Markets Wired

The United States exposes the identity of and imposes sanctions on two members of the Russian government-aligned hacktivist group.

WASHINGTON — Today, the United States designated Yuliya Vladimirovna Pankratova (Pankratova) and Denis Olegovich Degtyarenko (Degtyarenko), two members of the Russian hacktivist group Cyber Army of Russia Reborn (CARR) for their roles in cyber operations against U.S. critical infrastructure. These two individuals are the group’s leader and a primary hacker, respectively.

“CARR and its members’ efforts to target our critical infrastructure represent an unacceptable threat to our citizens and our communities, with potentially dangerous consequences,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States has and will continue to take action, using our full range of tools, to hold accountable these and other individuals for their malicious cyber activities.”

This designation follows several other recent U.S. Treasury actions to combat Russia-based cyber criminals. These include the May 7, 2024 designation of Dmitry Khoroshev, also known as LockBitSupp, who is a leader of the LockBit ransomware group, and the February 20, 2024 designation of LockBit affiliates Ivan Kondratiev and Artur Sungatov. According to the Department of Justice, LockBit has targeted over 2,500 victims worldwide and is alleged to have received more than $500 million in ransom payments. Furthermore, on January 23, 2024, the U.S. Treasury, in coordination with Australia and the United Kingdom, designated Alexander Ermakov, who was responsible for the October 2022 infiltration of one of Australia’s largest private health insurers, Medibank. 

A focus on Critical infrastructure

Since 2022, CARR, which also uses the name Cyber Army of Russia, has conducted low-impact, unsophisticated DDoS attacks in Ukraine and against governments and companies located in countries that have supported Ukraine. In late 2023, CARR started to claim attacks on the industrial control systems of multiple U.S. and European critical infrastructure targets. Using various unsophisticated techniques, CARR has been responsible for manipulating industrial control system equipment at water supply, hydroelectric, wastewater, and energy facilities in the U.S. and Europe. 

In January 2024, CARR claimed responsibility for the overflow of water storage tanks in Abernathy and Muleshoe, Texas, posting video of the manipulation of human-machine interfaces at each facility on a public forum. The compromise of the industrial control systems resulted in the loss of tens of thousands of gallons of water. Additionally, CARR compromised the supervisory control and data acquisition (SCADA) system of a U.S. energy company, giving them control over the alarms and pumps for tanks in that system. Despite CARR briefly gaining control of these industrial control systems, instances of major damage to victims have thus far been avoided due to CARR’s lack of technical sophistication. 

Pankratova, also known as YUliYA online, is a Russian cybercriminal and the leader of CARR. Pankratova commands and controls CARR’s operations. Pankratova has acted as a spokesperson for CARR.

 

Degtyarenko, also known as Dena online, is a Russian cybercriminal and a primary hacker for CARR. Degtyarenko was behind the compromise of the SCADA system of a U.S. energy company. In early May 2024, Degtyarenko developed training materials on how to compromise SCADA systems and was possibly looking to distribute the materials to external groups. 

OFAC is designating Pankratova and Degtyarenko pursuant to E.O. 13694, as amended, for being responsible for or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector.

SANCTIONS IMPLICATIONS

As a result of today’s action, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons. 

In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned individuals may expose themselves to sanctions or be subject to an enforcement action. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person. 

The power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information concerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s Frequently Asked Question 897 here. For detailed information on the process to submit a request for removal from an OFAC sanctions list, please click here.

Click here for more information on the individuals designated today.

WASHINGTON — Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating and identifying as blocked property a dozen persons and vessels, respectively, that have played a critical role in financing the Houthis’ destabilizing regional activities as part of the network of Sa’id al-Jamal. Today’s action includes Indonesia-based Malaysian and Singaporean national Mohammad Roslan Bin Ahmad and People’s Republic of China (PRC)-based Chinese national Zhuang Liang, who have facilitated illicit shipments and engaged in money laundering for the network. Sa’id al-Jamal’s network continues to provide tens of millions of dollars in revenue to the Houthis in Yemen through its shipment of Iranian commodities, including oil, a funding stream underpinning the Houthis’ ongoing attacks against commercial shipping in the Red Sea. This action targets numerous aspects of this illicit network across the spectrum of its operations, from clients and facilitators to insurance providers, vessels, and ship management firms. 

“Today’s action underscores our focus on disrupting the Houthis’ sprawling network of financial facilitators, shell companies, and vessels, that enables the primary source of funding for the group’s destabilizing activities,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson. “Treasury will continue disrupt the actors who are critical to this network’s operations, as well as the Houthis’ ability to further destabilize the region and threaten international commerce.”

Today’s action is being taken pursuant to the counterterrorism authority Executive Order (E.O.) 13224, as amended. OFAC designated Sa’id al-Jamal pursuant to E.O. 13224, as amended, on June 10, 2021, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, Iran’s Islamic Revolutionary Guard Corps – Qods Force (IRGC-QF). The IRGC-QF was designated pursuant to E.O. 13224 on October 25, 2007, for providing support to multiple terrorist groups. The U.S. Department of State’s designation of Ansarallah (commonly known as the Houthis) as a Specially Designated Global Terrorist group, pursuant to E.O. 13224, as amended, became effective on February 16, 2024.

KEY INTERNATIONAL ILLICIT FINANCE AND SHIPPING FACILITATORS 

Malaysian and Singaporean national Mohammad Roslan Bin Ahmad (Royston), also known as Royston Wu Chiren or Mohammad Roslan Royston, is an Indonesia-based illicit shipment facilitator who provides ship management and brokering services for Sa’id al-Jamal’s network. Royston has facilitated the Sa’id al-Jamal network’s shipments to Malaysia. Royston has also brokered vessels for illicit Russian and Venezuelan trade.

PRC-based businessman Zhuang Liang (Zhuang) has engaged in money laundering and other finance-related schemes for the Sai’d al-Jamal network, including working with Sa’id al-Jamal and the IRGC-QF to further Sa’id al-Jamal’s illicit business operations. Zhuang has similarly assisted Sa’id al-Jamal business partner and Houthi-affiliate Abdi Nasir Ali Mahamud (Mahamud) in circumventing sanctions by illicitly providing him access to the international financial system.  

OFAC designated Mahamud concurrently with Sa’id al-Jamal for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, Sa’id al-Jamal. Today, OFAC is updating Mahamud’s entry on the Specially Designated Nationals and Blocked Persons List (SDN List) to reflect his use of a Somali diplomatic passport, D00015633, to travel internationally. Sa’id al-Jamal has similarly traveled under the alias Ahmad Saeidi with Iran-issued passports U63475649 and E49297849, each of which is also being added to the SDN List today. 

Zhuang and Royston are being designated pursuant to E.O. 13224, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, Sa’id al-Jamal. 

ILLICIT SHIPPING NETWORK

Sa’id al-Jamal’s network relies on numerous, seemingly innocuous, companies in multiple jurisdictions to illicitly generate tens of millions of dollars of revenue. Seychelles- registered, Thailand and Singapore-based Ascent General Insurance Company has provided insurance to vessels that were identified as blocked property of those sanctioned for providing support to Sa’id al-Jamal. United Arab Emirates (UAE)-based Fornacis Energy Trading Co. L.L.C has purchased and shipped tens of millions of dollars’ worth of Iranian cargo for the Sa’id al-Jamal network.

Ascent General Insurance Company and Fornacis Energy Trading Co. L.L.C are being designated pursuant to E.O. 13224, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, Sa’id al-Jamal. 

Marshall Islands-registered and UAE-based Barco Ship Management Inc (Barco) is the ship manager and commercial manager of multiple vessels, including the Panama-flagged WANJI (IMO: 9215103), which has been utilized by Sa’id al-Jamal’s network for illicit shipments to the UAE worth tens of millions of dollars. Barco additionally manages and operates the Panama-flagged vessel OCEANIC II (IMO: 9275995) and the Panama-flagged vessel TIREX (IMO: 9203772).  Like Barco, the Marshall Islands-registered Sea Knot Shipping Inc. has used the vessel MIROVA DYNAMIC (IMO: 9237618) to transport illicit shipments worth tens of millions of dollars for Sa’id al-Jamal. 

Barco and Sea Knot Shipping Inc. are being designated pursuant to E.O. 13224, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, Sa’id al-Jamal. The WANJI, OCEANIC II, and TIREX are being identified as blocked property in which Barco has an interest. MIROVA DYNAMIC is being identified as blocked property in which Sea Knot Shipping Inc. has an interest. 

UAE-based Alpha Shine Marine Services L.L.C is the ship manager of the Panama-flagged vessel KASPER (IMO: 9293143), which has been used by the Sa’id al-Jamal network to facilitate millions of dollars’ worth of illicit trade under forged shipping documents. 

Alpha Shine Marine Services L.L.C is being designated pursuant to E.O. 13224, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, Sa’id al-Jamal. The KASPER is being identified as blocked property in which Alpha Shine Marine Services L.L.C has an interest. 

SANCTIONS IMPLICATIONS

As a result of today’s action, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons. 

In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person. 

The power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information concerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s Frequently Asked Question 897 here. For detailed information on the process to submit a request for removal from an OFAC sanctions list, please click here.

Click here for more information on the individuals and entities designated and vessel identified today.

###

Action Taken in Coordination with Partners in U.S. and Mexico 

WASHINGTON — Today Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the Abdul Karim Conteh Human Smuggling Organization (Karim HSO), a transnational criminal organization (TCO) based in Tijuana, Mexico. Human smuggling is a federal crime in which criminals smuggle noncitizens into the United States, as well as transport and harbor noncitizens already in the country illegally, all in deliberate violation of U.S. immigration laws. Together with Department of Homeland Security and Department of Justice components, and other U.S. and foreign partners, OFAC targets these networks to disrupt their finances and illicit profits and ultimately dismantle their operations, which threaten the national security of the United States.

“Today’s action, in close partnership with our U.S. and international partners, disrupts the ability of those seeking to exploit and endanger desperate individuals in search of a better life for themselves and their loved ones,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Treasury, as part of the Administration’s effort to address the crisis on our Southwest border, remains committed to using our tools to degrade the ability of groups like the Karim HSO to engage in these illicit operations.”

Today’s action would not have been possible without the cooperation, support, and ongoing collaboration between OFAC, the U.S. Attorney’s Office for the Southern District of California, the Human Rights and Special Prosecutions Section of the Department of Justice, U.S. Border Patrol, San Diego Sector’s Anti-Smuggling Unit, Homeland Security Investigations (HSI) San Diego, the HSI Human Smuggling Unit, Internal Revenue Service – Criminal Investigations, the Federal Bureau of Investigation, and U.S. Customs and Border Protection’s National Targeting Center International Interdiction Task Force. This designation was enabled by key data from Treasury’s Financial Crimes Enforcement Network (FinCEN).

Additionally, OFAC coordinated this action with the Government of Mexico, including La Unidad de Inteligencia Financiera (UIF), Mexico’s Financial Intelligence Unit.

DISRUPTING THE ABDUL KARIM CONTEH HUMAN SMUGGLING ORGANIZATION 

In violation of U.S. immigration laws, the Tijuana, Mexico-based Karim HSO for years has smuggled migrants into the United States for its own financial gain. In addition to providing migrants with fraudulent documents, members of the Karim HSO leverage the U.S. financial system to receive payments for their illicit smuggling operations. The Karim HSO’s standard methodology is to transport migrants to the United States border and advise them on how to cross the border illegally. The Karim HSO’s reach extends both regionally and globally; for example, the Karim HSO maintains affiliations in, and has coordinated the movement of migrants through, Nicaragua. 

 

Sierra Leonean national Abdul Karim Conteh (Karim), the leader of the human smuggling organization sanctioned today, is responsible for smuggling thousands of migrants from Africa, China, the Middle East, Russia, Central Asia, and other jurisdictions into the United States. Karim’s wife, Mexican national Veronica Roblero Pivaral (Veronica), plays a variety of critical roles in the organization, ranging from driving migrants to the U.S. border to receiving payments for smuggling operations. 

Images of Karim and Veronica, both of whom have used false identities in their illicit activity

In addition to Karim and Veronica, OFAC today sanctioned Togolese national Pasaman Francis Marin Abbe Pidoukou (Pasaman) and Sierra Leonean national Issa Kamara (Issa). Both members of the Karim HSO, Pasaman and Issa are responsible for facilitating the transport of migrants for the Karim HSO. 

Treasury’s sanctions also complement an indictment returned by a federal grand jury sitting in the U.S. Attorney’s Office for the Southern District of California. For information on actions previously taken by the U.S. Department of Justice, please see this link.

OFAC’s action today sanctioned the Karim HSO pursuant to Executive Order (E.O.) 13581, as amended by E.O. 13863 (hereafter, “E.O. 13581, as amended”), for being a foreign person that constitutes a significant TCO. OFAC sanctioned Karim, Veronica, Pasaman, and Issa pursuant to E.O. 13581, as amended, for having acted or purported to act for or on behalf of, directly or indirectly, the Karim HSO. 

PREVIOUS TREASURY ACTIONS AGAINST HUMAN SMUGGLING ORGANIZATIONS

Today’s action builds on actions that OFAC has taken in the last year to address the national security threat posed by human smuggling. For example, on July 11, 2024, OFAC sanctioned Tren de Aragua pursuant to E.O. 13581, as amended. Tren de Aragua is a Venezuela-based TCO engaging in human smuggling and trafficking, gender-based violence, money laundering, illicit drug trafficking, and other criminal activities.

On December 14, 2023, OFAC sanctioned the Malas Mañas TCO and several members pursuant to E.O. 13581, as amended. The Malas Mañas TCO is a human smuggling and narcotics trafficking organization based in Sonora, Mexico, with operations across the Southwest Border.

Additionally, on June 16, 2023, OFAC sanctioned the Hernandez Salas TCO and its leader, among others, pursuant to E.O. 13581, as amended. The Hernandez Salas TCO, based in Mexicali, Mexico, has facilitated thousands of illegal entries into the United States since at least 2018. 

Furthermore, on January 13, 2023, FinCEN issued an alert providing trends, typologies, and red flag indicators to help financial institutions better identify and report transactions potentially related to human smuggling along the U.S. Southwest Border. This alert followed an increase in attempted illegal border crossings in 2021 and 2022.

SANCTIONS IMPLICATIONS

As a result of today’s action, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons. U.S. persons may face civil or criminal penalties for violations of E.O. 13581, as amended.

In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entity and individuals may expose themselves to sanctions or be subject to an enforcement action. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person. 

The power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information concerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s Frequently Asked Question 897 here. For detailed information on the process to submit a request for removal from an OFAC sanctions list, please click here.

For more information on the individuals and entity designated today, click here.

###

As Prepared for Delivery

Good afternoon. I would like to extend my thanks to Representative Beatty and her team for bringing us together today and thank you to everyone here for joining us. I would also like to thank you, Representative Beatty, for your comments during Secretary Yellen’s hearing last week.

I am Brian Nelson, Treasury’s Under Secretary for Terrorism and Financial Intelligence. My office is responsible for leading U.S. government efforts to counter illicit finance and using financial tools to respond to national security threats.

Illicit finance—and the serious crimes it enables around the world—is detrimental to American cities, towns, communities, families, and individuals. And its impact often hits close to home. 

In 2021, eight individuals were sentenced to prison for laundering $44 million in drug proceeds to Mexico through local cell phone store front companies based here in Columbus. In addition to other narcotics—including 34 kilograms of heroin—the investigation and prosecution found 76 grams of fentanyl.

For context, the Drug Enforcement Administration estimates that 2 milligrams of fentanyl is a potentially lethal dose—meaning 76 grams of fentanyl could equate to as many as 38,000 potentially lethal doses. Far too many American families—including far too many here in Ohio—have been devastated by the opioid crisis, and we are committed to stopping narcotrafficking funds from flowing through our borders.

Illicit finance is also detrimental to law-abiding American businesses. Shell and front companies can disrupt fair business competition, making it harder for American small business owners to make a living. In March of this year, an individual was sentenced to federal prison for using shell companies to defraud local Columbus businesses out of more than $10 million. The allegations highlighted that the individual used millions of embezzled dollars meant for legitimate business contracts to instead buy a $1.4 million yacht, a Mercedes-Benz valued at nearly $165,000, an amphibious plane, and luxury watches, among other items.

Stopping illicit finance is a whole-of-U.S. government effort, and the Treasury Department is no exception.  As part of the Biden-Harris Administration’s first-ever U.S. Strategy on Countering Corruption, we are prioritizing regulatory actions necessary to curb illicit finance by increasing transparency; protecting our economy and national security; and detecting and deterring serious crimes like narcotrafficking, fraud, terror financing, and corruption. We have been hard at work to close loopholes and make sure the U.S. financial system is not a welcome mat for kleptocrats, criminals, and U.S. adversaries seeking to exploit it.

I briefly spoke about the misuse of shell and front companies earlier in the context of cases here in Columbus. Opaque corporate structures are a favorite tool of criminals to launder, hide, and store dirty money in the United States. In order to support law enforcement, national security, and intelligence efforts to uncover this illicit activity, we are prioritizing effective implementation of the bipartisan Corporate Transparency Act.

The Corporate Transparency Act requires many companies doing business here in the United States to report some basic information to the Federal government about the real people who own or control them. Centralizing this information and making it available to law enforcement will help untangle complicated corporate structures, leading to fewer dead ends in investigations. I know Director Gacki is going to speak to this in more detail, but I want to emphasize this law’s importance in helping to hold bad actors accountable, from fraudsters and tax cheats to international weapons traffickers. 

America’s thriving business community is vital to our economy. As we prioritize these important national security imperatives, we have also considered business owners every step of the way to avoid introducing redundant regulations or unnecessary red tape into their day-to-day operations. We know that running a business is not easy, and we’ve taken into account feedback and comments about the potential burden of these new regulations. 

Further, our efforts to reduce potential business burden are rooted in extensive research. We continue to study and assess the national security risk environment, which allows us to tailor regulations to the most salient threats. In the spirit of transparency, these risk assessments are public: Most recently this year, we published our Money Laundering, Terrorist Financing, and Proliferation Financing Risk Assessments, which highlight the significant illicit finance threats, vulnerabilities, and risks facing the United States.

In order to address these threats, we’re prioritizing a regulatory agenda that promotes transparency and closes loopholes. A key piece of this puzzle is protecting the U.S. housing market from abuse by bad actors that attempt to fly under the radar. Illicit actors often exploit American real estate, including here in Ohio, to launder or park the proceeds of corruption, drug trafficking, and other illicit activity. In fact, one study estimates that at least $2.3 billion in illicit funds flowed through the U.S. real estate market from 2015 to 2020. 

This is especially concerning in the residential real estate market, given that many American neighborhoods are experiencing affordable housing crises. Earlier this year, consistent with our Congressional mandate under the Bank Secrecy Act, Treasury issued a proposal to help level the playing field for legitimate homebuyers and protect our housing market from distortion. This proposed rule would require more transparency for residential real estate transfers involving legal entities and trusts, which would support law enforcement as they investigate illicit activity. We are working expeditiously to publish a final rule.

This effort builds on years of data from our successful Geographic Targeting Order program—which has required similar transparency in certain jurisdictions—as well as extensive dialogue with the real estate industry, financial institutions, transparency groups, law enforcement, Congress, intergovernmental partners, and other key stakeholders in this effort. 

Similarly, we continue to diligently track illicit finance risks in the commercial real estate sector and evaluate options to increase transparency. 

Also earlier this year, Treasury published a regulatory proposal to help protect the investment adviser sector from abuse. Broadly, this proposal aims to standardize obligations across the sector that would require investment advisers to maintain programs to counter money laundering and terror financing, which help to detect and deter illicit finance. Our proposal addresses gaps and vulnerabilities that, for example, risk allowing Chinese state actors to quietly gain access to sensitive and emerging U.S. technologies by investing in early-stage companies, putting American innovation and legitimate investors at a disadvantage. 

In tandem with this regulatory proposal, we published a risk assessment specific to the investment adviser sector that makes public our findings from years of closely studying national security, money laundering, and terror financing risks present in the industry. Our goal in making this information public is to support governments and the private sector in managing risk, addressing threats, and detecting and deterring illicit financial activity.  We are also working quickly to publish a final rule.

As we work to implement the Corporate Transparency Act and finalize our regulatory proposals, we continue our dialogue with business owners, industry professionals, transparency groups, members of Congress, interagency experts, law enforcement, and other key stakeholders about how we can streamline processes and provide clarity.  

This is truly a collective effort, and we cannot do it alone. Together with your partnership, we can stop bad actors from disadvantaging law-abiding small businesses, abusing our financial system, and putting our national security at risk.

And we are doing so in a global context. I mentioned earlier that the Biden-Harris Administration’s Strategy on Countering Corruption created a roadmap for many of our current priorities. But our objectives don’t exist in a vacuum. Because money knows no borders, we continue to engage with our counterparts around the world to set standards and best practices for fighting illicit finance and to eliminate havens for dirty money. As the world’s largest economy, we have a unique responsibility to uphold these standards and lead by example.

I know we have a lot to discuss today, so I’ll turn it over to Director Andrea Gacki, who leads the Financial Crimes Enforcement Network, or FinCEN. Thanks again for joining us, and I look forward to the conversation.

###

 

WASHINGTON – Today, the U.S. Department of the Treasury and the Financial Services Sector Coordinating Council (FSSCC) published a suite of resources to share with financial services institutions on effective practices for their secure cloud adoption journey. These deliverables are the result of a year-long public-private partnership of the Financial and Banking Information Infrastructure Committee (FBIIC) and the FSSCC.

To provide leadership support for this joint effort the U.S. Department of the Treasury established the Cloud Executive Steering Group (CESG) in May 2023 at the direction of the Financial Stability Oversight Council (FSOC), to help close the gaps identified in Treasury’s landmark report on the Financial Services Sector’s Adoption of Cloud Services. The documents published today are intended to arm financial institutions of all sizes with effective practices for secure cloud adoption and operations, and to establish a continuing effort and partnership to begin to address the gaps identified in Treasury’s report, which include:  

• Establishing a common lexicon that may be used by financial institutions and regulators in discussions regarding cloud.
• Enhancing information sharing and coordination for examination of cloud service providers.
• Assessing existing authorities for cloud service provider (CSP) oversight. 
• Establishing best practices for third-party risk associated with cloud service providers, outsourcing, and due diligence processes to increase transparency.
• Providing a roadmap for institutions considering comprehensive or hybrid cloud adoption strategies including an update to the Financial Sector’s Cloud Profile.
• Improving transparency and monitoring of cloud services for better “security by design.”

“The completion of these two efforts is the culmination of nearly two years of collaboration to further protect our financial system,” said Deputy Secretary of the Treasury, Wally Adeyemo. “The CESG is now a proven model and a new way for the financial services sector to effectively address our most significant cybersecurity challenges.” 

“Our financial system is essential infrastructure for the entire economy, and it is deeply reliant on a handful of powerful Big Tech cloud service providers,” said Consumer Financial Protection Bureau Director Rohit Chopra. “Our work will help protect the financial industry from outages and disruption by leveling the playing field between financial firms of all sizes and big cloud service providers.”

“Banks and other financial services firms know they must adapt to new technologies, but many have been uncertain as to how to do so safely and soundly,” said Acting Comptroller of the Currency Michael J. Hsu. “Today’s publications mark a significant step forward by providing a roadmap and helpful resources for banks of all sizes. These documents also clarify cloud service providers’ responsibilities for ensuring a secure and resilient financial system.”

“These documents are an important step forward in the CESG’s effort to make the cloud safer and more resilient within and beyond the financial services industry,” said Bill Demchak, Chairman and CEO, PNC Financial Services Group. “The strong partnership between public- and private-sector leaders allows us to take a more holistic, collaborative approach to defending against evolving threats.”

The CESG model represents an unprecedented level of public-private partnership between Treasury, FBIIC, FSSCC, and cloud service providers (CSPs). Clear explanations for the utility and application of the documents can be found here, on the U.S. Treasury website.  The website also includes links to the FSSCC-led outputs so that financial institutions can consult them at any part of their cloud services adoption journey and risk management process. 

The FSSCC led the following workstreams: 

• The Cloud Profile 2.0, authored collectively by the FSSCC Cloud Profile Workstream and the Cyber Risk Institute (CRI), is intended to serve as a cloud security implementation plan for financial institutions of all sizes and functions.  The Cloud Profile 2.0 is an extension of the Cybersecurity Profile created by CRI, which is a tool based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.  It provides a framework for both financial institutions and CSPs and will serve as a common tool developed to assist financial institutions in ensuring secure cloud implementation, while allowing the document to evolve as standards change over time.
• The Financial Sector Cloud Outsourcing Issues and Considerations document seeks to address challenges raised in the Treasury Cloud Report related to transparency, resource gaps, exposure to operational incidents originating at CSPs, and contract negotiation dynamics.  The document, authored collectively by the FSSCC Cloud Outsourcing Issues and Considerations Workstream and the American Bankers Association (ABA) with support from the Securities Industry and Financial Markets Association (SIFMA), identifies a non-exhaustive list of key considerations for developing contractual provisions between financial institutions and CSPs to address risks, regulatory and supervisory compliance expectations when using cloud services. These key considerations should be used as a voluntary reference tool by financial institutions during the contract negotiation phase of onboarding a CSP to appropriately address cybersecurity, resilience, and third party-due diligence expectations, and to enable compliance with growing financial services regulatory requirements and supervisory expectations.
• The Transparency and Monitoring for Better “Secure-by-Design” document, authored collectively by the FSSCC Transparency and Monitoring Secure-by-Design Workstream and the Financial Services Information Sharing and Analysis Center (FS-ISAC), is comprised of two outputs for financial institutions with workloads running in CSP environments. The first is a service inter-dependency and resilience model that is a combination of service transparency, architecture best practices, and more detailed information about how a CSP manages the resiliency of its own services.  The second proposes packaged cloud configurations that provide baseline security outcomes expected in financial services infrastructure and simplifies financial institutions’ deployment of CSP workloads (“security by default/design” and “one-click” security) that make is easy for financial institutions to quickly turn on secure infrastructure with minimal engineering.

The FBIIC led the following workstreams: 

• The Cloud Lexicon is a foundational document that captures the most prominent terms used by cloud service providers and financial services sector consumers for a single repository and refence points.  The development of the Cloud Lexicon was led by the Office of the Comptroller of the Currency (OCC), and will enable CSPs and financial services sector institutions of all sizes to speak in standardized terms when negotiating contract terms, establishing security schema, and adhering to regulatory standards.  The document is based on a review of publications from several standard setting bodies and industry associations, and included interviews and feedback from financial institutions, regulators, and CSPs.
• The Coordinated Information Sharing and Examinations Initiative, led by the Consumer Financial Protection Bureau (CFPB), is a collaborative effort that addresses coordination of examinations and information sharing related to CSPs, under the respective agency’s legal authorities. The documented process will support enhanced coordination between agencies to monitor and address risks to both the financial sector and consumers that can arise from financial institutions’ engagement with CSPs.   

This collective set of deliverables is intended to highlight opportunities to leverage CESG deliverables into the broader regulatory, oversight, and examination schema, and strengthen the shared responsibility model for cloud services provision in the financial services sector.

Under joint FBIIC and FSSCC leadership, the U.S. Treasury and FSSCC plan to publish additional items related to cloud cyber incident response coordination and cloud concentration risk as they are completed throughout the year.

For more information on the published cloud effort documents, please go to: https://home.treasury.gov/about/offices/domestic-finance/financial-institutions/cloud-executive-steering-group

*The Financial and Banking Information Infrastructure Committee, or FBIIC, is a committee consisting of 18 member organizations from across the regulatory community at both the federal and state level. The Department of the Treasury’s Assistant Secretary for Financial Institutions chairs the committee. [ https://www.fbiic.gov/ ]

**The Financial Services Sector Coordinating Council, or FSSCC, is an industry-led, non-profit organization that coordinates critical infrastructure and homeland security activities within the financial services industry. Their members consist of financial trade associations, financial utilities, and the most critical financial firms. [ https://fsscc.org/ ]

###