Frequently Asked Questions
Executive Order (E.O.) 13694, as amended on December 29, 2016, focuses on specific harms caused by significant malicious cyber-enabled activities, and directs the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions on those persons he or she determines to be responsible for or complicit in activities leading to such harms. Acting pursuant to delegated authority, Treasury’s Office of Foreign Assets Control (OFAC) works in coordination with other U.S. government agencies to identify individuals and entities whose conduct meets the criteria set forth in E.O. 13694, as amended, and designate them for sanctions. Persons designated under this authority are added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List).
E.O. 13694, as amended, is intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. government. [12-29-2016]
As with many of the sanctions programs that Treasury administers, U.S. persons (and persons otherwise subject to OFAC jurisdiction) must ensure that they are not engaging in trade or other transactions with persons named on OFAC’s SDN List pursuant to E.O. 13694, as amended, or any entity owned by such persons.
As a general matter, U.S. persons, including firms that facilitate or engage in online commerce, are responsible for ensuring that they do not engage in unauthorized transactions or dealings with persons named on any of OFAC’s sanctions lists or operate in jurisdictions targeted by comprehensive sanctions programs. Such persons, including technology companies, should develop a tailored, risk-based compliance program, which may include sanctions list screening or other appropriate measures. An adequate compliance solution will depend on a variety of factors, including the type of business involved, and there is no single compliance program or solution suitable for every circumstance.
The names of, and identifying information for, all individuals and entities included on OFAC’s sanctions lists may be located via OFAC’s free, online search engine at the following URL: http://sanctionssearch.ofac.treas.gov. In addition, OFAC offers text and PDF versions of these lists for manual review and a number of data file versions of its lists that are designed to facilitate automated screening. Depending on the scale, sophistication, and risk profile of your business, you may consider one of the numerous commercially available screening software packages. [12-29-2016]
We anticipate that regulations to be promulgated will define “cyber-enabled” activities to include any act that is primarily accomplished through or facilitated by computers or other electronic devices. For purposes of E.O. 13694, malicious cyber-enabled activities include deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain. These activities are often the means through which the specific harms enumerated in the E.O. are achieved, including compromise to critical infrastructure, denial of service attacks, or massive loss of sensitive information, such as trade secrets and personal financial information.
E.O. 13694 is tailored to address cyber-enabled activities that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. As this language indicates, it is intended to counter the most significant cyber threats that we face, whether they target our critical infrastructure, our companies, our citizens, or our economic health or financial stability.
The measures in this order are directed against significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms, and are not designed to prevent or interfere with legitimate cyber-enabled academic, business, or non-profit activities. The U.S. government supports efforts by researchers, cybersecurity experts, and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors.
Similarly, these measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies, or to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events
The measures in this order are designed to address the threat posed by individuals and entities engaged in significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms. These measures are not designed to prevent or interfere with legitimate network defense or maintenance activities performed by computer security experts and companies as part of the normal course of business on their own systems, or systems they are otherwise authorized to manage.
No. These sanctions are designed to target those actors whose malicious cyber-enabled conduct is reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. These measures are not intended to target victims of such activities, including the unwitting owners of compromised computers.
For more information about best practices for securing home networks and engaging in responsible online behavior, visit the Federal Trade Commission’s website at OnGuardOnline.gov.
The United States’ whole-of-government strategy to combat cyber threats draws from a broad range of tools and authorities to respond to the growing and evolving threat posed by malicious cyber actors. Similar to our approach to global threats from terrorists, narcotics traffickers, and transnational criminal organizations, we will use financial sanctions in the fight against malicious cyber actors as a complement to existing tools, including diplomatic outreach and law enforcement authorities.
As with all financial sanctions programs Treasury administers, these measures will be implemented in accordance with domestic law and our international obligations.
No. This authority does not target American whistleblower activity or constitutionally protected activity. The E.O. defines misappropriation to be the “taking or obtaining by improper means, without permission or consent, or under false pretenses.” Importantly, to be eligible for sanctions under this provision, an individual or entity must not only “misappropriate” information, but it must also do so with the purpose or effect of interfering with or undermining election processes or institutions.
GL 1Bauthorizes transactions and activities with the Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a. FSB) that are necessary and ordinarily incident to requesting, receiving, utilizing, paying for, or dealing in certain licenses and authorizations for the importation, distribution, or use of certain information technology products in the Russian Federation. It also authorizes transactions and activities necessary and ordinarily incident to compliance with rules and regulations administered by, and certain actions or investigations involving, the Federal Security Service.
This general license does not authorize U.S. persons to engage in transactions and activities with the Federal Security Service, except for the limited purposes described above, nor does it authorize the exportation, reexportation, or provision of any goods, technology, or services to the Crimea region of Ukraine.
GL 1B only authorizes certain transactions and activities with the Federal Security Service acting in its administrative and law enforcement capacities. The GL was issued in order to ensure that U.S. persons engaging in certain business activities in Russia that are not otherwise prohibited are not unduly impacted. All other transactions and activities involving any property subject to U.S. jurisdiction or within the possession or control of U.S. persons in which the Federal Security Service has an interest, including all other transactions and activities directly or indirectly with the Federal Security Service, remain prohibited unless exempt or otherwise authorized by OFAC.
No. GL 1B does not authorize the export of any goods, technology, or services directly or indirectly to the Federal Security Service or any other blocked person, except for the limited purposes of complying with rules and regulations administered by, and certain actions and investigations involving, the Federal Security Service or requesting certain licenses or authorizations for the importation, distribution, or use of information technology products in the Russian Federation.
No, the sanctions on the FSB do not apply to transactions by U.S. persons that are ordinarily incident to travel to or from Russia, including those transactions required to enter into or exit the country (i.e., complying with Russian border control requirements).
Once it has been determined that your institution is holding digital currency that is required to be blocked pursuant to OFAC’s regulations, you must ensure that access to that digital currency is denied to the blocked person and that your institution complies with OFAC regulations related to blocked assets. Institutions may choose, for example, to block each digital currency wallet associated with the digital currency addresses that OFAC has identified as being associated with blocked persons, or opt to use its own wallet to consolidate wallets that contain the blocked digital currency (similar to an omnibus account) titled, for example, “Blocked SDN Digital Currency.” Each of these methods is satisfactory, so long as there is an audit trail that will allow the digital currency to be unblocked only when the legal prohibition requiring the blocking of the digital currency ceases to apply. The institution is not obligated to convert the blocked digital currency into traditional fiat currency (e.g., U.S. dollars). Blocked digital currency must be reported to OFAC within 10 business days. Questions about whether a transaction should be blocked should be directed to OFAC at 202-622-2490 or email@example.com.
An institution may notify its customer that it has blocked digital currency pursuant to OFAC regulations. The customer has the right to apply for the unblocking and release of the digital currency.
To apply online to have the virtual currency released, please go to OFAC’s online application page.