Paying a Ransom could be an Australian Money Laundering Offence

The use of ransomware by criminals is a significant and growing threat to all organisations, particularly businesses.  Recent attacks on the Colonial Pipeline company in the United States which shut off a major US fuel pipeline significantly disrupting supplies and on JBS Foods, the world’s largest meat producer, have highlighted the danger the crime type poses.  While those attacks were carried out on US companies, Australia has not been immune.  Ransomware attacks have been perpetrated on four major Queensland hospitals, UnitingCare Queensland, Nine Entertainment and the Lion Beverage Company to name a few. 

So, what is a ransomware attack?  According to the Australian Cyber Security Centre (ACSC), “ransomware is a type of malicious software (malware). When it gets into your device, it makes your computer or its files unusable. Cybercriminals use ransomware to deny you access to your files or devices. They then demand you pay them to get back your access”. This is reportedly what happened in the Colonial Pipeline incident. And in Australia, research has shown that where Australian companies have been the victim of a ransomware attack, some have paid the ransom to the hackers to regain access to their computer systems or to retrieve stolen data or both.

The ACSC offers advice to organisations on how to protect themselves from such attacks including: “We recommend you do not pay the ransom. There is no guarantee paying the ransom will fix your devices. It can also make you vulnerable to future attacks”. I agree with that advice but would advise readers, if they are an Australian citizen, Australian resident, or an Australian company, to not pay the ransom because paying it could amount to an offence against Australian money laundering law.

Now this might surprise some people.  What has money laundering law got to do with paying criminals to get your own property back or to get access to a computer system they control?  Well, in brief, the payment of a ransom could amount to money laundering because, under Division 400 of the Criminal Code Act, a law of the Commonwealth of Australia, the payment would amount to an instrument of crime.  Division 400 of the Criminal Code Act (Cth) defines an instrument of crime as follows:  “money or other property is an instrument of crime if it is used in the commission of, or used to facilitate the commission of, an offence against a law of the Commonwealth, a State, a Territory or a foreign country that may be dealt with as an indictable offence (even if it may, in some circumstances, be dealt with as a summary offence)”.   It is not the intention of this article to fully discuss Commonwealth money laundering law, as it would not be practical here.  But payments to the criminals, whether to regain access to blocked files or to secure the return of stolen data, would be money used in the commission of the crime or to facilitate it.  When received by the cybercriminals, the money becomes the proceeds of a crime. Commonwealth money laundering law applies to the instruments of crime for all indictable offences against Commonwealth, Territory, or foreign law.  It applies to instruments of crime in relation to State indictable offences only in limited circumstances, primarily where the money or property is moved or transferred during, or for the purposes of, the importation or exportation of goods to or from Australia; or via the use of a postal, telegraphic, telephonic, or other like service within the Commonwealth’s constitutional authority; or outside Australia. 

Other instruments of crime involved in ransomware incidents that could snare an individual or an organisation in a money laundering offence include any phones, computers and other communication devices or systems used to communicate with any of the criminals involved in the attack to discuss the ransom and/or return of any data or used to make any payment to the criminals. It does not only involve the method of payment.

A person can be convicted of money laundering where they have full knowledge of the intended use of any funds or property, or are reckless or negligent as to the intended use of the funds.  And depending on the value of any money or property involved and the level of knowledge held, the penalties can be severe: up to life imprisonment if the payer intends to pay the ransom and the money or property involved is worth $10 million or more.  And whether or not a person or an organisation is convicted of money laundering, their involvement in paying a ransom could trigger the powerful non-conviction based forfeiture provisions of Commonwealth law, potentially rendering all assets they control liable to forfeiture.

The defence of duress is available under Commonwealth law for victims of ransomware who make payments to the cybercriminals.  However, that defence is subject to the conditions prescribed in Section 10.2 of the Criminal Code Act 1995.  A person or organisation making any payment must reasonably believe that a threat has been made and that it will be carried out unless an offence is committed (the payment of the ransom); that there is no reasonable way the threat can be rendered ineffective; and that the conduct is a reasonable response to the threat.  While it is the court that decides whether a person or an organisation met those tests, any victim would need to demonstrate that they took steps to render the threat ineffective and that those steps were reasonable.  This would include, for example, contacting the ACSC and seeking its advice, and reporting the crime to the Australian Federal Police (AFP) and seeking its assistance. 

When reporting a ransom demand to the AFP, the person or organisation should request that the AFP undertake, or consider undertaking, a controlled operation involving the payment of funds or any property to the criminals under Part IAB of the Crimes Act 1914 (Cth).  Where that occurs, any civilian participant authorised to take part in the controlled operation is deemed not to be criminally responsible for the offence.  Involvement by a civilian participant in a controlled operation to pay the ransom provides greater protection than the duress provisions.  Any controlled operation is at the discretion of the AFP, and where it decides not to conduct one, the victim of the ransomware demand should get its reasons for not doing so in writing.  Whether or not the AFP undertakes a controlled operation, a request from the person or organisation would be strong evidence that it did everything reasonable before being compelled to make any payment.  The engagement of a solicitor or barrister with extensive experience in handling AFP matters would be a distinct advantage.

And it is not just the direct victims of the ransomware attack that are at risk of being implicated in money laundering.  Any bank or remittance business (in relation to money) or virtual currency exchange (in relation to virtual currency) risks being charged with money laundering if it knowingly, recklessly or negligently transfers a ransom to cybercriminals.  Any controlled operation, if undertaken, would need to capture those entities as well.

It is probably unlikely that any Australian authority would pursue a money laundering case against a victim of ransomware if the victim paid a ransom to secure the release of their computer systems and/or the return of their stolen data.  But a victim in those circumstances needs to be careful. A money laundering action can be undertaken using the criminal law provisions in Division 400 or by using the powerful Commonwealth civil forfeiture laws, which do not require any person to be convicted of a crime.  Readers should note that the AFP has pursued and continues to pursue victims of “cuckoo smurfing”, which is a money laundering technique perpetrated by international crime syndicates.  Using that method, criminals hijack legitimate funds sent by remittance agents and substitute them with the proceeds of crime.  The people sending and receiving the money have no knowledge that the criminals are doing it.  The AFP then seeks the forfeiture of any criminal funds that have been deposited into the accounts held by innocent victims.  The AFP is pursuing that action against victims because it believes, mistakenly, that it will stop the criminals from using that technique.  It is not.  But given the AFP action in relation to victims of cuckoo smurfing, it is highly plausible that the AFP could act against victims of ransomware for the same illogical reason.  For example, if a ransom was paid and partially or fully recovered, the AFP might seek to restrain and forfeit the funds.

Australian money laundering law would also apply to other circumstances where a ransom is paid by an Australian citizen, resident, or Australian company, for example a ransom paid to secure the release of a person kidnapped either in Australia or offshore.

The advice offered by the ACSC would be enhanced if organisations stopped treating criminal risk in silos.  Far too often, as a consultant, when I am examining various compliance programmes, for example anti-money laundering & counter-terrorism financing programmes, I see that they have been developed in isolation from other programmes, such as anti-bribery & corruption, anti-slavery, and cybercrime programmes.  That approach ignores the risk posed by polycriminal groups, is ineffective, as gaps between programmes are ignored, and is inefficient, as many programmes have common elements which are often re-examined, leading to time and money being wasted.  All criminal risk should be assessed at the same time, and mitigation measures developed to prevent, identify, and report crimes.  Without a comprehensive approach to criminal risk, individuals and organisations will not only become victims of crime, but also fall foul of Australian money laundering and forfeiture law.

Please note this article expresses an opinion only.  It does not constitute legal or financial advice and does not take into account individual circumstances. It is highly recommended to seek specialist advice before taking any action in relation to the issues raised in this article.

Chris Douglas is the owner of Malkara Consulting, a consultancy firm that specialises in the provision of training and advice in relation to financial crime including money laundering, terrorist financing, corruption and bribery, financial investigations, and proceeds of crime law. He is a former Australian police officer with the elite Australian Federal Police (AFP) for 31 years where he was involved in drug trafficking, people smuggling, human trafficking, corruption, organised crime, and fraud investigations.

He may be contacted at Chris.douglas@malkaraconsulting.com.