The innovative use of virtual currencies is hotter than ever, but so is a dark side of these instruments: their exploitation in ransomware schemes. This year, since January 2021, ransomware attacks have increased dramatically in number and severity. In these attacks, cybercriminals deploy malicious code into the victim’s environment. They then generally demand payment in the form of virtual currencies—particularly anonymity-enhanced cryptocurrencies—in exchange for a decryption key to unlock the victim’s digital infrastructure. To address this problem, and the growing use of virtual currencies in general, several U.S. regulators and legislators have attempted to clarify regulatory requirements related to virtual currency and ransomware.
This alert discusses recent regulatory guidance about virtual currency and ransomware, specifically related to sanctions and anti-money laundering compliance, and the increased focus of the Federal Deposit Insurance Corporation (the “FDIC”), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (the “OCC”) (collectively, the “Federal Banking Regulators”) on virtual currency in general. After discussing the motivating factors for this regulatory activity, we make recommendations for mitigating risk and forecast what is next in this arena.
Key activity by the U.S. government related to virtual currency and ransomware over the last several months has included the following:
The $590 million in ransomware payments FinCEN recorded from January 1 to June 30 of this year is 42% higher than the total ransomware-related transaction value recorded in all of 2020, and it is estimated that the 2021 figure will exceed those of the previous 10 years combined. While many companies are susceptible to ransomware attacks, virtual currency service providers are also at risk of facilitating ransomware payments. OFAC’s recent designations of both Chatex and SUEX OTC to the SDN List resulted from their respective roles in aiding such illicit transactions. U.S. regulators are paying close attention to companies that negotiate or otherwise could be considered to facilitate ransomware payments.
In addition, companies providing virtual currency services must understand the corresponding sanctions risks and regulatory obligations imposed by Treasury and the Federal Banking Regulators. As the Federal Banking Regulators note, the “emerging crypto-asset sector presents potential opportunities and risks for banking organizations, their customers, and the overall financial system” and regulators intend to provide “coordinated and timely clarity” on regulatory requirements related to crypto-assets. To that end, OFAC’s and FinCEN’s guidance describe their compliance expectations, which companies should carefully consider when implementing proper internal controls. OCC’s guidance explains the supervisory process and expectations for banks’ virtual currency activities. And the Federal Banking Regulators have summarized their efforts to provide coordinated and timely clarity to regulated institutions that seek to engage in crypto-asset-related activities and outlined what’s to come next year.
OFAC and FinCEN’s guidance – virtual currency companies and financial institutions should consider the following risk-mitigating measures, where applicable:
Implement internal controls for identification, interdiction, and escalation of suspicious activity. Consider implementing software to facilitate geolocation, IP address blocking, transaction monitoring, and investigation.
Hold regular, targeted trainings for employees.
Use reporting channels and revisit reporting protocols.
OCC’s guidance – For banks dealing in virtual currency, implement controls to conduct authorized virtual currency activity in a safe and sound manner:
Establish an appropriate risk management and measurement system for virtual currency activities. The system should identify, measure, monitor, and control risks associated with the activities on an ongoing basis. Risks include:
Federal and state legislators and regulators are trying to combat ransomware-related activities through enforcement actions, sanctions designations, and newly proposed legislation and regulations.
Federal Government Highlights
Securities and Exchange Commission (“SEC”) Chairman Gary Gensler recently testified before the Senate that the SEC is considering reforms on cybersecurity risk governance which may address issues such as cyber hygiene and incident reporting. The SEC is considering gaps that, with Congress’s assistance, the SEC might fill. He also said that the SEC is working with other financial regulators under current authorities to best bring investor protection to crypto-asset markets. He specifically noted that the SEC is working on projects relating to:
State Government Highlights
OFAC’s recent designations of virtual currency exchanges to the SDN List demonstrate that it intends to target bad actors in the virtual currency industry. And given OFAC’s and FinCEN’s recent written guidance for the virtual currency industry, we can expect Treasury to take action against financial institutions that do not implement appropriate compliance programs should their failures lead to violations of law or regulations.
The Federal Banking Regulators suggest that we can expect more regulatory guidance on a number of subjects, including crypto-asset safekeeping and custody services, facilitation of consumer purchases and sales of crypto-assets, crypto-asset collateralized loans, issuance of stablecoins, and holding crypto-assets on balance sheets. Additionally, as regulator and prosecutor attention expands, in 2022 we can expect increased regulatory activity from a variety of federal and state actors, including possible additional legislation and reporting requirements, as well as increased enforcement of existing laws and regulations.
 US Department of the Treasury’s Office of Foreign Assets Control, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, OFAC (Sept. 21, 2021), https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf.
 US Department of the Treasury’s Financial Crimes Enforcement Network, Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021, FinCEN (Oct. 2021), https://www.fincen.gov/sites/default/files/2021-10/Financial%20Trend%20Analysis_Ransomware%20508%20FINAL.pdf.
 US Department of the Treasury’s Office of Foreign Assets Control, Sanctions Compliance Guidance for the Virtual Currency Industry, OFAC (Oct. 2021), https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf.
 US Department of the Treasury’s Financial Crimes Enforcement Network, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, FinCEN (Nov. 8, 2021).
 US Department of the Treasury’s Financial Crimes Enforcement Network, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, FinCEN (Oct. 1, 2020), https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory%20Ransomware%20FINAL%20508.pdf.
 US Department of the Treasury, Treasury Continues to Counter Ransomware as Part of Whole-of-Government Effort; Sanctions Ransomware Operators and Virtual Currency Exchange, Treasury (Nov. 8, 2021), https://home.treasury.gov/news/press-releases/jy0471.
 US Department of the Treasury’s Office of the Comptroller of the Currency, Chief Counsel’s Interpretation Clarifying: (1) Authority of a Bank to Engage in Certain Cryptocurrency Activities;and (2) Authority of the OCC to Charter a National Trust Bank, OCC (Nov. 18, 2021), https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2021/int1179.pdf.
 Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps, FDIC (Nov. 23, 2021), https://www.fdic.gov/news/press-releases/2021/pr21096a.pdf.
 OFAC sanctioned SUEX OTC, S.R.O., a Russia-based virtual currency exchange, for facilitating transactions involving illicit proceeds from at least eight ransomware variants. Additionally, earlier this year OFAC announced settlements of more than $500,000 and nearly $100,000 with BitPay, Inc. and BitGo, Inc., respectively. Coinbase Global Inc., the largest U.S.-based cryptocurrency exchange, is currently under review by OFAC after voluntarily disclosing potential sanctionable violations.
 US Department of the Treasury, supra note 6.
 US Department of the Treasury’s Office of Foreign Assets Control, Sanctions Compliance Guidance for the Virtual Currency Industry, OFAC (October 2021), https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf.
 US Department of the Treasury’s Financial Crimes Enforcement Network, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, FinCEN Advisory (November 8, 2021), https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf.
 US Department of the Treasury’s Office of the Comptroller of the Currency, supra note 7.
 Department of Justice Office of Public Affairs, Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside, Justice News (June 7, 2021), https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside.
 Department of Justice Office of Public Affairs, Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team, Justice News (October 6, 2021), https://www.sec.gov/news/testimony/gensler-2021-09-14.
 Stablecoins: How Do They Work, How Are They Used, and What Are Their Risk?: Hearing Before the S. Comm. on Banking, Housing, and Urban Affairs, (2021) (statement of Gary Gensler, Chairman, US Sec. and Exch. Comm.), https://www.sec.gov/news/testimony/gensler-2021-09-14.
 The White House, Joint Statement of the Ministers and Representatives from the Counter Ransomware Initiative Meeting October 2021, Briefing Room (October 14, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/10/14/joint-statement-of-the-ministers-and-representatives-from-the-counter-ransomware-initiative-meeting-october-2021/.
 S.2943, 117th Cong. (2021).
 Letitia James, Attorney General James Directs Unregistered Crypto Lending Platforms to Cease Operations In New York, Announces Additional Investigations, Press Release (October 18, 2021), https://ag.ny.gov/press-release/2021/attorney-general-james-directs-unregistered-crypto-lending-platforms-cease.
 H.B. 813, Gen. Assemb., Sess. 2021 (Nc. 2021).
 S.B. 726, Gen. Assemb., Sess. 2021 (Pa. 2021).