After the attacks on JBS and Colonial Pipeline, the U.S. Treasury Department will likely consider increasing its enforcement of anti-money-laundering laws and adopt new reporting requirements for cryptocurrency transactions.
In ransomware attacks, hackers demand payments after locking victims out of their computer networks; de-anonymizing payments could create a disincentive for these hackers to continue pushing such ransomware extortion schemes. Currently, hackers use digital currencies as a way to avoid regulations within the traditional financial system. If the Treasury Department applies many of the same anti-money-laundering laws to cryptocurrency transactions, it could assist in identifying the cybercriminals (and perhaps lessen the number of attacks).
What would help make these regulations effective? Well, requiring disclosure of who is using the digital wallet and where the cryptocurrency ransom is being sent would be a start. Lawmakers may also want to consider oversight of the exchange of cryptocurrencies for other currencies (such as the U.S. dollar). The problem? U.S. regulations of cryptocurrency would not reach overseas, which is often where cybercriminals cash out their funds. Of course, U.S. authorities could use sanctions to prevent exchanges from transacting in U.S. dollars unless all participants agree to utilize a crypto-reporting system.
Of course, this is not the first time that this oversight has been discussed. Late last year, the Treasury Department proposed a rule to require banks and exchanges to report transactions over $10,000 using digital wallets NOT hosted by a financial institution. This is similar to the existing rules for cash withdrawals over that amount. This type of reporting rule would assist law enforcement in tracking money flows for cybercrime.
Crypto exchanges already have to report on customers’ suspicious transactions. The proposed rule would add reporting for when unhosted wallets are involved, regardless of whether the transaction is considered suspicious. Unhosted wallets are similar to anonymous bank accounts.
This proposed rule came after U.S. companies were warned that paying ransom to hackers could violate U.S. sanctions. That warning encouraged companies to cooperate with law enforcement in order to protect themselves from liability for erroneously paying a ransom to an entity on the sanctions list.
A Treasury Department spokeswoman said that the proposed rule for reporting crypto-transactions “is actively moving through the rulemaking process” after receiving thousands of comments in response.
When cyber-attacks on large businesses like JBS and Colonial Pipeline affect consumers’ gas prices and the availability of meat at the grocery store, the result will likely be increased public scrutiny and a call for action on cryptocurrency and other issues tied to ransomware.
Of course, the underlying issue in these ransomware attacks is the lax (or absent) security safeguards protecting data housed at the companies that have been (and will be) under attack. Businesses should focus on security and prevention to stop these attacks from happening and to avoid having to negotiate and pay a ransom at all.
Copyright © 2021 Robinson & Cole LLP. All rights reserved. National Law Review, Volume XI, Number 161