On March 4, 2022, the California Department of Financial Protection and Innovation (DFPI) issued a reminder to its financial institution licensees regarding their obligations in light of the Russian invasion of Ukraine: comply with U.S. sanctions on Russia, and employ safeguards to protect against attempts to use virtual currency transfers to evade sanctions and mitigate cybersecurity threats. The DFPI’s advice applies broadly to all financial institutions however, since all U.S. persons are subject to the regulations issued by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), which administers and enforces economic and trade sanctions against targeted foreign countries and regimes based on U.S. foreign policy and national security goals.
The DFPI’s memorandum to its licensees (Memo) comes in the wake of the rapidly evolving situation in Ukraine and Russia, as a result of which OFAC has added Russian individuals and entities to the Specially Designated Nationals (SDN) List. According to OFAC’s webpage that houses the SDN List, these individuals and entities are known to be “owned or controlled by, or acting for or on behalf of” Russia, and as such “[t]heir assets are blocked and U.S. persons are generally prohibited from dealing with them.” Additionally, “more limited, yet stringent, sanctions have been placed on several Russian entities with respect to their ability to raise debt and equity and/or with respect to their correspondent and payable-through accounts.” As a result of these added sanctions, the DFPI advises licensees to “[r]eview transaction monitoring and filtering programs to make any modification that is necessary to capture new sanctions,” and “[m]onitor all transactions going through their institution, particularly trade finance transactions and funds transfers, to identify and block transactions subject to sanctions, and follow OFAC’s direction regarding any blocked funds.”
DFPI’s Memo also notes that the Russian invasion significantly increases the risks that (1) “listed individuals and entities may use virtual currency transfers to evade sanctions” and (2) cybersecurity breaches will affect the U.S. financial sector. To mitigate these risks, DFPI advises that “licensees engaging in financial services using virtual currencies . . . should consider virtual currency-specific control measures including sanctions lists, [and] geographic screening,” and all licensees should, among other things, “[a]dopt core cybersecurity hygiene measures like multi-factor authentication, privileged access management, vulnerability management, and disabling or securing remote desktop protocol access.” DFPI further advises that “[l]icensees that do business in Ukraine and/or Russia should take increased measures to monitor, inspect, and isolate traffic from Ukrainian or Russian offices and service providers,” and “[l]icensees should segregate networks for Ukrainian or Russian offices from the global network.”