FinCEN Issues Red Flags of Potential Sanction Evasion Attempts
On March 7, 2022, the Financial Crimes Enforcement Network ("FinCEN") issued an alert advising financial institutions to be vigilant in protecting their organizations from the potential efforts of bad actors intending to evade the sanctions put in place by the United States.
In its alert, FinCEN provided a list of red flags that would indicate the exercise of these evasive maneuvers.
Red Flag Indicators for Evasion Attempts Using the U.S. Financial System
Use of corporate arrangements, such as establishing a legal entity or legal arrangement, or of third-party agreements to hide the persons involved and the funds secured, or the origin thereof, particularly where the point of origin is in a sanctioned jurisdiction.
Use of corporate arrangements to conduct international wire transfers in which the receiving financial institution is located in a sanctioned jurisdiction that differs from the entity’s registered location.
Establishing financial relationships in jurisdictions or with financial institutions that are expected to experience a “sudden rise in value,” without any clear economic or business reason.
Sudden increases in company formations in areas or jurisdictions that previously engaged with Russia for financial relationships.
Establishing a financial account and attempting to send or receive funds from a “sanctioned institution or an institution removed from the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”).”
Engaging in foreign exchange transactions, indirectly or directly involving a sanctioned Russian financial institution, that appear to be inconsistent with the account’s activity over the past 12 months.
Red Flag Indicators for Evasion Attempts Using Convertible Virtual Currency (CVC)
If an institution’s customer initiates a transaction utilizing or involving “any of the following types of Internet Protocol (IP) addresses: non-trusted sources; locations in Russia, Belarus, FATF-identified jurisdictions with AML/CFT/CP deficiencies, and comprehensively sanctioned jurisdictions; or IP addresses previously flagged as suspicious.”
If an institution’s customer initiates a transaction utilizing or involving “CVC addresses listed on OFAC’s Specially Designated Nationals and Blocked Persons List.”
If an institution’s customer initiates a transaction utilizing “a CVC exchanger or foreign-located MSB in a high-risk jurisdiction with AML/CFT/CP deficiencies, particularly for CVC entities and activities, including inadequate ‘know-your-customer’ or customer due diligence measures.”
Ransomware Attacks and Other Cybercrime
Where a customer receives a CVC from an external digital asset wallet and afterward initiates “multiple, rapid trades” to other CVCs, this may indicate an attempt to establish a complex “chain of custody” for the digital asset blockchains or to add complexities to the exchange of the asset so that the ownership or use of the asset is not easily traceable or identifiable.
A customer initiates a transfer of funds utilizing a CVC mixing service, which is defined by FinCEN as a mechanism that can be used to launder ransomware proceeds.
Where a customer has initiated or received a direct or indirect transaction that is signaled by blockchain tracing software as being related to or involving ransomware.