FinCEN Releases Updated Ransomware Advisory

FinCEN released FinCEN Advisory FIN-2021-A004 on ransomware and the use of the financial system to facilitate ransom payments. The updated advisory replaces the one issued on Oct. 15, 2020, and is intended to alert financial institutions to the predominant trends, typologies, and potential red flags of ransomware and associated money laundering activities. The updated advisory identifies new trends and typologies of ransomware and associated payments, including the growing proliferation of anonymity-enhanced cryptocurrencies (AECs) and decentralized mixers.

Ransomware is a form of malicious software designed to block access to a computer system or data that is used to extort ransom payments from victims in exchange for restoring victims’ access to their systems or data. Ransomware attacks are a growing concern for the financial sector due to the critical role financial institutions play in the collection of ransom payments. Processing ransomware payments is typically a multi-step process that involves at least one depository institution and one or more money service business.

The severity and sophistication of ransomware attacks continue to rise across various sectors, particularly across governmental entities, and financial, educational, and health care institutions. Ransomware attacks on small municipalities and healthcare organizations have increased, likely due to victims’ weaker cybersecurity controls, such as adequate system backups and ineffective incident response capabilities.

Cybercriminals using ransomware often resort to common tactics, such as wide-scale phishing and targeted spear-phishing campaigns that induce victims to download a malicious file or go to a malicious site, exploit remote desktop protocol endpoints and software vulnerabilities, or deploy “drive-by” malware attacks that host malicious code on legitimate websites. Proactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency is often the best defense against ransomware.

While there is no one financial red flag indicator, credit unions should consider the relevant facts and circumstances of each transaction. Some of the potential red flags include:

  • A financial institution or its customer detects IT enterprise activity that is connected to ransomware cyber indicators or known cyber threat actors. Malicious cyber activity may be evident in system log files, network traffic, or file information.
  • When opening a new account or during other interactions with the financial institution, a customer provides information that a payment is in response to a ransomware incident.
  • A customer’s CVC address, or an address with which a customer conducts transactions is connected to ransomware variants, payments, or related activity. These connections may appear in open sources or commercial or government analyses. A transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare), and a DFIR or CIC, especially one known to facilitate ransomware payments.
  • An irregular transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare) and a DFIR or CIC, especially one known to facilitate ransomware payments.
  • A DFIR or CIC customer receives funds from a customer company and shortly after receipt of funds sends equivalent amounts to a CVC exchange.
  • A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution, yet inquires about or purchases CVC (particularly if in a large amount or rush requests), which may indicate the customer is a victim of ransomware.
  • A customer that has no or limited history of CVC transactions sends a large CVC transaction, particularly when outside a company’s normal business practices.
  • A customer that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB.
  • A customer uses a foreign-located CVC exchanger in a high-risk jurisdiction lacking, or known to have inadequate, AML/CFT regulations for CVC entities.
  • A customer receives CVC from an external wallet, and immediately initiates multiple, rapid trades among multiple CVCs, especially AECs, with no apparent related purpose, followed by a transaction off the platform. This may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
  • A customer initiates a transfer of funds involving a mixing service.
  • A customer uses an encrypted network (e.g., the onion router) or an unidentified web portal to communicate with the recipient of the CVC transaction.

Credit unions should determine if filing a SAR is required and appropriate when dealing with an incident of ransomware conducted by, at, or through the credit union, including ransomware payments made by credit unions that were victims of ransomware.

Question of the Week

Q. A member gives her debit card and PIN to another person to do occasional purchases. Subsequently, this person withdraws cash for himself. Is the member liable for the total amount of the withdrawals or would the credit union have to refund the funds to the member?

A. The credit union may hold the member liable. The transactions would not be considered “unauthorized” if the member gave the individual access to the account and did not notify the credit union that transfers by that person were no longer permissible. Therefore, the transaction would not be considered “unauthorized” under 12 CFR 1005.2(m)(1).


12 CFR 1005.2(m)(1)

Compliance Alerts

National Credit Union Administration

Interagency Statement on Supervisory and Enforcement Practices Regarding the Mortgage Servicing Rules in Response to the Continuing COVID-19 Pandemic and CARES Act: The NCUA issued letter to credit 21-CU-14 to inform credit unions of a joint statement issued by the NCUA and other federal financial institution regulatory agencies. The joint statement announces that the agencies believe the temporary supervisory and enforcement flexibility in the April 2020 joint statement is no longer necessary. The agencies will now apply their normal supervisory and enforcement authorities to address any noncompliance or violations of RESPA mortgage servicing rules that occur after the date of this interagency statement.

Consumer Financial Protection Bureau

HMDA Open-end Line of Credit Threshold Adjustment Reminder: The CFPB released a reminder to financial institutions that the threshold for reporting HMDA data about open-end lines of credit will adjust to 200 open-end lines of credit, effective Jan. 1, 2022.

Financial Crimes Enforcement Network

Advisory on Ransomware and the Use of Financial System to Facilitate Ransom Payments: FinCEN issued Advisory FIN-2021-A004 to replace and update a previous advisory on ransomware and the use of the financial system to facilitate ransom payments.

Office of Foreign Assets Control

OFAC has updated the SDN list as of Nov. 15. The last update prior to this was Oct. 29.

­­­­­­­Questions? Contact the Compliance Hotline: 1.800.546.4465;

Posted in Compliance News, Compliance News, Compliance Question.