ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
Home Compliance and Risk

How to Contend With a 21st Century Ransom Note

April 15, 2021
Reading Time: 6 mins read
How to Contend With a 21st Century Ransom Note

By Matthew White, Alexander Koskey and Emma L. Marion

Both the Office of Foreign Assets Control and the Financial Crimes Enforcement Network have issued advisories recently regarding regulatory considerations financial institutions should take into account when processing ransom payments.

We saw a substantial increase in ransomware attacks during the COVID-19 pandemic and anticipate that they will continue in 2021. These attacks are also becoming more layered and sophisticated with cybercriminals gaining access to computer networks for extended periods of time.

The advisories include general guidance for financial institutions that are either involved in making a ransom payment or have reasonable knowledge that money is being used by a customer to make a ransom payment. It is this second aspect that adds another dimension of the responsibility on financial institutions they have not previously had to consider. OFAC and FinCEN warn financial institutions and payment intermediaries of potential sanctions risks involved in making ransom payments as well as provide information on requirements for suspicious activity reports under anti-money laundering regulations.

Financial institutions must be especially keen to these advisories both as a potential target of an attack and potential intermediary of a ransom payment involving a customer.

In particular, banks should:

  • Incorporate provisions into third-party vendor contracts to address OFAC compliance issues.
  • Ensure that appropriate red flag indicators are in place to detect, prevent and report suspicious transactions associated with ransomware attacks.
  • Develop and refine protocols for filing a SAR related to a ransomware attack or payment.
  • Review their incident response plans to address potential issues associated with ransomware attacks.

Banks must review and address these issues as soon as possible to reduce potential risk and be better prepared in the event of an attack and to better respond if there is reason to believe its customer is paying a ransom.

Rise of ransomware attacks

Ransomware is a form of malicious software used by attackers to block victims’ access to their computer systems or data, often through encryption. Malicious actors then extort a ransom payment in exchange for restoring access. These attacks can lead to severe consequences, including the loss of data, the publication of proprietary information and the overall loss of business functionality. Malicious actors not only target large corporations but also small and medium-sized businesses, government agencies, hospitals and schools.

The rise in ransomware attacks in recent years has led to the creation of digital forensics and cyber insurance companies designed to assist victims with responding to ransomware attacks. Ransoms paid to malicious actors to regain access to systems or data are often paid through these companies and are usually paid in digital currency through a financial institution. When an intermediary facilitates the payments, they are usually required to register as money services businesses with FinCEN and are exposed to similar regulations as financial institutions. The processing of these payments therefore presents risks to the victim, the financial institution and any intermediaries.

Ransom payments are processed through complex financial pathways designed to mask the identity of the attacker. Consequently, paying the ransom may run the risk of the victim, the financial institution or the payment intermediary knowingly or unknowingly violating U.S. sanctions laws. Additionally, as ransoms become more and more costly, processing these payments may trigger financial institutions or money services businesses’ requirement to file a SAR.

OFAC and FinCEN’s recent advisories highlight the regulations faced by financial institutions and payment intermediaries when processing these payments in response to an attack or when facilitating victims’ payments and provides guidelines in ensuring compliance and reducing risk.

Risks of ransomware payments and guidelines to follow

OFAC designates malicious actors as specially designed nationals and blocked persons, including both perpetrators of ransomware attacks and those who facilitate these attacks through materially assisting, sponsoring or providing financial, material or technological support for ransomware attacks.

OFAC warns in its advisory that U.S. persons are prohibited from directly or indirectly engaging in or facilitating transactions with SDNs or other blocked persons as well as with those covered by comprehensive country or region embargoes such as Cuba, the Russia-occupied Crimea region of Ukraine, Iran, North Korea and Syria.

Financial institutions and intermediaries involved in making payments as a victim of a ransomware attack or in processing other victims’ ransom payments through their services must ensure that the entity to whom they are making a ransomware payment is not on a blocked persons list or located in or affiliated with an embargoed jurisdiction.

OFAC warns that it may impose civil penalties under a strict liability standard for violations, meaning that it may impose civil penalties regardless of whether the person processing the payment knew or should have known that it was engaging in a transaction prohibited under sanctions laws.

When deciding the appropriate enforcement response, OFAC takes into account the adequacy of the violating party’s sanctions compliance program. Therefore, OFAC recommends that financial institutions and other intermediaries such as cyber insurance, digital forensics and incident response services implement a strong risk-based compliance program to mitigate the company’s exposure to potential sanctions violations. Compliance programs should account for the risk that a payment may involve a blocked person or a person or embargoed jurisdiction.

OFAC underlines in its advisory that making or facilitating ransomware payments with a sanctions nexus may enable malicious cyber actors to advance their goals. A ransomware payment made to a sanctioned person or a sanctioned jurisdiction, according to OFAC, may be used to fund activities adverse to national security, may embolden actors to continue to engage in ransomware attacks, and does not guarantee that the malicious actor will actually restore the victim’s access to the encrypted data or systems.

Financial institutions should ensure self-initiated, timely and complete reports of any ransomware attack to law enforcement as well as to Treasury’s Office of Cybersecurity and Critical Infrastructure Protection. Additionally, if a financial institution or intermediary believes that a ransomware payment may involve a sanctions nexus, it should contact OFAC directly.

Detecting and reporting suspicious ransomware payments

FinCEN’s advisory provides helpful guidance for financial institutions and money services businesses to better detect and report suspicious payments as required by FinCEN’s anti-money laundering regulations.

The advisory provides red flag indicators of illicit activity related to ransomware to assist institutions in preventing and detecting suspicious payments made by or through its institution. For example, these red flag indicators include transactions occurring between an organization from a high-risk sector (such as financial, government, educational, health care, etc.) and a digital forensics or cyber insurance company, transactions between a digital forensics or cyber insurance company involving receiving funds followed by sending equivalent funds to a convertible virtual currency exchange shortly after and certain large CVC transactions that are out of the ordinary for that customer. For the full list of red flags, see the advisory.

The FinCEN advisory also delineates reporting requirements that financial institutions and money services businesses must make when they suspect suspicious payment activity. FinCEN reminds financial institutions and money services business of their obligation under anti-money laundering regulations to report suspicious activity by filing SARs with FinCEN. According to FinCEN, SARs should be filed when a suspicious payment is made at or through the institution as well as when the institution is paying a ransom payment itself as victim of a ransomware attack.

A financial institution or money services business is required to file a SAR if it knows, suspects or has reason to suspect that a transaction conducted or attempted by, at or through the institution involves illegal activity when the payment amounts, in one or multiple transactions, to $5,000 or more ($2,000 for money services businesses). FinCEN’s advisory provides detailed information on how and where to file such reports, as well as what type of information to include in these reports. Pursuant to FinCEN’s guidance, financial institutions and MSBs should include protocols for detecting suspicious activity and for correctly filing SARs with FinCEN in their compliance protocols, taking into account FinCEN’s red flag indicators.

Ransomware attacks are becoming more numerous, sophisticated and costly, especially during the COVID-19 pandemic. Pursuant to Treasury’s recent guidance, financial institutions and intermediaries should ensure that they have risk-based compliance programs in place for both sanctions risks and for detecting and reporting suspicious activity. These programs should address both payments made by the institution as a victim of a ransomware attack and ransom payments made by a customer at or through the institution.

These new advisories reinforce the importance of financial institutions doing tabletop exercises to simulate what to do in the event of a ransomware attack or how to respond when a suspicious transaction is identified involving a customer that may be paying a ransom. Simulating these scenarios—and evaluating the variety of different factors that could come into play—is a proactive measure that financial institutions can take to be prepared for when these issues arise in real time.

Matthew G. White, a shareholder in the Memphis office of Baker Donelson, advises clients on a wide variety of cybersecurity and data privacy issues. Alexander F. Koskey, an attorney in Baker Donelson’s Atlanta office, represents financial institutions and organizations on a wide range of data privacy, regulatory and compliance and litigation matters. As an associate in Baker Donelson’s Chattanooga office, Emma Marion assists clients in business and intellectual property-related litigation matters as well as in data protection, privacy and cybersecurity advising.

Tags: Anti-money launderingBank Secrecy ActCOVID-19Financial crimesRansomwareReportingSanctions
ShareTweetPin

Related Posts

ABA, BPI support proposed process to create drone no-fly zones

ABA, BPI support proposed process to create drone no-fly zones

Cybersecurity
July 7, 2026

In a joint letter to the FAA, ABA and BPI said that unauthorized unmanned aircraft activity near financial institution sites can create “obvious and legitimate risk” to physical security as well as cybersecurity, as the technology can be...

How to Talk About Your Bank’s Fintech Collaborations

The trust dividend

Technology
July 7, 2026

How regulatory and consumer expectations are shifting how partner banks compete for fintech deposits.

FCC grants ABA-requested extension of ‘revoke all’ rule’s effective date

ABA joins with consumer rights group to protect fraud alerts

Compliance and Risk
July 1, 2026

ABA joined with the National Consumer Law Center and ACA International in proposing to the FCC a rewrite of the “revoke all” rule. The rule is set to take effect on January 31, 2027, but the FCC is...

A close call with fraud

ABA Fraudcast: Defending customers from wire fraud

Compliance and Risk
July 1, 2026

'It's asking questions like: Have you been coached? Is someone telling you to do this? Is this going into an account that you opened or authorized to be opened?'

Republican lawmakers urge Trump officials to preserve CDFI Fund

House committee advances ABA-backed bills on fair credit liability, check fraud

Compliance and Risk
June 30, 2026

The House Financial Services Committee advanced legislation that would align Fair Credit Reporting Act liability with other financial consumer protection laws, reform the Securities and Exchange Commission and give banks more time to verify suspicious checks. The three...

FinCEN issues alert on oil smuggling schemes along southwest border

FinCEN issues alert on fuel smuggling schemes linked to Mexican cartels

Compliance and Risk
June 30, 2026

FinCEN issued a supplemental alert for financial institutions on suspicious activity connected to Cartel de Jalisco Nueva Generacion and other Mexico-based transnational criminal organizations smuggling fuel from the U.S. into Mexico in schemes involving Mexican tax evasion known...

NEWSBYTES

Podcast: Understanding the 2025 Home Mortgage Disclosure Act data

July 8, 2026

CFPB RFI seeks to reduce regulatory burdens, promote mortgage credit access

July 8, 2026

Fed seeks comments on changes to AML program rules, aligns with other agencies

July 8, 2026

SPONSORED CONTENT

Why Your Systems Keep Slowing Down — and What to Do About It

Examiners Are Now Looking at Your Non-Core Systems

June 11, 2026
Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

June 1, 2026
A Modern Blueprint for Serving High-Net-Worth Families

A Modern Blueprint for Serving High-Net-Worth Families

May 28, 2026
Why Your Systems Keep Slowing Down — and What to Do About It

AI Is in Your Bank. Is Your Cloud Contract Governing It?

May 20, 2026

PODCASTS

Podcast: Understanding the 2025 Home Mortgage Disclosure Act data

July 8, 2026

Podcast: Financing America’s independence

June 29, 2026

Podcast: Talent and innovation in community banking

June 18, 2026

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2026 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2026 American Bankers Association. All rights reserved.