Year-end Crypto Roundup — Five Key Concepts About the U.S. Government’s Recent Actions on Virtual Currency and Ransomware

December.29.2021

The innovative use of virtual currencies is hotter than ever, but so is a dark side of these instruments: their exploitation in ransomware schemes. This year, since January 2021, ransomware attacks have increased dramatically in number and severity. In these attacks, cybercriminals deploy malicious code into the victim’s environment. They then generally demand payment in the form of virtual currencies—particularly anonymity-enhanced cryptocurrencies—in exchange for a decryption key to unlock the victim’s digital infrastructure. To address this problem, and the growing use of virtual currencies in general, several U.S. regulators and legislators have attempted to clarify regulatory requirements related to virtual currency and ransomware.

This alert discusses recent regulatory guidance about virtual currency and ransomware, specifically related to sanctions and anti-money laundering compliance, and the increased focus of the Federal Deposit Insurance Corporation (the “FDIC”), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (the “OCC”) (collectively, the “Federal Banking Regulators”) on virtual currency in general. After discussing the motivating factors for this regulatory activity, we make recommendations for mitigating risk and forecast what is next in this arena.

What are the new initiatives?
Why are these government actions important?
What should virtual currency companies and financial institutions engaging in activities related to virtual currencies do?
Who is paying attention?
What’s next?

1. What are the new initiatives?

Key activity by the U.S. government related to virtual currency and ransomware over the last several months has included the following:

September 21, 2021: The U.S. Department of Treasury (“Treasury”)’s Office of Foreign Assets Control (“OFAC”) published an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.^[1]As described here in our prior client alert, the publication announced several actions focused on: disrupting criminal digital finance infrastructure, including virtual currency exchanges, that are responsible for laundering cyberattack ransoms; and encouraging incident and ransomware payment reporting to U.S. authorities. The updated advisory also described potential sanctions risks associated with facilitating ransomware payments.
October 15, 2021: Treasury’s Financial Crimes Enforcement Network (“FinCEN”) released Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021.^[2] The FinCEN report noted an increase in ransomware attacks in general during the covered period and the commission of several recent large and disruptive ransomware attacks.
October 15, 2021: OFAC published Sanctions Compliance Guidance for the Virtual Currency Industry.^[3] The OFAC brochure offers practical advice for virtual currency companies seeking to implement policies and programs to mitigate sanctions risk and shares case studies identifying pitfalls to avoid.
November 8, 2021: FinCEN released an updated Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments,^[4] drawing on the conclusions in its October 2020 report.^[5] On the same day, OFAC designated Chatex, a virtual currency exchange that reportedly has direct ties to the Russia-based cryptocurrency exchange SUEX OTC, and two companies that provided material support to Chatex’s operations, as Specially Designated Nationals and Blocked Persons (“SDNs”).^[6]
November 18, 2021: The OCC issued an interpretive letter ^[7] that, among other things, followed up on previous guidance and clarified that it is legally permissible for banks to (1) provide cryptocurrency custody services; (2) hold dollar deposits serving as reserves backing stablecoin; (3) act as nodes on distributed ledgers to verify customer payments; and (4) “engage in certain stablecoin activities to facilitate payment transactions on a distrusted ledger.” The OCC permits these activities “provided the bank can demonstrate, to the satisfaction of its supervisory office, that it has controls in place to conduct the activity in a safe and sound manner.”
November 23, 2021: The Federal Banking Regulators issued a Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps.^[8] The statement focuses on the progress of the Federal Banking Regulators’ recent crypto-asset “policy sprints” and outlines areas on which they intend to focus in the crypto-asset space in 2022, including guidance on the legality of certain crypto-asset-related activities conducted by banks, and the regulators’ expectations for safety and soundness; consumer protection; compliance with existing laws and regulations related to certain crypto-asset-related activities; and evaluation of the application of bank capital and liquidity standards to crypto-assets.

2. Why are these government actions important?

The $590 million in ransomware payments FinCEN recorded from January 1 to June 30 of this year is 42% higher than the total ransomware-related transaction value recorded in all of 2020, and it is estimated that the 2021 figure will exceed those of the previous 10 years combined. While many companies are susceptible to ransomware attacks, virtual currency service providers are also at risk of facilitating ransomware payments.^[9] OFAC’s recent designations of both Chatex and SUEX OTC to the SDN List resulted from their respective roles in aiding such illicit transactions. U.S. regulators are paying close attention to companies that negotiate or otherwise could be considered to facilitate ransomware payments.^[10]

In addition, companies providing virtual currency services must understand the corresponding sanctions risks and regulatory obligations imposed by Treasury and the Federal Banking Regulators. As the Federal Banking Regulators note, the “emerging crypto-asset sector presents potential opportunities and risks for banking organizations, their customers, and the overall financial system” and regulators intend to provide “coordinated and timely clarity” on regulatory requirements related to crypto-assets. To that end, OFAC’s and FinCEN’s guidance describe their compliance expectations, which companies should carefully consider when implementing proper internal controls. OCC’s guidance explains the supervisory process and expectations for banks’ virtual currency activities. And the Federal Banking Regulators have summarized their efforts to provide coordinated and timely clarity to regulated institutions that seek to engage in crypto-asset-related activities and outlined what’s to come next year.

3. What should virtual currency companies and financial institutions engaging in activities related to virtual currencies do?

OFAC and FinCEN’s guidance – virtual currency companies and financial institutions should consider the following risk-mitigating measures, where applicable:

Conduct routine risk assessments and follow up with remediation strategies for identified risks related to ransomware.
Implement internal controls for identification, interdiction, and escalation of suspicious activity. Consider implementing software to facilitate geolocation, IP address blocking, transaction monitoring, and investigation.
- Screening alone is not enough. Virtual currency companies must also prevent parties in sanctioned jurisdictions from using the companies’ platforms.
- The responsibility to prevent interaction with individuals and entities on OFAC sanctions lists or located in sanctioned jurisdictions includes those who may not even be direct customers.
Implement appropriate mechanisms to conduct “sufficient due diligence on customers, business partners, and transactions.”^[11] Proper Know-Your-Customer (KYC) procedures can facilitate this.^[12]
- Customer-identifying information should be screened against the SDN List, other relevant sanctions lists, and the list of sanctioned jurisdictions. Higher-risk customers should be analyzed with greater scrutiny. Records of sanctions screening and of transactions occurring on the platform should be stored for the recordkeeping period required by applicable laws and regulations, and utilized in audits.
Hold regular, targeted trainings for employees.
- As the virtual currency space is rapidly evolving, companies should note new technological and strategic developments that nefarious actors are employing and incorporate their learnings in employee trainings.
Use reporting channels and revisit reporting protocols.
- Virtual currency service providers that are regulated financial institutions have suspicious activity reporting (“SAR”) obligations under the Bank Secrecy Act, as amended (the “BSA”). SAR filings are required not only in the event of successful extortion through a ransomware attack, but also for any attempts or suspected attempts involving $5,000 or more ($2,000 or more for money services businesses).
- Include in SARs cyber indicators such as relevant email addresses, IP addresses, CVC (convertible virtual currency) wallet addresses, mobile device information, malware hashes, malicious domains, details on suspicious electronic communications, and login information with locations and timestamps can help.^[13]

OCC’s guidance – For banks dealing in virtual currency, implement controls to conduct authorized virtual currency activity in a safe and sound manner:

Notify regulatory supervisors of intent to engage in virtual currency activities outlined in the OCC’s guidance. Banks should consult with their supervisory offices prior to engaging in the activities. The supervisory office will review the bank’s systems and controls to ensure they will allow the bank to engage in the proposed activities in a “safe and sound manner.”
Establish an appropriate risk management and measurement system for virtual currency activities. The system should identify, measure, monitor, and control risks associated with the activities on an ongoing basis. Risks include:
- Operational risks such as hacking, fraud, theft, and third-party risk management;
- Liquidity risk;
- Strategic risk;
- Compliance risk associated with regulatory requirements such as those imposed by the BSA and FinCEN, OFAC, securities laws, and consumer protection laws.
Develop the ability to demonstrate in writing to regulators that the bank “understands and will comply with laws that apply to [virtual currency] activities” as well as its compliance obligations, including those identified above.
Evaluate and understand the regulatory requirements for your particular virtual currency products. For example, “[t]here may be different legal and compliance obligations for stablecoin activities, depending on how the particular stablecoin is structured,” i.e., whether the stablecoin is a security.^[14]

4. Who is paying attention?

Federal and state legislators and regulators are trying to combat ransomware-related activities through enforcement actions, sanctions designations, and newly proposed legislation and regulations.

Federal Government Highlights

The Department of Justice (the “DOJ”) is leading the administration-wide effort to mitigate ransomware threats. Earlier this year, the DOJ seized a ransomware payment of $2.3 million to disrupt the ransomware ecosystem and deter ransomware attacks.^[15] The DOJ further noted its commitment to improving the department’s ability to track and recover ransomware payments.^[16] In addition, the DOJ recently established a National Cryptocurrency Enforcement Team to disrupt the infrastructure used to carry out ransomware attacks.^[17]
Securities and Exchange Commission (“SEC”) Chairman Gary Gensler recently testified before the Senate that the SEC is considering reforms on cybersecurity risk governance which may address issues such as cyber hygiene and incident reporting. The SEC is considering gaps that, with Congress’s assistance, the SEC might fill. He also said that the SEC is working with other financial regulators under current authorities to best bring investor protection to crypto-asset markets. He specifically noted that the SEC is working on projects relating to:
- The offer and sale of crypto tokens;
- Crypto trading and lending platforms;
- Stable value coins;
- Investment vehicles providing exposure to crypto-assets or crypto derivatives; and
- Custody of crypto-assets.^[18]
The White House held a multinational summit on ransomware in October 2021, where the participants pledged to “seek out ways to cooperate with the virtual asset industry to enhance ransomware-related information sharing.”^[19]
Legislation has been introduced in Congress that would impose mandatory notification requirements following security incidents. One such bill, introduced by Senator Elizabeth Warren, would impose mandatory disclosures to the Department of Homeland Security (“DHS”) following ransomware payments.^[20]

State Government Highlights

New York: On October 18, 2021, New York Attorney General Letitia James issued a cease-and-desist letter to two unregistered virtual currency lending platforms that allegedly engaged in unlawful activities, continuing the trend of state regulators’ effort to provide oversight over virtual currency companies.^[21]
North Carolina: The North Carolina House approved a bill that prohibits any state agency or local government from paying ransom payments or communicating with ransomware actors. This bill will further require local governments to communicate with the North Carolina Department of Information Technology if they receive a ransom demand.^[22]
Pennsylvania: Legislators are considering a comprehensive ransomware bill that would make the possession, use, or transfer of ransomware a criminal felony offense, depending on the ransomware amount.^[23]

5. What’s next?

OFAC’s recent designations of virtual currency exchanges to the SDN List demonstrate that it intends to target bad actors in the virtual currency industry. And given OFAC’s and FinCEN’s recent written guidance for the virtual currency industry, we can expect Treasury to take action against financial institutions that do not implement appropriate compliance programs should their failures lead to violations of law or regulations.

The Federal Banking Regulators suggest that we can expect more regulatory guidance on a number of subjects, including crypto-asset safekeeping and custody services, facilitation of consumer purchases and sales of crypto-assets, crypto-asset collateralized loans, issuance of stablecoins, and holding crypto-assets on balance sheets. Additionally, as regulator and prosecutor attention expands, in 2022 we can expect increased regulatory activity from a variety of federal and state actors, including possible additional legislation and reporting requirements, as well as increased enforcement of existing laws and regulations.

^[1] US Department of the Treasury’s Office of Foreign Assets Control, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, OFAC (Sept. 21, 2021), https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf.

^[2] US Department of the Treasury’s Financial Crimes Enforcement Network, Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021, FinCEN (Oct. 2021), https://www.fincen.gov/sites/default/files/2021-10/Financial%20Trend%20Analysis_Ransomware%20508%20FINAL.pdf.

^[3] US Department of the Treasury’s Office of Foreign Assets Control, Sanctions Compliance Guidance for the Virtual Currency Industry, OFAC (Oct. 2021), https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf.

^[4] US Department of the Treasury’s Financial Crimes Enforcement Network, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, FinCEN (Nov. 8, 2021).

^[5] US Department of the Treasury’s Financial Crimes Enforcement Network, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, FinCEN (Oct. 1, 2020), https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory%20Ransomware%20FINAL%20508.pdf.

^[6] US Department of the Treasury, Treasury Continues to Counter Ransomware as Part of Whole-of-Government Effort; Sanctions Ransomware Operators and Virtual Currency Exchange, Treasury (Nov. 8, 2021), https://home.treasury.gov/news/press-releases/jy0471.

^[7] US Department of the Treasury’s Office of the Comptroller of the Currency, Chief Counsel’s Interpretation Clarifying: (1) Authority of a Bank to Engage in Certain Cryptocurrency Activities;and (2) Authority of the OCC to Charter a National Trust Bank, OCC (Nov. 18, 2021), https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2021/int1179.pdf.

^[8] Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps, FDIC (Nov. 23, 2021), https://www.fdic.gov/news/press-releases/2021/pr21096a.pdf.

^[9] OFAC sanctioned SUEX OTC, S.R.O., a Russia-based virtual currency exchange, for facilitating transactions involving illicit proceeds from at least eight ransomware variants. Additionally, earlier this year OFAC announced settlements of more than $500,000 and nearly $100,000 with BitPay, Inc. and BitGo, Inc., respectively. The largest Digital Currency Exchange (U.S.), is currently under review by OFAC after voluntarily disclosing potential sanctionable violations.

^[10] US Department of the Treasury, supra note 6.

^[11] US Department of the Treasury’s Office of Foreign Assets Control, Sanctions Compliance Guidance for the Virtual Currency Industry, OFAC (October 2021), https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf.

^[12] James Cook, What Is KYC?, SentiLink Blog (September 21. 2021), https://blog.sentilink.com/what-is-kyc.

^[13] US Department of the Treasury’s Financial Crimes Enforcement Network, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, FinCEN Advisory (November 8, 2021), https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf.

^[14] US Department of the Treasury’s Office of the Comptroller of the Currency, supra note 7.

^[15] Department of Justice Office of Public Affairs, Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside, Justice News (June 7, 2021), https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside.

^[16] Id.

^[17] Department of Justice Office of Public Affairs, Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team, Justice News (October 6, 2021), https://www.sec.gov/news/testimony/gensler-2021-09-14.

^[18] Stablecoins: How Do They Work, How Are They Used, and What Are Their Risk?: Hearing Before the S. Comm. on Banking, Housing, and Urban Affairs, (2021) (statement of Gary Gensler, Chairman, US Sec. and Exch. Comm.), https://www.sec.gov/news/testimony/gensler-2021-09-14.

^[19] The White House, Joint Statement of the Ministers and Representatives from the Counter Ransomware Initiative Meeting October 2021, Briefing Room (October 14, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/10/14/joint-statement-of-the-ministers-and-representatives-from-the-counter-ransomware-initiative-meeting-october-2021/.

^[20] S.2943, 117th Cong. (2021).

^[21] Letitia James, Attorney General James Directs Unregistered Crypto Lending Platforms to Cease Operations In New York, Announces Additional Investigations, Press Release (October 18, 2021), https://ag.ny.gov/press-release/2021/attorney-general-james-directs-unregistered-crypto-lending-platforms-cease.

^[22] H.B. 813, Gen. Assemb., Sess. 2021 (Nc. 2021).

^[23] S.B. 726, Gen. Assemb., Sess. 2021 (Pa. 2021).

Authors

Jeanine P. McGuinness Partner, International Trade and Investment, FCPA & Anti–Corruption

Washington, D.C.

See my bio

D:+1 202 339 8543
E: [email protected]

Practice:

International Trade and Investment
FCPA & Anti–Corruption
Anti‐Money Laundering and Bank Secrecy Act
Mergers & Acquisitions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Jeanine P. McGuinness Partner

Washington, D.C.

Jeanine’s clients include major U.S. and foreign financial institutions, and pharmaceutical, technology, telecommunications, energy, and natural resources companies.

Examples of Jeanine’s experience include:

Represents clients in preparing voluntary self-disclosures, administrative subpoena responses and license applications, and represents companies in connection with enforcement actions by the Treasury Department’s Office of Foreign Assets Control (OFAC)
Provides policy and compliance advice to clients affected by frequent changes in U.S. sanctions, including sanctions targeting Iran, Cuba, and Russia/Ukraine
Assists foreign purchasers of U.S. companies in national security reviews, including navigating the CFIUS process, through preparation of notices, meetings with CFIUS member agencies, advising on follow-on investigations, and negotiating and implementing mitigation agreements
Assists clients in developing and updating economic sanctions, anti-money laundering, and anti-corruption compliance policies and procedures
Represents financial institutions in connection with U.S. federal and state enforcement actions regarding compliance with U.S. anti-money laundering laws and regulations
Represents lenders, underwriters, borrowers, and issuers in international lending and capital markets transactions regarding sanctions, anti-corruption, and anti-money laundering issues
Advises a U.S. trade association and its member banks regarding U.S. sanctions, anti-corruption, and anti-money laundering issues in lending transactions, and prepares guidance for the industry on these matters
Advises financial institutions on the application of U.S. anti-money laundering regulations, with specific emphasis on customer identification program (CIP)/know your customer (KYC)/customer due diligence (CDD) requirements and suspicious activity reporting requirements
Regularly advises private equity and hedge funds regarding compliance with U.S. anti-money laundering and sanctions laws and regulations, including with respect to appropriate provisions in subscription materials and enhanced due diligence on high-risk investors
Advises clients regarding sanctions-related inquiries from the Securities and Exchange Commission (SEC) and state agencies implementing divestment laws and assists clients in preparing sanctions-related disclosure for inclusion in annual reports to the SEC

Jeanine is ranked in both the CFIUS Experts and Export Controls & Economic Sanctions categories by Chambers USA in 2019, 2020, 2021, and 2022. An interviewee had this to say of their experience working with Jeanine, “I am continuously impressed by her extensive knowledge, excellent communication skills and her ability to wrap her subject matter expertise around the details of the matter and then drive conclusions or recommendations for next steps."

Kathryn "Katy" de Visscher Managing Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Boston

See my bio

D:+1 617 880 1800
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kathryn "Katy" de Visscher Managing Associate

Boston

Katy assists clients in their data breach investigations and cybersecurity incident response, including advising clients on data breach notification responsibilities and providing strategic advice on how to manage cybersecurity risks. She advises on enhancing existing privacy and information security policies and procedures, such as online privacy notices.

Her work includes counseling on compliance with the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) for day-to-day business operations and the development of new products.

Katy graduated from Boston College Law School. During that time, she externed in the Data Privacy & Security Unit at the Massachusetts Attorney General’s Office where she supported consumer protection enforcement actions. She also interned with The Future of Privacy Forum and in-house with a leading cloud-based software company.