On March 7, the Financial Crimes Enforcement Network (“FinCEN”) issued an alert “advising all financial institutions to be vigilant against potential efforts to evade the expansive sanctions and other U.S.-imposed restrictions implemented in connection with the Russian Federation’s further invasion of Ukraine.” The press release is here. The alert itself is here.
FinCEN’s alert seeks to provide “red flags to assist in identifying potential sanctions evasion activity and reminds financial institutions of their Bank Secrecy Act (BSA) reporting obligations, including with respect to convertible virtual currency (CVC).” The alert stresses the following:
Since February 2022, and in response to Russia’s further invasion of Ukraine, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken several significant sanctions actions related to the Russian financial services sector pursuant to Executive Order (E.O.) 14024, including: a determination by the Secretary of the Treasury with respect to the financial services sector of the Russian Federation that authorizes sanctions against persons determined to operate or to have operated in that sector; correspondent or payable-through account and payment processing prohibitions on certain Russian financial institutions; the blocking of certain Russian financial institutions; expanding sovereign debt prohibitions to apply to new issuances in the secondary market; prohibitions related to new debt and equity for certain Russian entities; and a prohibition on transactions involving certain Russian government entities, including the Central Bank of the Russian Federation. OFAC also imposed sanctions on Russian Federation President Vladimir Putin, and Minister of Foreign Affairs Sergei Lavrov. In a related action, OFAC designated certain Belarusian persons, including financial institutions, due to Belarus’ support for, and facilitation of, the invasion. Most recently, OFAC and the U.S. Department of State intensified pressure on Russia by sanctioning numerous Russian elites and their family members, identifying certain property of these persons as blocked, and sanctioning Russian intelligence-directed disinformation outlets and defense-related firms.
FinCEN’s alert therefore observes that, due to these actions, sanctioned Russian and Belarusian actors may seek to evade sanctions. To that end, FinCEN offers the following potential “red flags” regarding such evasive behavior:
- Use of corporate vehicles (i.e. legal entities, such as shell companies, and legal arrangements) to obscure (i) ownership, (ii) source of funds, or (iii) countries involved, particularly sanctioned jurisdictions.
- Use of shell companies to conduct international wire transfers, often involving financial institutions in jurisdictions distinct from company registration.
- Use of third parties to shield the identity of sanctioned persons and/or PEPs seeking to hide the origin or ownership of funds, for example, to hide the purchase or sale of real estate.
- Accounts in jurisdictions or with financial institutions that are experiencing a sudden rise in value being transferred to their respective areas or institutions, without a clear economic or business rationale.
- Jurisdictions previously associated with Russian financial flows that are identified as having a notable recent increase in new company formations.
- Newly established accounts that attempt to send or receive funds from a sanctioned institution or an institution removed from the Society for Worldwide Interbank Financial Telecommunication (SWIFT).
- Non-routine foreign exchange transactions that may indirectly involve sanctioned Russian financial institutions, including transactions that are inconsistent with activity over the prior 12 months. For example, the Central Bank of the Russian Federation may seek to use import or export companies to engage in foreign exchange transactions on its behalf and to obfuscate its involvement.
Moreover, FinCEN offers the following red flags specific to sanctions and convertible virtual currency transactions, and regarding potential Russian-related ransomware campaigns:
- A customer’s transactions are initiated from or sent to the following types of Internet Protocol (IP) addresses: non-trusted sources; locations in Russia, Belarus, FATF-identified jurisdictions with AML/CFT/[counter-proliferation, or “CP”] deficiencies, and comprehensively sanctioned jurisdictions; or IP addresses previously flagged as suspicious.
- A customer’s transactions are connected to CVC addresses listed on OFAC’s Specially Designated Nationals and Blocked Persons List.
- A customer uses a CVC exchanger or foreign-located MSB in a high-risk jurisdiction with AML/CFT/CP deficiencies, particularly for CVC entities and activities, including inadequate “know-your-customer” or customer due diligence measures.
- A customer receives CVC from an external wallet, and immediately initiates multiple, rapid trades among multiple CVCs with no apparent related purpose, followed by a transaction off the platform. This may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
- A customer initiates a transfer of funds involving a CVC mixing service.
- A customer has either direct or indirect receiving transaction exposure identified by blockchain tracing software as related to ransomware.
Finally, FinCEN requests that financial institutions reference this alert when filing Suspicious Activity Reports (“SARs”) by including the key term “FIN-2022-RUSSIASANCTIONS” in SAR field 2.