The innovative use of virtual currencies is hotter than ever, but so is a dark side of these instruments: their exploitation in ransomware schemes. This year, since January 2021, ransomware attacks have increased dramatically in number and severity. In these attacks, cybercriminals deploy malicious code into the victim’s environment. They then generally demand payment in the form of virtual currencies—particularly anonymity-enhanced cryptocurrencies—in exchange for a decryption key to unlock the victim’s digital infrastructure. To address this problem, and the growing use of virtual currencies in general, several U.S. regulators and legislators have attempted to clarify regulatory requirements related to virtual currency and ransomware.
This alert discusses recent regulatory guidance about virtual currency and ransomware, specifically related to sanctions and anti-money laundering compliance, and the increased focus of the Federal Deposit Insurance Corporation (the “FDIC”), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (the “OCC”) (collectively, the “Federal Banking Regulators”) on virtual currency in general. After discussing the motivating factors for this regulatory activity, we make recommendations for mitigating risk and forecast what is next in this arena.
What are the new initiatives?
Why are these government actions important?
What should virtual currency companies and financial institutions engaging in activities related to virtual currencies do?
Who is paying attention?
1. What are the new initiatives?
Key activity by the U.S. government related to virtual currency and ransomware over the last several months has included the following:
September 21, 2021: The U.S. Department of Treasury (“Treasury”)’s Office of Foreign Assets Control (“OFAC”) published an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.As described here in our prior client alert, the publication announced several actions focused on: disrupting criminal digital finance infrastructure, including virtual currency exchanges, that are responsible for laundering cyberattack ransoms; and encouraging incident and ransomware payment reporting to U.S. authorities.The updated advisory also described potential sanctions risks associated with facilitating ransomware payments.
October 15, 2021: Treasury’s Financial Crimes Enforcement Network (“FinCEN”) released Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021. The FinCEN report noted an increase in ransomware attacks in general during the covered period and the commission of several recent large and disruptive ransomware attacks.
October 15, 2021: OFAC published Sanctions Compliance Guidance for the Virtual Currency Industry. The OFAC brochure offers practical advice for virtual currency companies seeking to implement policies and programs to mitigate sanctions risk and shares case studies identifying pitfalls to avoid.
November 8, 2021: FinCEN released an updated Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, drawing on the conclusions in its October 2020 report. On the same day, OFAC designated Chatex, a virtual currency exchange that reportedly has direct ties to the Russia-based cryptocurrency exchange SUEX OTC, and two companies that provided material support to Chatex’s operations, as Specially Designated Nationals and Blocked Persons (“SDNs”).
November 18, 2021: The OCC issued an interpretive letter that, among other things, followed up on previous guidance and clarified that it is legally permissible for banks to (1) provide cryptocurrency custody services; (2) hold dollar deposits serving as reserves backing stablecoin; (3) act as nodes on distributed ledgers to verify customer payments; and (4) “engage in certain stablecoin activities to facilitate payment transactions on a distrusted ledger.” The OCC permits these activities “provided the bank can demonstrate, to the satisfaction of its supervisory office, that it has controls in place to conduct the activity in a safe and sound manner.”
November 23, 2021: The Federal Banking Regulators issued a Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps. The statement focuses on the progress of the Federal Banking Regulators’ recent crypto-asset “policy sprints” and outlines areas on which they intend to focus in the crypto-asset space in 2022, including guidance on the legality of certain crypto-asset-related activities conducted by banks, and the regulators’ expectations for safety and soundness; consumer protection; compliance with existing laws and regulations related to certain crypto-asset-related activities; and evaluation of the application of bank capital and liquidity standards to crypto-assets.
2. Why are these government actions important?
The $590 million in ransomware payments FinCEN recorded from January 1 to June 30 of this year is 42% higher than the total ransomware-related transaction value recorded in all of 2020, and it is estimated that the 2021 figure will exceed those of the previous 10 years combined. While many companies are susceptible to ransomware attacks, virtual currency service providers are also at risk of facilitating ransomware payments. OFAC’s recent designations of both Chatex and SUEX OTC to the SDN List resulted from their respective roles in aiding such illicit transactions. U.S. regulators are paying close attention to companies that negotiate or otherwise could be considered to facilitate ransomware payments.
In addition, companies providing virtual currency services must understand the corresponding sanctions risks and regulatory obligations imposed by Treasury and the Federal Banking Regulators. As the Federal Banking Regulators note, the “emerging crypto-asset sector presents potential opportunities and risks for banking organizations, their customers, and the overall financial system” and regulators intend to provide “coordinated and timely clarity” on regulatory requirements related to crypto-assets. To that end, OFAC’s and FinCEN’s guidance describe their compliance expectations, which companies should carefully consider when implementing proper internal controls. OCC’s guidance explains the supervisory process and expectations for banks’ virtual currency activities. And the Federal Banking Regulators have summarized their efforts to provide coordinated and timely clarity to regulated institutions that seek to engage in crypto-asset-related activities and outlined what’s to come next year.
3. What should virtual currency companies and financial institutions engaging in activities related to virtual currencies do?
OFAC and FinCEN’s guidance – virtual currency companies and financial institutions should consider the following risk-mitigating measures, where applicable:
Conduct routine risk assessments and follow up with remediation strategies for identified risks related to ransomware.
Implement internal controls for identification, interdiction, and escalation of suspicious activity. Consider implementing software to facilitate geolocation, IP address blocking, transaction monitoring, and investigation.
Screening alone is not enough. Virtual currency companies must also prevent parties in sanctioned jurisdictions from using the companies’ platforms.
The responsibility to prevent interaction with individuals and entities on OFAC sanctions lists or located in sanctioned jurisdictions includes those who may not even be direct customers.
Implement appropriate mechanisms to conduct “sufficient due diligence on customers, business partners, and transactions.” Proper Know-Your-Customer (KYC) procedures can facilitate this.
Customer-identifying information should be screened against the SDN List, other relevant sanctions lists, and the list of sanctioned jurisdictions. Higher-risk customers should be analyzed with greater scrutiny. Records of sanctions screening and of transactions occurring on the platform should be stored for the recordkeeping period required by applicable laws and regulations, and utilized in audits.
Hold regular, targeted trainings for employees.
As the virtual currency space is rapidly evolving, companies should note new technological and strategic developments that nefarious actors are employing and incorporate their learnings in employee trainings.
Use reporting channels and revisit reporting protocols.
Virtual currency service providers that are regulated financial institutions have suspicious activity reporting (“SAR”) obligations under the Bank Secrecy Act, as amended (the “BSA”). SAR filings are required not only in the event of successful extortion through a ransomware attack, but also for any attempts or suspected attempts involving $5,000 or more ($2,000 or more for money services businesses).
Include in SARs cyber indicators such as relevant email addresses, IP addresses, CVC (convertible virtual currency) wallet addresses, mobile device information, malware hashes, malicious domains, details on suspicious electronic communications, and login information with locations and timestamps can help.
OCC’s guidance – For banks dealing in virtual currency, implement controls to conduct authorized virtual currency activity in a safe and sound manner:
Notify regulatory supervisors of intent to engage in virtual currency activities outlined in the OCC’s guidance. Banks should consult with their supervisory offices prior to engaging in the activities.The supervisory office will review the bank’s systems and controls to ensure they will allow the bank to engage in the proposed activities in a “safe and sound manner.”
Establish an appropriate risk management and measurement system for virtual currency activities. The system should identify, measure, monitor, and control risks associated with the activities on an ongoing basis. Risks include:
Operational risks such as hacking, fraud, theft, and third-party risk management;
Compliance risk associated with regulatory requirements such as those imposed by the BSA and FinCEN, OFAC, securities laws, and consumer protection laws.
Develop the ability to demonstrate in writing to regulators that the bank “understands and will comply with laws that apply to [virtual currency] activities” as well as its compliance obligations, including those identified above.
Evaluate and understand the regulatory requirements for your particular virtual currency products. For example, “[t]here may be different legal and compliance obligations for stablecoin activities, depending on how the particular stablecoin is structured,” i.e., whether the stablecoin is a security.
4. Who is paying attention?
Federal and state legislators and regulators are trying to combat ransomware-related activities through enforcement actions, sanctions designations, and newly proposed legislation and regulations.
Federal Government Highlights
The Department of Justice (the “DOJ”) is leading the administration-wide effort to mitigate ransomware threats. Earlier this year, the DOJ seized a ransomware payment of $2.3 million to disrupt the ransomware ecosystem and deter ransomware attacks. The DOJ further noted its commitment to improving the department’s ability to track and recover ransomware payments. In addition, the DOJ recently established a National Cryptocurrency Enforcement Team to disrupt the infrastructure used to carry out ransomware attacks.
Securities and Exchange Commission (“SEC”) Chairman Gary Gensler recently testified before the Senate that the SEC is considering reforms on cybersecurity risk governance which may address issues such as cyber hygiene and incident reporting. The SEC is considering gaps that, with Congress’s assistance, the SEC might fill. He also said that the SEC is working with other financial regulators under current authorities to best bring investor protection to crypto-asset markets. He specifically noted that the SEC is working on projects relating to:
The offer and sale of crypto tokens;
Crypto trading and lending platforms;
Stable value coins;
Investment vehicles providing exposure to crypto-assets or crypto derivatives; and
Custody of crypto-assets.
The White House held a multinational summit on ransomware in October 2021, where the participants pledged to “seek out ways to cooperate with the virtual asset industry to enhance ransomware-related information sharing.”
Legislation has been introduced in Congress that would impose mandatory notification requirements following security incidents. One such bill, introduced by Senator Elizabeth Warren, would impose mandatory disclosures to the Department of Homeland Security (“DHS”) following ransomware payments.
State Government Highlights
New York: On October 18, 2021, New York Attorney General Letitia James issued a cease-and-desist letter to two unregistered virtual currency lending platforms that allegedly engaged in unlawful activities, continuing the trend of state regulators’ effort to provide oversight over virtual currency companies.
North Carolina: The North Carolina House approved a bill that prohibits any state agency or local government from paying ransom payments or communicating with ransomware actors. This bill will further require local governments to communicate with the North Carolina Department of Information Technology if they receive a ransom demand.
Pennsylvania: Legislators are considering a comprehensive ransomware bill that would make the possession, use, or transfer of ransomware a criminal felony offense, depending on the ransomware amount.
5. What’s next?
OFAC’s recent designations of virtual currency exchanges to the SDN List demonstrate that it intends to target bad actors in the virtual currency industry. And given OFAC’s and FinCEN’s recent written guidance for the virtual currency industry, we can expect Treasury to take action against financial institutions that do not implement appropriate compliance programs should their failures lead to violations of law or regulations.
The Federal Banking Regulators suggest that we can expect more regulatory guidance on a number of subjects, including crypto-asset safekeeping and custody services, facilitation of consumer purchases and sales of crypto-assets, crypto-asset collateralized loans, issuance of stablecoins, and holding crypto-assets on balance sheets. Additionally, as regulator and prosecutor attention expands, in 2022 we can expect increased regulatory activity from a variety of federal and state actors, including possible additional legislation and reporting requirements, as well as increased enforcement of existing laws and regulations.
 US Department of the Treasury’s Financial Crimes Enforcement Network, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, FinCEN (Nov. 8, 2021).
 OFAC sanctioned SUEX OTC, S.R.O., a Russia-based virtual currency exchange, for facilitating transactions involving illicit proceeds from at least eight ransomware variants. Additionally, earlier this year OFAC announced settlements of more than $500,000 and nearly $100,000 with BitPay, Inc. and BitGo, Inc., respectively. Coinbase Global Inc., the largest U.S.-based cryptocurrency exchange, is currently under review by OFAC after voluntarily disclosing potential sanctionable violations.
 US Department of the Treasury, supra note 6.
 US Department of the Treasury’s Office of the Comptroller of the Currency, supra note 7.
 S.2943, 117th Cong. (2021).
 H.B. 813, Gen. Assemb., Sess. 2021 (Nc. 2021).
 S.B. 726, Gen. Assemb., Sess. 2021 (Pa. 2021).