Treasury Department Tells Companies to Comply With SanctionsNew Crypto-Based Guidelines Target Anonymous Money Laundering Activity
The U.S. Department of the Treasury unveiled additional steps to curb the illicit use of cryptocurrencies on Friday, warning enterprises not to engage with sanctioned entities exploiting the financial system - particularly to launder ransomware proceeds.
The sanctions guidelines, announced by the Treasury Department's Office of Foreign Assets Control, or OFAC, effectively puts the private sector on notice - ensuring that crypto operators do not directly or indirectly facilitate payments restricted by U.S. sanctions.
This follows the first-ever designation of a virtual currency exchange for allegedly facilitating transactions for ransomware actors. Treasury officials say the guidance outlines best practices "tailored to the unique risks posed in [the] dynamic [cryptocurrency] space" (see: US Treasury Blacklists Russia-Based Crypto Exchange).
"Ransomware actors are criminals who are enabled by gaps in compliance regimes across the global virtual currency ecosystem," says Deputy Secretary of the Treasury Wally Adeyemo. "Treasury is helping to stop ransomware attacks by making it difficult for criminals to profit from their crimes, but we need partners in the private sector to help prevent this illicit activity."
In a statement, the department calls the actions "part of the Biden administration's focused, integrated effort to counter the ransomware threat."
Treasury officials noted Friday that "the private sector plays a key role by implementing appropriate sanctions and anti-money laundering/countering the financing of terrorism controls to prevent sanctioned persons and other illicit actors from exploiting virtual currencies and undermining U.S. foreign policy and national security interests."
Michael Fasanello, who has served in various roles within the U.S. Justice and Treasury departments, including for Treasury's Financial Crimes Enforcement Network, or FinCEN, tells Information Security Media Group, "Today's actions by the Treasury Department come as no surprise. Crypto transactions have always been governed by U.S. sanctions policy administered by OFAC, as made clear time after time through enforcement actions and designations of blacklisted persons, entities, and now digital addresses."
Sanctions Compliance - The Specifics
Issued through an OFAC brochure, the guidelines say virtual currency payments may pose sanctions risks - if blacklisted entities are involved.
OFAC's guidelines apply to the virtual currency industry "in the same manner as they do to traditional financial institutions," carrying both civil and criminal penalties for failure to comply, officials say.
The document continues: "OFAC encourages members of the virtual currency industry to evaluate their exposure to OFAC sanctions and take steps to minimize their risks."
The new document, they continue, also provides examples of compliance best practices for operators in the space - including technology companies, exchanges, administrators, miners, and wallet providers - as well as traditional financial institutions "that may have exposure to virtual currencies."
OFAC also states, "[Cryptocurrency companies should] incorporate geolocation tools and IP address blocking controls. Virtual currency companies with strong … programs should be able to use geolocation tools to identify and prevent IP addresses that originate in sanctioned jurisdictions from accessing a company’s website and services for activity that is prohibited by OFAC’s regulations."
The document notes: "Transaction monitoring and investigation software can [also] be used to identify transactions involving virtual currency addresses or other identifying information (e.g., originator, beneficiary, originating and beneficiary exchanges, and underlying transactional data) associated with sanctioned individuals and entities listed on Treasury's Specially Designated Nationals and Blocked Persons List, or other sanctions lists, or located in sanctioned jurisdictions."
In its press statement, department officials say, "Industry participants should consider incorporating the elements and controls outlined in the brochure into their … compliance programs. If ignored or mishandled, sanctions are vulnerabilities that can lead to violations and subsequent enforcement actions, as well as harm U.S. foreign policy and national security interests."
Fasanello, currently the director of training and regulatory affairs for the firm Blockchain Intelligence Group, adds, "Because the economic sanctions are so intimately related to U.S. foreign policy and national security interests, the resulting enforcement actions can pose significant economic and reputational harm to industry participants and their clients. This is not an area of regulatory compliance to treat lightly."
Other Federal Efforts
The announcement is the latest in a series of moves from the Biden administration to combat ransomware, following high-profile attacks this year that have disrupted the East Coast's fuel supply during the Colonial Pipeline incident; jeopardized the nation's meat supply by attacking JBS USA; and knocking some 1,500 downstream organizations offline by zeroing in on managed service provider, Kaseya, over the July Fourth holiday.
Last month, the Treasury Department blacklisted Russia-based cryptocurrency exchange, Suex, for allegedly laundering tens of millions of dollars for ransomware operators, scammers and darknet markets.
In its latest issuance, the department alleges that over 40% of Suex’s transaction history had been associated with illicit actors, involving the proceeds from at least eight ransomware variants.
Similarly, this week, the White House National Security Council facilitated a 30-nation, two-day "counter-ransomware" event, which found senior officials strategizing on ways to improve network resiliency, addressing illicit cryptocurrency usage, and ways to heighten law enforcement collaboration and diplomacy. Noticeably absent from the virtual event: Russia, long viewed as an aggressor in cyberspace (see: US Convenes Global Ransomware Summit Without Russia).
At the end of the mostly private two-day event, the White House claimed that measurable progress had been made. In a statement, the administration said, "[The nations gathered at the event] recognize that ransomware is an escalating global security threat" and that it "poses a significant risk to critical infrastructure, essential services, public safety, consumer protection and privacy, and economic prosperity."
"Together, we must take appropriate steps to counter cybercriminal activity emanating from within our own territory and impress urgency on others to do the same in order to eliminate safe havens for the operators who conduct such disruptive and destabilizing operations," the White House said Thursday.