On January 13, Him Das, the acting head of the Financial Crimes Enforcement Network (FinCEN), highlighted ransomware as one of the top national security risks. At Conference on the fight against financial crime, Das suggested that current anti-money laundering regulations are insufficient to protect against technological threats, from cyberattacks to digital asset systems. FinCEN is therefore currently in the process of enacting new regulations under the Anti-Money Laundering Act of 2020 (AML Act), which will aim to address threats, such as corruption and anti-terrorism, while taking a proactive approach. against crimes related to ransomware, digital assets and strategic corruption. To that end, the agency recently issued two notices of proposed rulemaking, the first on December 7, 2021 and the second on January 24, 2022.
A notable proposal from the December notice is who should file a Beneficial Ownership Information (BOI) report, a report intended to help combat “bad actors who use corporate entities to hide illicit funds behind anonymous front companies”.
How is a BOI meant to fight bad actors?
- What is a BOI?
- A beneficial owner is defined as any natural person who meets at least one of the following two criteria: (1) exercises substantial control over the reporting company; or (2) owning or controlling at least 25% of the interest of the reporting company.
- Why should it help fight ransomware?
- Requiring this information will improve transparency for national security, intelligence, and law enforcement agencies and provide better insight into the flow of funding for illicit activities, including ransomware. Previously, this information was not required, allowing criminals, kleptocrats, and terrorists to hide their identities and wrongdoings.
- If so, what BOI-type provision does the existing AML law contain?
- The existing AML Act contains a 2016 Customer Due Diligence (CDD) Rule, which requires a covered financial institution to (1) identify and verify the identity of customers, (2) identify and verify the identity of beneficial owners of companies opening accounts, (3) understand the nature and purpose of customer relationships to develop customer risk profiles, and (4) conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. Compared to the CDD, the new regulations would increase the number of companies required to declare the BOI.
Another noteworthy proposal is the establishment of a time-limited pilot program that would allow financial institutions to share a Suspicious Activity Report (SAR) with foreign branches, subsidiaries and affiliates of the institution.
What is a SAR?
- A Suspicious Activity Report or “SAR” is a report when a financial institution has observed suspicious activity in an account. FinCEN is currently enacting regulations that would create a pilot program for a financial institution to share SARs and related information with the institution’s foreign branches, subsidiaries, and affiliates for the purpose of combating illicit financial risk.
How do SARs fight ransomware?
- Law enforcement agencies track suspicious account information to monitor illicit financial activity. While currently under the Bank Secrecy Act (BSA) financial institutions and their directors, officers and employees are prohibited from telling anyone involved in a suspicious transaction that the transaction has been reported, the Regulations do not prohibit reporting to the appropriate law enforcement agency. Prompt notification of SARs helps law enforcement crack down on money that could be used to fund illicit activities, such as ransomware.
- Previous FinCEN guidelines on sharing SAR within corporate organizational structures were updated in 2006 and 2010. These guidelines allowed for some sharing between domestic and foreign branches, such as a US bank that could share information with its controlling company. However, these guidelines still required internal controls to protect the confidentiality of the DAS. Under the proposed regulations, the pilot program would increase the number of financial institutions that could share SARs and related information with their overseas branches, subsidiaries and affiliates in an effort to combat the risk of illicit financing. .
The BOI and SAR provisions are not the only proposals intended to combat ransomware. FinCEN guidance also encourages institutions to share information with each other. In a Section 314(b) Fact Sheet published on December 10, 2020, FinCEN encourages financial institutions to strengthen their compliance with anti-money laundering and anti-terrorist financing requirements. Under Section 314(b) of the USA PATRIOT Act, there is a safe harbor that provides liability protections to better identify and report activities that may involve money laundering and terrorist activity. Under Section 314(b), information, such as cybersecurity-related data like IP addresses, can be shared.
The AML Act also calls for more engagement with the private sector, and Das urged companies to keep in touch with the bureau as part of a “feedback loop.” He said: “The data you provide can be leveraged to inform your risk assessments and compliance decisions. The same goes for cyber threat intelligence data. We are working to create real-time data feeds that will help protect against future cyberattacks.
During the conference, Das said, “The whole of government is needed to fight the threat of ransomware. It’s not just a job of FinCEN, but it’s a job we play a key role in, issuing ransomware advisories to highlight new typologies and trends, and building the capacity of financial institutions identify and report ransomware attacks and ransom payments. Das also noted that several high-profile attacks in 2021 affected public and private sector vulnerabilities, prompting both the US government and regulators to tighten cybersecurity. For example, the US Department of Justice has indicted three North Korean military hackers who extorted around $1.3 billion by robbing companies including Sony Pictures. In 2021, FinCEN published a report which noted that the number of ransomware-related SARs filed between January 2021 and June 2021 had increased by 30% compared to the whole of calendar year 2020.
The threat of ransomware remains a major concern for many, from organizations to government agencies. Troutman Pepper’s privacy professionals have extensive pre- and post-incident response experience and are ready to help organizations mitigate the threat and avoid ransomware attacks.
 See 86FR 69920.
 See Financial Crime Network, “Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021” available at https://www.fincen.gov/sites/default/files/2021-10/Financial%20Trend%20Analysis_Ransomware%20508%20FINAL.pdf (last visit January 25, 2022).