6 AMLD and OFAC Regulations on Ransomware Attacks

6 AMLD affects not only the EU internal market but also the global financial sphere.

The miraculous concept of EU directives is that they affect not only the EU internal market but also the global financial sphere.

A clear-cut example of such an effect is 6 AMLD. 6 AMLD, the new anti-money laundering directive, enforces the new anti-money laundering regime globally. Thus, the directive discusses the following aspects:

  1. Criminal liability – legal and natural persons that are registered as UBOs/nominee directors will fall under intense scrutiny for criminal liability in the respective member states.
  2. The conversion/transfer of property deriving from countries outside the EU will undergo even more intense scrutiny.
  3. Aiding/abetting or even attempting to conduct alleged money laundering activity will be punishable (in the respective member state) as a criminal offence.
  4. Member states will not be able to issue mitigated circumstance penalties. They are obliged to issue proportionate and dissuasive criminal penalties.
  5. Member states are under the strict obligation to issue additional sanctions for money laundering.
  6. Specific sanctions for legal persons include enhanced judicial enforcement and closing of the institution and increased fines.

New OFAC Advisory Notice on Potential Sanctions Risks Facilitating Ransomware Payments

However, this is not the only piece of legislation that has made waves across the financial realm. The new OFAC advisory notice on potential sanctions risks for facilitating ransomware payments has demonstrated a new zero-tolerance approach for financial institutions enabling the ransomware payment. Furthermore, OFAC has taken the advisory notice a step further and issued a license for ransom payments. Therefore, OFAC will review this on a case-by-case basis. With that in mind, victims of ransom are encouraged to report the cases to OFAC.

It may seem that the directive and the advisory notice are not correlated, yet this is far from the truth. The proximity of the implementation of 6 AMLD to the publication of the notice sheds light on a very unattractive truth. Ransomware payments in the crypto industry are slowly, but quite surely, being monitored by both EU and US regulators. In practice, this means an ad-hoc and hands-on regulatory approach to crypto payments in ransom cases.

EU and US Markets Should Tighten and Sharpen Their in-House Cyber Practices

Furthermore, in practice, this means that EMIs and crypto exchanges, which are operating in the EU and US markets, should tighten and sharpen their in-house cyber practices, issue best practices for privacy rights, appoint a much-needed DPO and create an overall system of checks and balances towards their respective clients and business partners.

The misconception that the US and EU markets are not intertwined is a grave undertaking. This can be viewed as a mistake of not anticipating the regulatory and AML market.

Presently, financial institutions need to pay attention to their AML and due diligence practices as the borders of the EU and US are not confined to geography alone. The age of globalization has stretched and blurred these borders. Thus, only time will tell whether these borders will remain tangible.


Miss Ella Rosenberg, an EU Regulatory and Defense Fintech Expert, and Mr Aviel Marciano, an HLS and due diligence expert, produced this article as a combined effort.

