Hey Compliance Nerd!
Lately there have been quite a few customers contacting us to buy bitcoin because their systems have been infected with ransomware. I saw a tweet last week that suggested that we might get in trouble for this, but I couldn’t find any more information. Obviously I want to be able to help my customers, and I don’t want to do anything illegal.
I hear you! The bitcoin ransomware problem has become so ugly that Public Safety Canada put out a bulletin a while back, and the RCMP discuss it in their cybersecurity overview. Unfortunately, for many victims it’s less expensive and more efficient to simply pay the ransom (which is exactly what the criminals are counting on). If that’s the case, nothing prevents you from selling bitcoin to your customers so they can pay a ransom, but depending on where you’re doing business, there may be a few extra steps.
In Canada, if you’re a Money Services Business (MSB) or other regulated entity, you are required to submit reports, including Suspicious Transaction Reports (STRs), to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). These reports are submitted when you have “reasonable grounds to suspect” that a transaction is related to money laundering or terrorist financing. The odd thing about a ransomware payment is that it is related to fraud, but since the criminals don’t have the funds yet, it isn’t money laundering at the point you sell the bitcoin. We’ve reached out to FINTRAC to confirm this position, which they have taken in the past. Reporting entities that wish to err on the side of caution may still file STRs related to ransomware activity.
This doesn’t, however, mean that you and/or your customer shouldn’t be reporting the scam to local law enforcement. A report can also be made to the Canadian Anti-Fraud Centre online or by phone (1-888-495-8501).
In the U.S., the process that reporting entities must follow is somewhat different. P. Faisal Islam, Director of AML Compliance for Bolt.com, notes that under 18 U.S. Code § 1956 (Laundering of monetary instruments) and 18 U.S. Code § 1957 (Engaging in monetary transactions in property derived from specified unlawful activity) there is liability for entities that process a payment knowing that it is related to ransomware (or any other “specified unlawful activity”). This means that reporting entities operating in the U.S. should consider filing a Suspicious Activity Report (SAR) with the Financial Crimes Enforcement Network (FinCEN) for all cases involving ransomware payments, a position that became very clear recently in a decision against coin.mx.
In all cases, keep a record of what you’ve done, and your rationale for doing so. This type of documentation is helpful to you if you are undergoing an examination, as it allows you to demonstrate to the regulator or examiner that you’ve taken action.
Ransomware-type scams in the U.S. can also be reported to the Internet Crime Complaint Center (IC3), which accepts reports online.