The next statement of interest, and perhaps a less opaque reference is on the economic crime and corporate transparency bill: “A bill will be brought forward to further strengthen powers to tackle illicit finance, reduce economic crime and help businesses grow.”
From the lobby pack we find one of the main elements of the bill is: "Creating powers to more quickly and easily seize and recover cryptoassets, which are the principal medium used for ransomware. The creation of a civil forfeiture power will mitigate the risk posed by those who cannot be criminally prosecuted but use their funds to further criminality."
Throughout the world, countries are trying to restrict the options available for criminal gangs to monetise their actions.
The UK, EU, US and other countries have introduced legislation to make paying ransoms illegal in most circumstances. The UK, while considering such options, has to date taken a different approach.
The payment of a ransom is not of itself illegal in the UK. However, depending on who the money is paid to and in what circumstances, there are three key possible offences to be aware of:
1. Money laundering: It is an offence for a person to enter into an arrangement that they know or suspect facilitates the use or control of criminal property. However, a ransom payment may not be considered to be criminal property until it is in the hands of the attackers.
The available guidance is that, if the money was in all respects legal until it reached the hands of the cyber criminals, it is unlikely that a prosecution for money laundering would be regarded as being in the public interest (Proceeds of Crime Act 2002, s328).
2. Financing terrorism: It is an offence for a person to provide money if they know or have reasonable cause to suspect that it will or may be used for the purposes of terrorism. A ransom-payer will often not be aware nor have reasonable cause to suspect that the ransom will go to a group concerned with terrorism (Terrorism Act 2000 s15(3)).
3. Sanctions: It is an offence under sanctions law to make funds available directly or indirectly to a "designated" individual or entity. Those designated individuals appear on lists published by the Office of Financial Sanctions Implementation in the UK.
Provided that reasonable due diligence had been conducted it will not, however, be an offence under English law to make such a payment if you can show that you did not know or have reasonable cause to suspect that funds would be made available, directly or indirectly, to such a designated person.