On March 4, 2022, the California Department of Financial Protection and Innovation (DFPI) reminded its financial institution licensees of their obligations in light of the Russian invasion of Ukraine: to comply with sanctions against Russia and using safeguards to protect against attempts to use virtual currency transfers to evade sanctions and mitigate cybersecurity threats. However, the DFPI’s advice broadly applies to all financial institutions, since all U.S. persons are subject to regulations issued by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), which administers and enforces economic sanctions. and trade against targeted foreign countries and regimes based on U.S. foreign policy and national security objectives.
The DFPI’s Memorandum to its Licensees (Memo) follows the rapidly evolving situation in Ukraine and Russia, following which OFAC added Russian individuals and entities to the list of Specially Designated Nationals (SDN). According to the OFAC webpage that hosts the SDN list, these people and entities are known to be “owned or controlled by, or acting for or on behalf of, ‘Russia, and as such'[t]their assets are blocked and US persons are generally prohibited from dealing with them”. In addition, “more limited, but stricter sanctions have been imposed on several Russian entities with respect to their ability to raise debt and equity and/or with respect to their correspondents and transit accounts”. Following these additional sanctions, the DFPI advises licensees to “[r]review transaction monitoring and screening programs to make any necessary changes to capture new sanctions” and “[m]monitor all transactions going through their institution, particularly trade finance transactions and remittances, to identify and block sanctioned transactions, and follow OFAC instructions regarding blocked funds.
The DFPI memo also notes that the Russian invasion significantly increases the risks that (1) “listed individuals and entities may use virtual currency transfers to evade sanctions” and (2) cybersecurity breaches affect the American financial sector. To mitigate these risks, the DFPI advises that “licensees engaging in financial services using virtual currencies. . . should consider virtual currency-specific control measures, including sanctions lists, [and] geographic selection”, and all licensees should, among other things, “[a]Adopt basic cybersecurity hygiene measures such as multi-factor authentication, privileged access management, vulnerability management, and disabling or securing remote desktop protocol access. DFPI further states that “[l]licensees doing business in Ukraine and/or Russia should take increased measures to monitor, inspect and isolate traffic from Ukrainian or Russian offices and service providers” and “[l]Licensees must separate the Ukrainian or Russian office networks from the global network.