker then typically demands the victim pay a ransom in exchange for a decryption key that allows the victim to unlock the IT systems or data.  Such attacks can have severe consequences for the victim, often preventing the victim from being able to conduct business operations in whole or in part, and, in the case of healthcare companies such as hospitals, can potentially lead to loss of life, as reportedly occurred recently with a ransomware attack on a hospital in Germany.  Such inability to conduct business can also have ripple effects on other companies or individuals whose data is affected.  In some instances, an attacker may also threaten to disclose private information or data unless the ransom is paid.

As a result, victims of ransomware attacks often choose to pay the ransom.  However, because ransomware attackers rarely, if ever, identify themselves, and often demand payment in cryptocurrency, victims making such payments are generally forced to do so without a clear understanding of the recipient.  Such conduct potentially exposes the victim, and third party service providers (including financial institutions and incident response consultants, among others), to violations of and obligations under US sanctions and/or AML laws.

The OFAC and FinCEN advisories provide information to the public regarding the sanctions and AML risks to victims and third party service providers, including US financial institutions, who assist victims in responding to ransomware attacks.  While in many respects the guidance does not break new regulatory ground, it is a stark reminder of the way that those trying to deal with the consequences of a ransomware attack can find themselves in trouble with the US government.  This puts victims and companies that assist them in a difficult conundrum: don’t pay the ransom and potentially watch the victim company’s business get destroyed, or pay the ransom and run the risk of violating US sanctions and AML laws.  It is therefore imperative that victim companies and those in the business of facilitating ransom payments carefully consider the legal risks and evaluate potential ways to avoid or minimize them.


Continue Reading Five Key Takeaways from OFAC and FinCEN’s Ransomware Advisories