On January 13, Him Das, the acting head of the Financial Crimes Enforcement Network (FinCEN), highlighted ransomware as a chief national security risk. At the Financial Crimes Enforcement Conference, Das suggested that the current anti-money laundering regulations are insufficient to protect against tech-driven threats, from cyberattacks to digital asset schemes. FinCEN therefore is currently in the midst of enacting new regulations under the Anti-Money Laundering Act of 2020 (AML Act), which will seek to address threats, such as corruption and anti-terrorism, while also taking a proactive approach against crimes tied to ransomware, digital assets, and strategic corruption. To this end, the agency recently issued two Notices of Proposed Rulemaking, the first on December 7, 2021 and the second on January 24, 2022.

One noteworthy proposal from the December notice is who must file a beneficial ownership information (BOI) report, a report intended to help combat “bad actors from using legal entities to hide illicit funds behind anonymous shell companies.”[1]

How Is a BOI Intended to Combat Bad Actors?

  • What is a BOI?
    • A beneficial owner is defined as any individual who meets at least one of two criteria: (1) exercising substantial control over the reporting company; or (2) owning or controlling at least 25% of the ownership interest of the reporting company.
  • Why should it help combat ransomware?
    • Requiring this information will improve transparency for national security, intelligence, and law enforcement agencies and provide greater insight into the flow of funding for illicit activity, including ransomware. Previously, this information has not been required, which has allowed criminals, kleptocrats, and terrorists to hide their identities and bad acts.
  • What, if any, BOI-like provision does the existing AML Act have?
    • The existing AML Act has a 2016 Customer Due Diligence (CDD) Rule, which requires a covered financial institution to (1) identify and verify the identity of customers, (2) identify and verify the identity of the beneficial owners of companies opening accounts, (3) understand the nature and purpose of customer relationships to develop customer risk profiles, and (4) conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. Compared to the CDD, the new regulations would expand the number of companies required to report BOI.

Another noteworthy proposal is the establishment of a limited-duration pilot program that would allow financial institutions to share a suspicious activity report (SAR) with the institution’s foreign branches, subsidiaries, and affiliates.

What is a SAR?

  • A suspicious activity report or “SAR” is a report filed when a financial institution observes suspicious activity in an account. FinCEN is currently promulgating regulations that would create a pilot program to allow a financial institution to share SARs and related information with the institution’s foreign branches, subsidiaries, and affiliates for the purpose of combatting illicit financial risks.

How do SARs combat ransomware?

  • Law enforcement tracks suspicious account information to monitor illicit financial activity. Although the Bank Secrecy Act (BSA) currently prohibits financial institutions and their directors, officers, and employees from notifying any person involved in a suspicious transaction that the transaction was reported, the regulations do not prohibit reporting to the appropriate law enforcement agency. The timely notification of SARs helps law enforcement crack down on money that could be used to fund illicit activity, such as ransomware.

Proposed rulemaking.

  • FinCEN’s prior guidance on sharing SARs within corporate organizational structures was updated in 2006 and 2010. Those guidelines allowed certain sharing between domestic and foreign branches, such as a U.S. bank that could share information with its controlling company. However, these guidelines still required internal controls to protect the confidentiality of the SAR. Under the proposed rulemaking, the pilot program would expand the number of financial institutions that could share SARs and related information with their foreign branches, subsidiaries, and affiliates for the purpose of combating illicit finance risk.

The BOI and SAR provisions are not the only proposals intended to combat ransomware. Guidance from FinCEN also encourages institutions to share information with each other. In a Section 314(b) fact sheet published on December 10, 2020, FinCEN encourages financial institutions to enhance their compliance with anti-money laundering/counter-financing of terrorism requirements. Under Section 314(b) of the USA PATRIOT Act, there is a safe harbor that offers protections from liability to better identify and report activities that may involve money laundering and terrorist activities. Under Section 314(b), information, such as cyber-related data like IP addresses, can be shared.

The AML Act also calls for more engagement with the private sector, and Das urged companies to stay in touch with the bureau as part of a “feedback loop.” He stated, “The data you provide can be leveraged to inform your risk assessments and compliance decisions. The same goes for cyberthreat intelligence data. We are working to create real-time data flows that will help to protect against future cyberattacks.”

At the conference, Das stated, “The entire government is needed to combat the threat of ransomware. It’s not just a FinCEN job, but it is one in which we play a key role, issuing ransomware advisories to highlight new typologies and trends, and bolstering the ability of financial institutions to identify and report ransomware attacks and ransom payments.” Das also noted that several high-profile attacks in 2021 exposed vulnerabilities in the public and private sectors, which incentivized both the U.S. government and regulators to bolster cybersecurity. For example, the U.S. Department of Justice indicted three North Korean military hackers who extorted roughly $1.3 billion by robbing companies, including Sony Pictures. In 2021, FinCEN published a report that noted the number of ransomware-related SARs filed between January 2021 and June 2021 had increased 30% compared to the entire 2020 calendar year.[2]

The threat of ransomware remains top of mind for many, from organizations to government agencies. Troutman Pepper’s privacy professionals have extensive pre- and post-incident response experience and are ready to help businesses mitigate the threat and fallout of ransomware attacks.

[1] See 86 FR 69920.

[2] See Financial Crimes Enforcement Network, “Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021,” available at https://www.fincen.gov/sites/default/files/2021-10/Financial%20Trend%20Analysis_Ransomware%20508%20FINAL.pdf (last visited January 25, 2022).