ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
Home Compliance and Risk

Threats from Sanctioned Nations: Cyber Hygiene and a Plan Provide Best Defense for Banks

March 31, 2022
Reading Time: 4 mins read
Threats from Sanctioned Nations: Cyber Hygiene and a Plan Provide Best Defense for Banks

By John Hintze

New U.S. sanctions on Russia and Belarus highlight the need for banks to have up-to-date defenses to mitigate cyber-related sanctions risk as well as a proactive plan should that risk become reality.

In fact, those are the two key steps banks must take to mitigate the risk to banks from U.S. regulators pursuing sanctions-related enforcement actions against them, noted participants on a panel at the recent ABA/ABA Financial Crimes Enforcement Conference

“The most important thing is cyber hygiene and a playbook, a plan for how to handle a potential attack,” says Ilya Shulman, head of sanctions, legal, at J.P. Morgan.

Learn more about the intersection of cybersecurity, financial crimes and compliance at the ABA Regulatory Compliance Conference, June 21-24 in Orlando. Register at aba.com/rcc.
Shulman is referring specifically to ransomware attacks, but the advice is pertinent to the vast majority of financial crimes today that stem from electronic transactions, such as cryptocurrency payments and selling services electronically, and may involve sanctioned persons or entities.

In terms of ransomware attacks, Shulman says, banks should have a step-by-step plan on how to handle them, including securing whatever data possible and quickly notifying law enforcement.

rightwards arrow
View more
risk and compliance articles

“If those steps are taken, it would take a really unusual set of circumstances for the Office of Foreign Assets Control to respond with an enforcement action,” Shulman says. OFAC is Treasury’s financial intelligence and enforcement unit that administers and enforces economic and trade sanctions in support of national security and foreign policy objectives.

Shulman’s advice applies to both banks and their customers who may experience ransomware attacks, in which perpetrators threaten to publish the victim’s data or block access to it unless a ransom is paid. Such attacks surged in 2021, reports the Information Systems Audit and Control Association.

“If you have that playbook laid out, it’s a matter of just executing it during the event,” says Will Schisa, counsel at Davis Polk and Wardell, in a follow-up interview to the conference session in which he participated.

Schisa says that bank advising or playing an intermediary role to a customer responding to a ransomware attack from a sanctioned entity should handle the situation in accordance with federal guidelines. If it funds the customer’s ransom payment it should file a Suspicious Activity Report, he adds.

A bank customer that has insufficiently prepared to defend against a ransomware attack may prefer to avoid reporting it the authorities, potentially resulting in broader reputational risk for the bank. Schisa says that when a bank has a significant relationship with a customer, the bank’s cybersecurity diligence should include—and typically does—determining whether there is a sufficient incident-response game plan.

“It makes a lot of sense to address not only sanctions and anti-money laundering risk, but the broader risk when dealing with an organization that could be materially impacted on the financial side if their cyber defenses are not up to snuff,” he said.

New targets mean increased risk

New payment technologies such as faster payments occurring in seconds and digital currencies present increased risks to banks, since there may be insufficient time to perform traditional screening for sanctioned persons or entities. In the case of digital currencies, the counterparty may be unknown.

Schulman notes that financial institutions face the dilemma of applying reasonable and risk-based sanctions compliance when customers may not want to complete forms and respond to KYC questions before making every payment, an issue for which OFAC is unlikely to provide prescriptive guidance.

If a bank decides not to screen those payments, it must provide a comprehensive, well-designed risk assessment, Schulman adds, perhaps comparing an evaluation of sample transactions against known sanctions lists.

“The risk assessment aspect is critical,” Schisa says adding that a system that doesn’t include transaction screening should have a record showing the risk is limited and there are other measures in place that further limit the risk.

Similar precautions should be taken in the digital currency space, where traditional banks are expanding their presence. For example, digital-currency custody firm NYDIG and core provider FIS announced a partnership that would enable potentially hundreds of banks, even smaller ones, to enable their customers to buy, sell and hold bitcoin via their bank accounts. Bitcoin counterparties, however, may remain anonymous, making it a favored method to make illegal payments, such as those to sanctioned entities.

Schisa adds that traditional bank defenses, such know-your-customer requirements from Treasury’s Financial Crimes Enforcement Network, still provide protection with emerging payment methods. “At the end of the day, it’s understanding who your customers are, what they do, and the geographic and line-of-business risk,” he says.

Key sanctions violations in 2021 for which OFAC levied fines, according to Association of Certified Sanctions Specialists, included $8.5 million against Union de Bankques Arabes et Françaises for violating Syria-related sanctions, and $2.1 million against Germany’s SAP for violating sanctions against Iran.

Schulman pointed to SAP’s incident to illustrate OFAC’s priorities. The German enterprise software provider made its software available through distributors and third parties to end-users in Iran. It understood the possibility of violating sanctions, he said, because its own audit had highlighted the company’s failure to implement internet-protocol blocking, to prohibit sanctioned-country users’ access to its software downloaded from or made available from the United States.

“One theme there, and that theme recurs in other enforcement actions, is that you really cannot sit on compliance findings [and] findings of potential risk,” Schulman says.

There is no indication that SAP’s lenders were penalized, Schisa says, and lenders are unlikely to face direct enforcement action in such circumstances, given the well-worn precautions banks take to avoid financing sanctions-violating transactions. But it does suggest how a bank may want to approach due diligence of software clients and others whose products and services change hands so easily, he explains, and it is reasonable to inquire how the client addresses those sorts of indirect risks.

Schisa suggests asking whether the bank’s client employs IP blocking, and if not whether it understands who is using its software and how so, and whether it includes terms and conditions in its user agreements and enforces them.

“It’s the more general principle that banks must be aware of what their customers are doing,” Schisa said. “And if the bank knows its customer is doing something that is sanctioned, and the bank’s services are supporting it, then that’s a problem.”

John Hintze is a regular contributor to the ABA Banking Journal and its digital channel ABA Risk and Compliance.

Tags: Anti-money launderingBank Secrecy ActFinancial crimesKnow your customerRansomwareSanctionsVendor relations
ShareTweetPin

Related Posts

AI’s rapid rise compels smart risk management for banks

Risk and compliance as strategic growth partners

Compliance and Risk
July 16, 2026

Risk leaders must build relationships, credibility and trust at the bank so their input is valued.

Vought calls for more CFPB oversight, says open banking proposal coming soon

Vought calls for more CFPB oversight, says open banking proposal coming soon

Compliance and Risk
July 15, 2026

Congress should enact legislation to better define “unfair, deceptive, or abusive acts or practices” to avoid abuses by future regulators, and to fund the CFPB through congressional appropriation to make it more responsive to elected officials, CFPB Acting...

ABA urges FCC to modernize calling rules, strengthen fraud protections

ABA expresses support for strengthening FCC’s Robocall Mitigation Database

Compliance and Risk
July 15, 2026

ABA expressed support for the Federal Communications Commission’s draft proposal to strengthen the Robocall Mitigation Database in a letter sent in advance of a vote on issuing the proposal.

Trump orders creation of AI ‘action plan’

White House announces cybersecurity clearinghouse for software patches

Compliance and Risk
July 15, 2026

The White House has announced a cybersecurity “clearinghouse” that would coordinate scanning for software vulnerabilities and the distribution of vulnerability patches.

Kentucky judge blocks enforcement of small business lending rule

House bill would increase transparency about small business lending program risks

Commercial Lending
July 14, 2026

A proposed bill supported by ABA would require the Small Business Administration to provide and make public more details about 7(a) lending program risks.

CFPB, DOJ warn against using immigration status to determine creditworthiness

OCC, FDIC release guidance on lending, undocumented workers

Compliance and Risk
July 13, 2026

Lending to individuals who are not legally authorized to work in the U.S. may present elevated credit risk to financial institutions, the FDIC, OCC and National Credit Union Administration said in joint guidance.

NEWSBYTES

Scott, Vought warn against price controls on credit, bank products

July 16, 2026

CSBS: Community bankers maintain ‘rosy’ outlook despite uncertainties

July 16, 2026

Mortgage rates rise

July 16, 2026

SPONSORED CONTENT

Why Your Systems Keep Slowing Down — and What to Do About It

Examiners Are Now Looking at Your Non-Core Systems

June 11, 2026
Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

June 1, 2026
A Modern Blueprint for Serving High-Net-Worth Families

A Modern Blueprint for Serving High-Net-Worth Families

May 28, 2026
Why Your Systems Keep Slowing Down — and What to Do About It

AI Is in Your Bank. Is Your Cloud Contract Governing It?

May 20, 2026

PODCASTS

Podcast: Understanding the 2025 Home Mortgage Disclosure Act data

July 8, 2026

Podcast: Financing America’s independence

June 29, 2026

Podcast: Talent and innovation in community banking

June 18, 2026

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2026 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2026 American Bankers Association. All rights reserved.