On October 1, 2020, the US Treasury Department issued important guidance on what victims of ransomware attacks, as well as financial institutions (particularly money services businesses (“MSBs”) and other companies that facilitate such payments), should consider when confronted with potential ransomware demands. First, the Office of Foreign Assets Control (“OFAC”) issued an advisory that emphasizes the existing sanctions risks associated with making or facilitating ransomware payments on behalf of companies targeted by malicious cyber-enabled activities and indicates the agency’s position with respect to requests to make prohibited payments.1 This guidance has important implications for businesses across economic sectors that face ransomware demands and the complex legal and practical issues that a ransom or extortion situation can entail. Second, the Financial Crimes Enforcement Network (“FinCEN”) issued an advisory that provides information on trends, typologies and red flags that may be indicative of ransomware payments and related money laundering. Importantly, the advisory provides specific direction with respect to information that financial institutions should include in Suspicious Activity Reports (“SARs”) relating to ransomware attacks and the application of FinCEN registration requirements to companies facilitating ransomware payments.2

Continue reading.