FinCEN Alerts Credit Unions of Potential Russian Sanction Evasion Efforts


(From NAFCU Compliance Blog) – FinCEN issued FIN-2022-Alert001 to credit unions about the potential of sanction evasion activity. This alert warns credit unions the Russian government and sanctioned individuals may attempt to evade sanctions through the use of non-sanctioned financial institutions and financial institutions in other countries. In the alert, FinCEN has identified several red flag indicators that may help a credit union detect sanction evasion activities.

Sanction Evasion Attempts Using the U.S. Financial System

FinCEN has identified seven select red flag indicators that may improve a credit union’s detection of activity by parties, designed to circumvent sanctions.

  • Use of corporate vehicles to hide (i) ownership, (ii) source of funds, or (iii) countries involved, particularly sanctioned jurisdictions.
  • Use of shell companies to conduct international wire transfers, often involving financial institutions in jurisdictions distinct from company registration.
  • Use of third parties to shield the identity of sanctioned parties and/or [politically exposed persons] (PEPs) seeking to hide the origin or ownership of funds, for example, to hide the purchase or sale of real estate.
  • Accounts in jurisdictions or with financial institutions that are experiencing a sudden rise in value being transferred to their respective areas or institutions, without a clear economic or business rationale.
  • Jurisdictions previously associated with Russian financial flows that are identified as having a notable recent increase in company formations.
  • Newly established accounts that attempt to send or receive funds from a sanctioned institution or an institution removed from the Society for Worldwide Interbank Financial Telecommunication (SWIFT).
  • Non-routine foreign exchange transactions that may directly involve sanctioned Russian financial institutions, including transactions that are inconsistent with activity over the prior 12 months. For example, [Russia’s Central Bank] may seek to use import or export companies to engage in foreign exchange transactions on its behalf and to obfuscate its involvement.

Sanction Evasion Using Convertible Virtual Currency (CVC)

FinCEN also identified the use of virtual currency as a way some Russian parties may skirt international sanctions. FinCEN does acknowledge the impracticability of Russia as a country to use this method, but still identifies the use of convertible virtual currency as a practice sanctioned individuals may employ. FinCEN addresses the following as potential red flags that may indicate sanction evasion using convertible virtual currency.

  • A customer’s transactions are initiated from or sent to the following types of Internet Protocol (IP) addresses: non trusted sources; locations in Russia, Belarus, and other FATF-identified jurisdictions with [anti-money laundering (AML), countering the financing of terrorism (CFT), and counter proliferation (CP)] deficiencies, and comprehensively sanctioned jurisdictions; or IP addresses previously flagged as suspicious.
  • A customer’s transactions are connected to CVC addresses listed on OFAC’s Specially Designated Nationals and Blocked Persons List.
  • A customer uses a CVC exchanger or foreign-located MSB in a high-risk jurisdiction with AML/CFT/CP deficiencies, particularly for CVC entities and activities, including inadequate “know-your-customer” or customer due diligence measures.

Possible Ransomware Attacks and Other Cybercrime

FinCEN also reiterates concerns for potential ransomware and other cybercrimes on U.S. financial institutions. The agency lists several red flag indicators that may be indicative of a ransomware or other cybercrime.

  • A customer receives CVC from an external wallet, and immediately initiates multiple, rapid trades among other CVCs, followed by a transaction off the platform. This may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
  • A customer initiates a transfer of funds involving a CVC mixing service.
  • A customer has either direct or indirect receiving transaction exposure identified by blockchain tracing software as related to ransomware.

FinCEN emphasizes a credit union’s obligation to file a suspicious activity report (SAR) if the credit union knows, suspects, or has reason to suspect a transaction, including any suspicious transaction that may be associated with ransomware attacks, may violate the bank secrecy act (BSA) and AML requirements. Credit unions are also reminded a nexus may exist among other BSA reporting requirements, such as Currency Transaction Reports (CTR) and Report of Cash Payments Over $10,000 Received in a Trade or Business (Form 8300), and Russian-related sanction evasion activity. These BSA reporting requirements may help sanction enforcement.

Credit unions may want to review the most recent FinCEN alerts on Russian sanctions to ensure their own BSA/AML procedures and programs are up to date. In addition, credit unions may want to continue monitoring for changes as the situation remains fluid.