6 AMLD and OFAC Regulations on Ransomware Attacks

Thursday, 14/01/2021 | 12:54 GMT by Ella Rosenberg
  • 6 AMLD not only affects the EU internal market but the global financial sphere.

The miraculous concept of EU directives is that they affect not only the EU internal market but also the global financial sphere.

A clear-cut example of such an effect is 6 AMLD. 6 AMLD, the new anti-money laundering directive, enforces the new anti-money laundering regime globally. Thus, the directive discusses the following aspects:

  1. Criminal liability - legal and natural persons which are registered as UBOs/nominee directors will fall under intense scrutiny for criminal liability in the respective member states.
  2. The conversion/transfer of property deriving from countries from outside the EU will undergo even more intense scrutiny.
  3. Aiding/abetting or even attempting to conduct alleged money laundering activity will be punishable (in the respective member state) as a criminal offence.
  4. Member states will not be able to issue mitigated circumstance penalties. They are obliged to issue proportionate and dissuasive criminal penalties.
  5. Member states are under the strict obligation to issue additional sanctions for money laundering.
  6. Specific sanctions for legal persons include enhanced judicial enforcement, closing of the institution and increased fines.

New OFAC Advisory Notice on Potential Sanctions Risks Facilitating Ransomware Payments

However, this is not the only piece of legislation that has made waves across the financial realm. The new OFAC advisory notice on the potential sanctions risks of facilitating ransomware payments has demonstrated a new zero-tolerance approach towards financial institutions enabling the ransomware payment. Furthermore, OFAC has taken the advisory notice a step further and issued a license for ransom payments. Therefore, OFAC will review this on a case-by-case basis. With that in mind, victims of ransom are encouraged to report the cases to OFAC.

It may seem that the directive and the advisory notice are not correlated, yet this is far from the truth. The proximity of the implementation of 6 AMLD to the publication of the notice sheds light on a very unattractive truth. Ransomware payments in the crypto industry are slowly, but quite surely, being monitored by both EU and US regulators. In practice, this means an ad-hoc and hands-on regulatory approach to crypto payments in ransom cases.

EU and US Markets Should Tighten and Sharpen Their in-House Cyber Practices

Furthermore, in practice, this means that EMIs and crypto exchanges, which are operating in the EU and US markets, should tighten and sharpen their in-house cyber practices, issue best practices for privacy rights, appoint a much-needed DPO and create an overall system of checks and balances towards their respective clients and business partners.

The misconception that the US and EU markets are not intertwined is a grave one. It can be viewed as a failure to anticipate the regulatory and AML market.

Presently, financial institutions need to pay attention to their AML and due diligence practices as the borders of the EU and US are not confined to geography alone. The age of globalization has stretched and blurred these borders. Thus, only time will tell whether these borders will remain tangible.

Miss Ella Rosenberg, an EU Regulatory and Defense Fintech Expert, and Mr Aviel Marciano, an HLS and due diligence expert, produced this article as a combined effort.


About the Author: Ella Rosenberg
Ms. Rosenberg focuses on EU Law and regulation within the financial, defence, art, and maritime sectors. She has broad experience in digital banking and crypto licensing, implementation of AML/CTF regulatory frameworks for defence companies and art galleries, anti human trafficking, regtech software, tokenization of maritime logistics, formation of compliance teams, and AML and Privacy for publicly listed companies. She serves as the leading point of contact of EU Law in the Middle East, has published in defence and financial magazines, has consulted governmental entities on CTF and AML, and has worked directly with FIUs in the EU and the GCC. She holds an LLB in EU Law from the European Law School, Maastricht University and an LLM in Company and Commercial Law from Erasmus School of Law, Erasmus University Rotterdam; is the head of the Erasmus University Alumni Network in Israel; and is a board member of the Israel Security Business Union.