ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
ADVERTISEMENT
Home Compliance and Risk

Threats from Sanctioned Nations: Cyber Hygiene and a Plan Provide Best Defense for Banks

March 31, 2022
Reading Time: 4 mins read
Threats from Sanctioned Nations: Cyber Hygiene and a Plan Provide Best Defense for Banks
ADVERTISEMENT

By John Hintze

New U.S. sanctions on Russia and Belarus highlight the need for banks to have up-to-date defenses to mitigate cyber-related sanctions risk as well as a proactive plan should that risk become reality.

In fact, those are the two key steps banks must take to mitigate the risk to banks from U.S. regulators pursuing sanctions-related enforcement actions against them, noted participants on a panel at the recent ABA/ABA Financial Crimes Enforcement Conference

“The most important thing is cyber hygiene and a playbook, a plan for how to handle a potential attack,” says Ilya Shulman, head of sanctions, legal, at J.P. Morgan.

Learn more about the intersection of cybersecurity, financial crimes and compliance at the ABA Regulatory Compliance Conference, June 21-24 in Orlando. Register at aba.com/rcc.
Shulman is referring specifically to ransomware attacks, but the advice is pertinent to the vast majority of financial crimes today that stem from electronic transactions, such as cryptocurrency payments and selling services electronically, and may involve sanctioned persons or entities.

In terms of ransomware attacks, Shulman says, banks should have a step-by-step plan on how to handle them, including securing whatever data possible and quickly notifying law enforcement.

rightwards arrow
View more
risk and compliance articles

“If those steps are taken, it would take a really unusual set of circumstances for the Office of Foreign Assets Control to respond with an enforcement action,” Shulman says. OFAC is Treasury’s financial intelligence and enforcement unit that administers and enforces economic and trade sanctions in support of national security and foreign policy objectives.

Shulman’s advice applies to both banks and their customers who may experience ransomware attacks, in which perpetrators threaten to publish the victim’s data or block access to it unless a ransom is paid. Such attacks surged in 2021, reports the Information Systems Audit and Control Association.

“If you have that playbook laid out, it’s a matter of just executing it during the event,” says Will Schisa, counsel at Davis Polk and Wardell, in a follow-up interview to the conference session in which he participated.

Schisa says that bank advising or playing an intermediary role to a customer responding to a ransomware attack from a sanctioned entity should handle the situation in accordance with federal guidelines. If it funds the customer’s ransom payment it should file a Suspicious Activity Report, he adds.

A bank customer that has insufficiently prepared to defend against a ransomware attack may prefer to avoid reporting it the authorities, potentially resulting in broader reputational risk for the bank. Schisa says that when a bank has a significant relationship with a customer, the bank’s cybersecurity diligence should include—and typically does—determining whether there is a sufficient incident-response game plan.

“It makes a lot of sense to address not only sanctions and anti-money laundering risk, but the broader risk when dealing with an organization that could be materially impacted on the financial side if their cyber defenses are not up to snuff,” he said.

New targets mean increased risk

New payment technologies such as faster payments occurring in seconds and digital currencies present increased risks to banks, since there may be insufficient time to perform traditional screening for sanctioned persons or entities. In the case of digital currencies, the counterparty may be unknown.

Schulman notes that financial institutions face the dilemma of applying reasonable and risk-based sanctions compliance when customers may not want to complete forms and respond to KYC questions before making every payment, an issue for which OFAC is unlikely to provide prescriptive guidance.

If a bank decides not to screen those payments, it must provide a comprehensive, well-designed risk assessment, Schulman adds, perhaps comparing an evaluation of sample transactions against known sanctions lists.

“The risk assessment aspect is critical,” Schisa says adding that a system that doesn’t include transaction screening should have a record showing the risk is limited and there are other measures in place that further limit the risk.

Similar precautions should be taken in the digital currency space, where traditional banks are expanding their presence. For example, digital-currency custody firm NYDIG and core provider FIS announced a partnership that would enable potentially hundreds of banks, even smaller ones, to enable their customers to buy, sell and hold bitcoin via their bank accounts. Bitcoin counterparties, however, may remain anonymous, making it a favored method to make illegal payments, such as those to sanctioned entities.

Schisa adds that traditional bank defenses, such know-your-customer requirements from Treasury’s Financial Crimes Enforcement Network, still provide protection with emerging payment methods. “At the end of the day, it’s understanding who your customers are, what they do, and the geographic and line-of-business risk,” he says.

Key sanctions violations in 2021 for which OFAC levied fines, according to Association of Certified Sanctions Specialists, included $8.5 million against Union de Bankques Arabes et Françaises for violating Syria-related sanctions, and $2.1 million against Germany’s SAP for violating sanctions against Iran.

Schulman pointed to SAP’s incident to illustrate OFAC’s priorities. The German enterprise software provider made its software available through distributors and third parties to end-users in Iran. It understood the possibility of violating sanctions, he said, because its own audit had highlighted the company’s failure to implement internet-protocol blocking, to prohibit sanctioned-country users’ access to its software downloaded from or made available from the United States.

“One theme there, and that theme recurs in other enforcement actions, is that you really cannot sit on compliance findings [and] findings of potential risk,” Schulman says.

There is no indication that SAP’s lenders were penalized, Schisa says, and lenders are unlikely to face direct enforcement action in such circumstances, given the well-worn precautions banks take to avoid financing sanctions-violating transactions. But it does suggest how a bank may want to approach due diligence of software clients and others whose products and services change hands so easily, he explains, and it is reasonable to inquire how the client addresses those sorts of indirect risks.

Schisa suggests asking whether the bank’s client employs IP blocking, and if not whether it understands who is using its software and how so, and whether it includes terms and conditions in its user agreements and enforces them.

“It’s the more general principle that banks must be aware of what their customers are doing,” Schisa said. “And if the bank knows its customer is doing something that is sanctioned, and the bank’s services are supporting it, then that’s a problem.”

John Hintze is a regular contributor to the ABA Banking Journal and its digital channel ABA Risk and Compliance.

Tags: Anti-money launderingBank Secrecy ActFinancial crimesKnow your customerRansomwareSanctionsVendor relations
ShareTweetPin

Related Posts

ABA Fraudcast: How the ABA Foundation helps banks protect their customers

Compliance and Risk
July 16, 2025

As more older Americans are major targets for criminals, Safe Banking for Seniors is an effective program to inform and defend against targeted scams.

Senate Banking Committee advances OCC, SEC nominations

Gould takes office as comptroller of the currency

Compliance and Risk
July 15, 2025

Jonathan Gould was sworn in as the 32nd comptroller of the currency. He succeeds Rodney Hood, who was acting comptroller for five months.

FDIC withdraws proposed rules on brokered deposits, corporate governance, executive pay

FDIC board advances proposals on industrial banks, supervisory appeals, bank branches

Community Banking
July 15, 2025

The FDIC board voted to roll back Biden-era actions on industrial banks, supervisory appeals and CRA implementation. It also introduced a proposal to streamline the agency’s approval process for new bank branches.

FDIC proposes tying agency regulatory thresholds to inflation

FDIC proposes tying agency regulatory thresholds to inflation

Compliance and Risk
July 15, 2025

The FDIC board voted to advance a proposal to regularly adjust some of the agency’s regulatory thresholds for banks to keep pace with inflation.

The threat from within: Managing insider threat risks

The threat from within: Managing insider threat risks

Compliance and Risk
July 15, 2025

Insights into what may be among the most insidious risks facing banks today, often underestimated and uniquely dangerous.

CFPB warns against collection of ‘legally invalid’ medical debt

Court vacates CFPB medical debt rule

Compliance and Risk
July 14, 2025

A federal court in Texas vacated the CFPB’s medical debt reporting rule after the bureau’s current leadership joined with plaintiffs in asking it to be struck down.

NEWSBYTES

ABA urges lawmakers to take up Dodd-Frank reform

July 15, 2025

Budget reconciliation includes rural and agricultural benefits

July 15, 2025

Gould takes office as comptroller of the currency

July 15, 2025

SPONSORED CONTENT

Navigating Disruption in Ag Lending – Why Tariffs Are Just the Tip of the Iceberg

Navigating Disruption in Ag Lending – Why Tariffs Are Just the Tip of the Iceberg

July 1, 2025
AI Compliance and Regulation: What Financial Institutions Need to Know

Unlocking Deposit Growth: How Financial Institutions Can Activate Data for Precision Cross-Sell

June 1, 2025
Choosing the Right Account Opening Platform: 10 Key Considerations for Long-Term Success

Choosing the Right Account Opening Platform: 10 Key Considerations for Long-Term Success

April 25, 2025
Outsourcing: Getting to Go/No-Go

Outsourcing: Getting to Go/No-Go

April 5, 2025

PODCASTS

Breaking down the bank-related provisions in the big budget bill

July 10, 2025

Podcast: Inside ABA’s new Treasury Check Verification System API

June 25, 2025

Podcast: Staying close to clients amid tariff-driven volatility

June 18, 2025
ADVERTISEMENT

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2025 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2025 American Bankers Association. All rights reserved.