If this year taught us anything, it is that we do not really know what is going to happen next. We heard about COVID-19 and then our entire way of life changed overnight. Some financial institutions were better prepared than others. For example, those who already had employees working remotely when the pandemic hit were better positioned to respond than those whose employees had never worked remotely. Customers banking remotely fared better than those who always went into the branch to conduct transactions. We may not know what is going to happen next; however, we can strategically plan for various risks and put procedures in place to mitigate those risks. Isn’t that what financial institutions do all the time?
So when OFAC and FinCEN issued guidance at the same time on illicit ransomware payments, it is important to pause and consider what plans are in place in your institution to mitigate those risks and address the problem if and when it occurs. As Jack Dempsey is reported to have said, “The best defense is a good offense.”
To begin, it is important to understand what ransomware is and who it can affect. FinCEN defines ransomware as “a form of malicious software (‘malware’) designed to block access to a computer system or data, often by encrypting data or programs on information technology (IT) systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data. In some cases, in addition to the attack, the perpetrators threaten to publish sensitive files belonging to the victims, which can be individuals or business entities (including financial institutions). The consequences of a ransomware attack can be severe and far-reaching—with losses of sensitive, proprietary, and critical information and/or loss of business functionality.”[i]
Before delving into the risk institutions face when processing illicit payments for victims of ransomware, it is worth considering that financial institutions themselves can be victims of ransomware. Therefore, the same steps you would take for pandemic planning and disaster recovery should be mirrored for ransomware. Begin with a committee made up of all departments of the institution to consider the key preparations needed to prevent this from occurring. Things such as a robust cyber security and IT infrastructure, employee training, and cyber insurance are all critical steps to take.
One law enforcement conference I attended highlighted another key component of a robust plan, and that is to specifically lay out what steps to take once you have been a victim. Who manages the problem and communicates with regulators, law enforcement, the media, customers, the employees, and the perpetrator of the crime? Most importantly, what “experts” will you hire to help you regain control of your computer systems and determine if and how a ransom is paid? These companies are called digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs). One firm that was a victim of ransomware hired one of these firms to help them regain access to their systems and clean out any malware placed by the ransomware perpetrators. The experts “fixed” everything and left. Unfortunately, they left a back door open in the system that enabled the perpetrators to come right back in and commit the same crime again! So be sure to do your due diligence on firms you hire to assist you.
Hopefully, financial institutions will not fall victim to ransomware, but some of your customers may as ransomware operations become more sophisticated. The recently issued guidance from FinCEN and OFAC focuses on the processing of payments for those customers who are victims of ransomware and highlights four key risks to financial institutions associated with these payments.
- Not detecting the payments
- Not preventing the payments
- Not reporting the suspicious transactions
- Violating OFAC sanctions
The first risk of not detecting the payments can be caused by a lack of training on these types of payments. It is interesting to note that seven of the ten red flags FinCEN lists include the term “CVC” or convertible virtual currency since the majority of ransomware payments must be made using it. Training focusing on what CVC is, the flow of funds and the source or destination of these funds is vital to detecting ransomware payments. Customers can structure the movement of ransomware funds, but remember that one-time, small dollar transactions involving CVC are most likely not ransomware and may not even be illegal. It is legal to conduct transactions using CVC and more and more people are doing legitimate transactions all the time.
Another training piece is knowing that transactions between a DFIR or CIC and an organization at high risk of being targeted by ransomware, such as a government, financial, educational, or healthcare entity, are a red flag for ransomware. Employee training on ransomware and customer service is another important factor, as customers may actually tell an institution they are a victim of a ransomware attack. If a customer tells an employee they are a victim, what actions should the employee take with the customer, and to whom should they report that information?
The other red flag in the FinCEN guidance involves malicious cyber activity that may be more evident to the IT side of the financial institution, via system log files, network traffic, or file information, than to the BSA side. However, training all employees on what IT knows and works to prevent is important in ensuring the entire financial institution is working together to identify these payments.
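The two transaction-based red flags described above (a DFIR or CIC counterparty paired with a high-risk-sector customer, and CVC activity that is neither small nor one-time, including structured transfers) can be expressed as simple monitoring rules. The following is an added illustration, not code from FinCEN or from the author; the sector list comes from the text, while the review threshold, look-back window and sample ledger are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Sectors the FinCEN guidance names as frequent targets; thresholds below are assumptions.
HIGH_RISK_SECTORS = {"government", "financial", "education", "healthcare"}
CVC_REVIEW_AMOUNT = 10_000.0    # assumed review threshold for aggregate CVC volume
CVC_WINDOW = timedelta(days=7)  # assumed look-back window for spotting structured CVC buys

@dataclass
class Txn:
    txn_id: str
    when: date
    customer: str
    customer_sector: str
    counterparty_type: str   # "dfir", "cic", "cvc_exchange" or "other"
    amount: float
    cvc: bool                # convertible virtual currency involved

def ransomware_red_flags(txn, history):
    """Red-flag reasons raised by txn, given the ledger's earlier transactions."""
    reasons = []
    # Red flag 1: a DFIR or CIC counterparty paired with a high-risk-sector customer.
    if txn.counterparty_type in {"dfir", "cic"} and txn.customer_sector in HIGH_RISK_SECTORS:
        reasons.append("dfir_cic_high_risk_sector")
    # Red flag 2: CVC volume that is neither small nor one-time; amounts are summed over
    # the look-back window so structured transfers still reach the threshold.
    if txn.cvc:
        window_total = txn.amount + sum(
            t.amount for t in history
            if t.cvc and t.customer == txn.customer
            and timedelta(0) <= txn.when - t.when <= CVC_WINDOW)
        if window_total >= CVC_REVIEW_AMOUNT:
            reasons.append("cvc_volume_over_threshold")
    return reasons

def screen(transactions):
    """Screen a ledger in date order; returns {txn_id: reasons} for flagged transactions."""
    flagged, seen = {}, []
    for txn in sorted(transactions, key=lambda t: t.when):
        reasons = ransomware_red_flags(txn, seen)
        if reasons:
            flagged[txn.txn_id] = reasons
        seen.append(txn)
    return flagged

# Constructed sample ledger (not real data): a hospital paying a DFIR firm, a lone small
# CVC purchase by a retail customer, and three structured CVC buys by one business.
SAMPLE = [
    Txn("t1", date(2020, 11, 2), "County Hospital", "healthcare", "dfir", 25_000.0, False),
    Txn("t2", date(2020, 11, 3), "J. Doe", "retail", "cvc_exchange", 200.0, True),
    Txn("t3", date(2020, 11, 4), "Acme Supply", "manufacturing", "cvc_exchange", 4_000.0, True),
    Txn("t4", date(2020, 11, 5), "Acme Supply", "manufacturing", "cvc_exchange", 4_500.0, True),
    Txn("t5", date(2020, 11, 6), "Acme Supply", "manufacturing", "cvc_exchange", 3_900.0, True),
]
```

Running `screen(SAMPLE)` flags only t1 (DFIR counterparty, healthcare customer) and t5 (the third structured CVC purchase pushes the seven-day total over the threshold); the lone $200 purchase is left alone, as the guidance suggests.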
Preventing the payments and reporting of suspicious activity falls under the culture of compliance of the institution. If your institution has a robust BSA/AML and cyber security program that is directed from the top down and followed faithfully by your employees, preventing and reporting will be automatic upon identification of these types of payments. If training is lacking and a weak culture exists, detecting, preventing and reporting will be difficult and maybe even impossible to accomplish.
When institutions do report this type of activity via SARs, FinCEN requests financial institutions reference their advisory in SAR field 2 (Filing Institution Note to FinCEN) and the narrative by including the following key term: “CYBER FIN-2020-A006” and select SAR field 42 (Cyber Event). FinCEN also encouraged institutions to utilize 314(b) sharing between financial institutions to help prevent this type of activity.
As to the last risk, violating OFAC sanctions, the same principles of training and a culture of OFAC compliance within the institution are vital. An appropriate OFAC risk assessment for the institution and policies and procedures to mitigate those risks are the first steps. Proper monitoring software, employee training, and mandatory adherence to the policies and procedures tied to the program are all key components to ensure there are no sanctions violations. The guidance issued by OFAC[ii] encourages institutions to contact OFAC if there is a potential for a sanctions violation with one of these types of payments. The guidance concludes with a reminder that “Victims should also contact the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection if an attack involves a U.S. financial institution or may cause significant disruption to a firm’s ability to perform critical financial services.”
In conclusion, keep your policies and programs balanced, so that when new guidance comes out, like this guidance on ransomware, you are not creating entirely new policies and procedures. You can add the key parts of the new guidance into the framework you already built to ensure you are properly mitigating the risks involved.
[i] FinCEN’s FIN-2020-A006 – https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory%20Ransomware%20FINAL%20508.pdf
[ii] 10/1/2020 Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments – https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf