6 AMLD and OFAC Regulations on Ransomware Attacks
The miraculous aspect of EU directives is that they affect not only the EU internal market but also the global financial sphere.
A clear-cut example of such an effect is 6 AMLD. 6 AMLD, the new anti-money laundering directive, enforces the new anti-money laundering regime globally. The directive covers the following aspects:
- Criminal liability – legal and natural persons who are registered as UBOs/nominee directors will fall under intense scrutiny for criminal liability in the respective member states.
- The conversion/transfer of property deriving from countries outside the EU will undergo even more intense scrutiny.
- Aiding/abetting or even attempting to conduct alleged money laundering activity will be punishable (in the respective member state) as a criminal offence.
- Member states will not be able to issue mitigated circumstance penalties. They are obliged to issue proportionate and dissuasive criminal penalties.
- Member states are under the strict obligation to issue additional sanctions for money laundering.
- Specific sanctions for legal persons include enhanced judicial enforcement, closure of the institution, and increased fines.
However, this is not the only piece of legislation that has made waves across the financial realm. The new OFAC advisory notice on potential sanctions risks for facilitating ransomware payments has demonstrated a new zero-tolerance approach to financial institutions that enable ransomware payments. Furthermore, OFAC has taken the advisory notice a step further and issued a license for ransom payments. Therefore, OFAC will review this on a case-by-case basis. With that in mind, victims of ransom are encouraged to report the cases to OFAC.
It may seem that the directive and the advisory notice are unrelated, yet this is far from the truth. The proximity of the implementation of 6 AMLD to the publication of the notice sheds light on a very unattractive truth. Ransomware payments in the crypto industry are slowly, but quite surely, being monitored by both EU and US regulators. In practice, this means an ad-hoc and hands-on regulatory approach to crypto payments in ransom cases.