March 24, 2022

FinCEN Identifies Red Flags Following Russia Sanctions


On March 7, 2022, the US Financial Crimes Enforcement Network (“FinCEN”) issued an alert advising all financial institutions to be vigilant against efforts to evade US sanctions and other restrictions imposed in response to the Russian Federation’s invasion of Ukraine.1 FinCEN’s alert also identifies red flag indicators. This Legal Update summarizes some of the key points that FinCEN highlighted to assist financial institutions in identifying suspected sanctions evasion activity.


Since February 2022, following the invasion of Ukraine by Russia, the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) has implemented several sanctions actions related to the Russian financial services sector pursuant to Executive Order 14024.2 OFAC has also imposed sanctions on Russian Federal President Vladimir Putin, Minister of Foreign Affairs Sergei Lavrov, and 24 Belarusian individuals and entities who supported and facilitated the Russian invasion of Ukraine.3 More recently, OFAC and the US Department of State sanctioned a number of Russian elites and their family members, identified certain property of these persons as blocked and sanctioned Russian intelligence-directed disinformation outlets.4 OFAC has also issued a new round of sanctions targeting Russian and Kremlin elites, oligarchs and political and national security leaders who have supported President Putin’s invasion of Ukraine.5 Following the imposition of these sanctions, FinCEN published a number of red flag indicators to assist financial institutions in recognizing sanctions evasion attempts by Russian and Belarusian actors.

Sanctions Evasion Attempts Using the US Financial System

In its alert, FinCEN warns that Russian and Belarusian actors may seek to evade sanctions through non-sanctioned financial institutions. In light of this risk, FinCEN encourages financial institutions to look for the following red flags:

  • Use of corporate vehicles (such as shell companies) to obscure ownership, source of funds or countries involved.
  • Use of shell companies to conduct international wire transfers.
  • Use of third parties to shield the identities of sanctioned persons or politically exposed persons.
  • Accounts that are experiencing a sudden rise in value without a clear economic or business rationale.
  • Jurisdictions previously associated with Russian financial flows that are identified as having a notable increase in new company formations.
  • Newly established accounts that attempt to send or receive funds from sanctioned institutions or institutions removed from the Society for Worldwide Interbank Financial Telecommunication (SWIFT).
  • Non-routine foreign exchange transactions that may indirectly involve Russian financial institutions (for example, the Central Bank of the Russian Federation may attempt to use import or export companies to engage in foreign transactions).

Sanctions Evasion Using Cryptocurrency 

FinCEN also mentions that sanctioned persons, illicit actors and their related networks may attempt to use cryptocurrency and anonymizing tools to evade US sanctions. To prevent such efforts by sanctioned actors and affiliated persons, FinCEN recommends that financial institutions look for the following red flag indicators: 

  • A customer’s transactions are initiated from or sent to IP addresses from non-trusted sources, previously flagged addresses, sanctioned jurisdictions and the like.
  • A customer’s transactions are connected to cryptocurrency addresses listed on OFAC’s Specially Designated Nationals and Blocked Persons List.
  • A customer uses a cryptocurrency exchange or foreign-located money service business in a high-risk jurisdiction.

Possible Ransomware Attacks and Other Cybercrime

FinCEN also reminds financial institutions of the dangers posed by Russian-related ransomware campaigns6 and encourages such institutions to look for the following red flags:

  • A customer receives cryptocurrency from an external wallet and immediately initiates multiple, rapid trades among multiple cryptocurrencies with no apparent related purpose, followed by a transaction off the platform, in a possible attempt to obfuscate a transaction.
  • A customer initiates a transfer of funds involving a cryptocurrency mixing service.
  • Blockchain tracing software identifies a customer as having direct or indirect exposure to a CVC transaction that is related to a ransomware attack.

Reminder of Relevant Bank Secrecy Act Obligations and Tools

In addition, FinCEN reminds financial institutions of their relevant Bank Secrecy Act (“BSA”) obligations, such as filing Suspicious Activity Reports (“SAR”). A financial institution has a SAR filing obligation if it knows, suspects or has reason to suspect that a transaction or series of transactions conducted or attempted by, at or through the financial institution involves money laundering, BSA violations, terrorist financing, corruption or certain other crimes, including sanctions evasion.7 If a financial institution detects suspicious activity related to Russian sanctions evasion, FinCEN requests that it file a SAR by using the key term “FIN-2022-RUSSIASANCTIONS” in SAR Field 2 (Filing Institution Note to FinCEN) and the narrative.

FinCEN also mentions that financial institutions and other entities may have other reporting requirements, which may not have an obvious connection to Russia-related illicit activities but may ultimately be highly useful to law enforcement.8 FinCEN also encourages financial institutions to use the safe harbor authorized by section 314(b) of the USA PATRIOT Act to voluntarily share information with one another about possible terrorist financing or money laundering. FinCEN likely will heavily rely on these channels of information to combat sanctioned actors’ attempts to evade US sanctions and the growing threat of ransomware attacks. 

FinCEN also reminds financial institutions that they are required to comply with their due diligence obligations. FinCEN specifically mentions how various financial institutions may need to follow the Customer Due Diligence Rule regarding the identification of beneficial owners of legal entity customers, implement a due diligence program for private banking accounts held for non-US persons according to section 312 of the USA PATRIOT Act or comply with other general obligations related to due diligence and Anti-Money Laundering (“AML”) compliance. FinCEN’s emphasis on due diligence may indicate that financial institutions’ compliance policies and procedures will be under greater scrutiny as FinCEN tries to grapple with the current Ukraine crisis.


The US response to Russia’s invasion of Ukraine highlights the intersection of sanctions, AML and corruption risk. Given the rapid developments around the Ukraine crisis, Russian sanctions developments have continued and are likely to continue at a steady pace. Accordingly, financial institutions should continue to monitor developments and remain vigilant for Russia-related ransomware attacks and sanctions evasion red flags while ensuring that they comply with all applicable BSA/AML due diligence requirements and reporting obligations. Financial institutions should in particular ensure that their financial crimes compliance programs facilitate regular collaboration between legal and compliance subject matter experts to ensure the rapid identification and mitigation of these interrelated threats.


Please visit Mayer Brown’s Ukraine Crisis page on our 10Hundred portal for additional analysis of the crisis’s evolving impact on business worldwide.

1 Please refer to Mayer Brown’s previous Legal Updates regarding the sanctions measures taken by the United States and several allied countries: Tamer A. Soliman, Jason Hungerford, Paulette Vander Schueren, Ori Lev, Yoshihide Ito, Jing Zhang, Andrew Olmem, Gretel Echarte Morales, Edouard Gergondet, Anjani D. Nadadur and Libby Reynolds, New US, UK and EU Sanctions Against Russia (Feb. 22, 2022),; and Tamer A. Soliman, Jason Hungerford, Paulette Vander Schueren, Ori Lev, Yoshihide Ito, Jing Zhang, Andrew Olmem, Gretel Echarte Morales, Edouard Gergondet, Anjani D. Nadadur, Libby Reynolds and Ellen L. Aldin, Following “First Wave” of Sanctions, US and Allies Impose Sweeping New Restrictions Targeting Russian Banks, Elites and Access to Goods and Technology (Feb. 24, 2022),

2 See Exec. Order No. 14024, Blocking Property With Respect To Specified Harmful Foreign Activities of the Government of the Russian Federation, 86 Fed. Reg. 20219 (Apr. 15, 2021).

3 See Press Release, US Dep’t of the Treasury (“Treasury”), U.S. Treasury Imposes Sanctions on Russian Federation President Vladimir Putin and Minister of Foreign Affairs Sergei Lavrov (Feb. 25, 2022); See Press Release, Treasury, U.S. Treasury Targets Belarusian Support for Russian Invasion of Ukraine (Feb. 24, 2022).

4 See Press Release, Treasury, Treasury Sanctions Russians Bankrolling Putin and Russia-Backed Influence Actors (Mar. 3, 2022).

5 See Press Release, Treasury, Treasury Sanctions Kremlin Elites, Leaders, Oligarchs, and Family for Enabling Putin’s War Against Ukraine (Mar. 11, 2022). Today, on March 24, 2022, OFAC also designated dozens of Russian defense companies, 328 members of the Russian State Duma and the head of Russia’s largest financial institution as key enablers of Russia’s invasion of Ukraine. See Press Release, Treasury, U.S. Treasury Sanctions Russia’ Defense-Industrial Base, the Russian Duma, and Its Members, and Sberbank CEO (Mar. 24, 2022).

6 Please refer to Mayer Brown’s Legal Update regarding OFAC and FinCEN’s guidance on how to address potential ransomware demands. Rajesh De, David A. Simon, Tamer A. Soliman, Ori Lev, Matthew Bisanz, and Joshua M. Silverstein, OFAC and FinCEN Communicate Ransomware Expectations in New Guidance (Oct. 5, 2020),

7 31 C.F.R. § 1020.320.

8 Some of these reporting obligations may pertain to Currency Transaction Reports, Report of Cash Payments Over $10,000 Received in a Trade or Business (Form 8300), and Reports of International Transportation of Currency or Monetary Instruments, among others.

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.