By John Hintze
New U.S. sanctions on Russia and Belarus highlight the need for banks to have up-to-date defenses to mitigate cyber-related sanctions risk as well as a proactive plan should that risk become reality.In fact, those are the two key steps banks must take to mitigate the risk to banks from U.S. regulators pursuing sanctions-related enforcement actions against them, noted participants on a panel at the recent ABA/ABA Financial Crimes Enforcement Conference
“The most important thing is cyber hygiene and a playbook, a plan for how to handle a potential attack,” says Ilya Shulman, head of sanctions, legal, at J.P. Morgan.
In terms of ransomware attacks, Shulman says, banks should have a step-by-step plan on how to handle them, including securing whatever data possible and quickly notifying law enforcement.
“If those steps are taken, it would take a really unusual set of circumstances for the Office of Foreign Assets Control to respond with an enforcement action,” Shulman says. OFAC is Treasury’s financial intelligence and enforcement unit that administers and enforces economic and trade sanctions in support of national security and foreign policy objectives.
Shulman’s advice applies to both banks and their customers who may experience ransomware attacks, in which perpetrators threaten to publish the victim’s data or block access to it unless a ransom is paid. Such attacks surged in 2021, reports the Information Systems Audit and Control Association.
“If you have that playbook laid out, it’s a matter of just executing it during the event,” says Will Schisa, counsel at Davis Polk and Wardell, in a follow-up interview to the conference session in which he participated.
Schisa says that bank advising or playing an intermediary role to a customer responding to a ransomware attack from a sanctioned entity should handle the situation in accordance with federal guidelines. If it funds the customer’s ransom payment it should file a Suspicious Activity Report, he adds.
A bank customer that has insufficiently prepared to defend against a ransomware attack may prefer to avoid reporting it the authorities, potentially resulting in broader reputational risk for the bank. Schisa says that when a bank has a significant relationship with a customer, the bank’s cybersecurity diligence should include—and typically does—determining whether there is a sufficient incident-response game plan.
“It makes a lot of sense to address not only sanctions and anti-money laundering risk, but the broader risk when dealing with an organization that could be materially impacted on the financial side if their cyber defenses are not up to snuff,” he said.
New targets mean increased risk
New payment technologies such as faster payments occurring in seconds and digital currencies present increased risks to banks, since there may be insufficient time to perform traditional screening for sanctioned persons or entities. In the case of digital currencies, the counterparty may be unknown.
Schulman notes that financial institutions face the dilemma of applying reasonable and risk-based sanctions compliance when customers may not want to complete forms and respond to KYC questions before making every payment, an issue for which OFAC is unlikely to provide prescriptive guidance.
If a bank decides not to screen those payments, it must provide a comprehensive, well-designed risk assessment, Schulman adds, perhaps comparing an evaluation of sample transactions against known sanctions lists.
“The risk assessment aspect is critical,” Schisa says adding that a system that doesn’t include transaction screening should have a record showing the risk is limited and there are other measures in place that further limit the risk.
Similar precautions should be taken in the digital currency space, where traditional banks are expanding their presence. For example, digital-currency custody firm NYDIG and core provider FIS announced a partnership that would enable potentially hundreds of banks, even smaller ones, to enable their customers to buy, sell and hold bitcoin via their bank accounts. Bitcoin counterparties, however, may remain anonymous, making it a favored method to make illegal payments, such as those to sanctioned entities.
Schisa adds that traditional bank defenses, such know-your-customer requirements from Treasury’s Financial Crimes Enforcement Network, still provide protection with emerging payment methods. “At the end of the day, it’s understanding who your customers are, what they do, and the geographic and line-of-business risk,” he says.
Key sanctions violations in 2021 for which OFAC levied fines, according to Association of Certified Sanctions Specialists, included $8.5 million against Union de Bankques Arabes et Françaises for violating Syria-related sanctions, and $2.1 million against Germany’s SAP for violating sanctions against Iran.
Schulman pointed to SAP’s incident to illustrate OFAC’s priorities. The German enterprise software provider made its software available through distributors and third parties to end-users in Iran. It understood the possibility of violating sanctions, he said, because its own audit had highlighted the company’s failure to implement internet-protocol blocking, to prohibit sanctioned-country users’ access to its software downloaded from or made available from the United States.
“One theme there, and that theme recurs in other enforcement actions, is that you really cannot sit on compliance findings [and]findings of potential risk,” Schulman says.
There is no indication that SAP’s lenders were penalized, Schisa says, and lenders are unlikely to face direct enforcement action in such circumstances, given the well-worn precautions banks take to avoid financing sanctions-violating transactions. But it does suggest how a bank may want to approach due diligence of software clients and others whose products and services change hands so easily, he explains, and it is reasonable to inquire how the client addresses those sorts of indirect risks.
Schisa suggests asking whether the bank’s client employs IP blocking, and if not whether it understands who is using its software and how so, and whether it includes terms and conditions in its user agreements and enforces them.
“It’s the more general principle that banks must be aware of what their customers are doing,” Schisa said. “And if the bank knows its customer is doing something that is sanctioned, and the bank’s services are supporting it, then that’s a problem.”
John Hintze is a regular contributor to the ABA Banking Journal and its digital channel ABA Risk and Compliance.
