On March 7, 2022, the Financial Crimes Enforcement Network (FinCEN) issued an alert advising financial institutions to be vigilant against efforts to evade the expansive and unprecedented sanctions implemented by the United States and its allies in connection with Russia’s invasion of Ukraine. According to FinCEN Acting Director Him Das, “[i]n the face of mounting economic pressure on Russia, it is vitally important for U.S. financial institutions to be vigilant about potential Russian sanctions evasion, including by both state actors and oligarchs. Although we have not seen widespread evasion of our sanctions using methods such as cryptocurrency, prompt reporting of suspicious activity contributes to our national security and our efforts to support Ukraine and its people.”
The FinCEN alert provides several examples of red flags to assist in identifying suspected sanctions evasion activity, building on the U.S. Treasury Department’s Office of Foreign Assets Controls (OFAC) 2015 advisory, which highlighted practices used to evade or circumvent Russia-related sanctions following Russia’s annexation of Crimea. The alert also reminds financial institutions of their obligations under the Bank Secrecy Act (BSA), including monitoring for, and reporting suspicious activity, and conducting risk-based customer due diligence or enhanced due diligence.
While the alert addresses all financial institutions, it specifically calls out those with visibility into convertible virtual currency (CVC) flows, such as CVC exchangers and administrators. Previously, OFAC and the New York State Department of Financial Services warned that, as sanctioned persons and jurisdictions “become more desperate for access to the U.S. financial system,” they are likely to turn to cryptocurrency to minimize the crippling effect of sanctions. In addition, FinCEN reminds financial institutions of the risks posed by Russian-related ransomware attacks.
Select Sanctions Evasion Red Flags
The latest FinCEN alert highlights seven red flags that may be indicative of sanctions evasion activities by Russian and Belarusian actors, including through non-sanctioned Russian and Belarusian financial institutions and financial institutions in third countries:
- The use of corporate vehicles, such as shell companies, to obscure ownership, source of funds, or countries involved to obscure (i) ownership, (ii) source of funds, or (iii) countries involved, particularly sanctioned jurisdictions.
- The use of shell companies for international wire transfers, often involving financial institutions in jurisdictions distinct from company registration.
- The use of third parties to shield the identity of sanctioned persons and/or senior foreign political figures, their families, and their associates, (collectively, foreign Politically Exposed Persons (PEPs)), to hide the origin or ownership of funds, for example, to hide the purchase and sale of real estate.
- Accounts in jurisdictions or with financial institutions that are experiencing a sudden rise in value being transferred to them, without a clear economic or business rationale.
- Jurisdictions previously associated with Russian financial flows that are experiencing an increase in new company formations.
- Newly established accounts that attempt to send or receive funds from a sanctioned institution or an institution removed from the Society for Worldwide Interbank Financial Telecommunication (SWIFT).
- Non-routine foreign exchange transactions that may indirectly involve sanctioned Russian financial institutions, including transactions that are inconsistent with activity over the prior 12 months. For example, FinCEN specifically warns that the Central Bank of the Russian Federation may seek to use import or export companies to engage in foreign exchange transactions on its behalf and to obfuscate its involvement.
FinCEN recognizes that “large scale sanctions evasion” using cryptocurrency by a government such as the Russian Federation may not be “necessarily practicable,” and the Blockchain Association has assured the market and the regulators that “it’s very easy” for crypto exchanges “to comply with sanctions, just like any other financial institution.” Nevertheless, the alert warns that sanctioned entities and individuals and their networks or facilitators may attempt to use crypto currency and anonymizing tools to evade U.S. sanctions. FinCEN urges CVC exchangers and administrators, among other financial institutions, to be on the lookout for attempted or completed transactions tied to crypto wallets or other activity associated with sanctioned Russian, Belarusian, and other affiliated persons, providing three additional red flags:
- A customer’s transactions are initiated from or sent to Internet Protocol addresses previously flagged as suspicious or from/to: non-trusted sources; locations in Russia; Belarus; jurisdictions identified by the Financial Action Task Force with anti-money laundering (AML) deficiencies; or comprehensively sanctioned jurisdictions.
- A customer’s transactions are connected to CVC addresses listed on OFAC’s Specially Designated Nationals (SDN) and Blocked Persons List.
- A customer uses a crypto currency exchanger or foreign-located MSB in a high-risk jurisdiction with AML/CFT/CP deficiencies, including inadequate “know-your-customer” or customer due diligence measures.
Select Ransomware Attacks Red Flags
The alert also emphasizes the “dangers posed by Russian-related ransomware campaigns.” These dangers are palpable in light of Russia-based cybercrime group Conti’s recent vow to attack the Kremlin’s enemies. Drawing attention to the previous guidance by FinCEN and OFAC, the alert highlights the following red flags:
- A customer receives crypto currency from an external wallet and immediately initiates multiple, rapid trades among multiple crypto currencies with no apparent related purpose, followed by a transaction off the platform. FinCEN notes that this may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
- A customer initiates a transfer of funds involving a crypto currency mixing service.
- A customer has direct or indirect receiving transaction exposure identified by blockchain tracing software as related to ransomware.
The alert serves as another reminder to financial institutions of their BSA-related obligations. In light of OFAC’s increased designations of Russian oligarchs and their family members as SDNs, FinCEN’s diligence reminders include financial institution’s obligations (1) to ascertain the status of an individual as a foreign PEP and to conduct scrutiny of assets held by such individuals and (2) to identify and verify the identity of beneficial owners of legal entity customers, which will facilitate the identification of legal entities that may be owned or controlled by foreign PEPs.
FinCEN also connects this increased PEP risk to certain financial institutions’ obligations to implement a due diligence program for private banking accounts held for non-U.S. persons. Such due diligence should be designed to detect and report any known or suspected money laundering or other suspicious activity.
There are also additional due diligence obligations related to maintaining correspondent accounts for foreign financial institutions, an issue of high importance following OFAC’s new prohibitions on U.S. correspondence and payable-through account access for Russia’s largest financial institution, Sberbank, which take effect on March 26, 2022. The alert reminds banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities of their obligation to comply with the due diligence obligations for correspondent accounts. These include the obligation to: (1) assess the money laundering risk presented by correspondent accounts; (2) apply risk-based procedures and controls to correspondent accounts reasonably designed to detect and report known or suspected money laundering activity; and (3) assess whether enhanced due diligence is required.
FinCEN notes that reporting suspicious activity is critical to U.S. “national security and our efforts to support Ukraine and its people.” In this regard, the alert provides guidance on filing SARs related to suspicious activity involving Russia-related sanctions evasion and ransomware attacks. When filing ransomware SARs, financial institutions are encouraged to provide any relevant technical cyber indicators. Relatedly, financial institutions, including crypto exchanges, should report ransomware attacks and payments directly to OFAC if a potential sanctions nexus exists.
In addition, when blocking or rejecting transactions involving sanctioned persons and jurisdictions, FinCEN reminds financial institutions that they should generally file SARs in addition to OFAC blocking and rejected transaction reports, to the extent the facts and circumstances surrounding the OFAC match are “independently suspicious” and otherwise required to be reported under FinCEN regulations.
Finally, the alert strongly encourages financial institutions to share information regarding suspicious activities with one another under the safe harbor authorized by section 314(b) of the USA PATRIOT Act. FinCEN emphasizes that such information sharing is “critical to identifying, reporting, and preventing evolving sanctions evasion, ransomware/cyber attacks, and laundering of the proceeds of corruption.”
The unprecedented and expansive Russia-related sanctions are reportedly already presenting significant compliance challenges to financial institutions. And there are signs enforcement activities will likely intensify. On March 2, the Department launched Task Force KleptoCapture, an interagency law enforcement task force dedicated to enforcing sanctions. Among other things, the Task Force will: (1) investigate and prosecute Russia-related sanctions violations; (2) combat efforts to undermine restrictions against Russian financial institutions, “including the prosecution of those who try to evade know-your-customer and anti-money laundering measures”; and (3) target efforts to use cryptocurrency to evade U.S. sanctions. And on March 3, the Department unsealed its first-ever criminal indictment charging a violation of Crimea-related sanctions violations.
In light of the increased regulatory, enforcement, and reputational risk, financial institutions should consider whether to adjust compliance resources to ensure they are quickly identifying and reporting suspicious activity associated with potential sanctions evasion.