Cybersecurity: Legislation

Senate Passes Russia Sanctions Amendment

By Ed Stein
Monday, June 19, 2017, 10:30 AM

Last week, the Senate took a significant step towards imposing additional sanctions on Russia. The latest step came in the form of an amendment to S.722, the Countering Iran's Destabilizing Activities Act. The amendment had solid bipartisan sponsorship going onto the floor and it passed with overwhelming bipartisan support, as did the final bill. The amendment’s sponsors included the chairmen and ranking members of both the Banking and Foreign Relations committees. (Perhaps the most surprising sponsor was Sen. Corker (R-TN) who just over a month ago seemed less-than-enthused about imposing additional sanctions on Russia.)

If enacted into law in its current form, the new provisions in the amended Senate bill would achieve three main objectives: (1) codify current sanctions that were imposed under executive order by the Obama administration; (2) effectively stop the president from lifting sanctions on Russia without bicameral congressional approval; and (3) impose several new sanctions (e.g., targeting malicious cyber actors and their facilitators) and compel the president to either make designations or explain why he is declining to do so. The provisions also impose a number of reporting requirements that will require the administration to report on what it is (or is not) doing to facilitate congressional oversight.

In this post, I will focus on several new or noteworthy provisions of the bill.

 

Building Off Past Efforts

In many ways, the Russia amendments are the latest permutation of several standalone bills that have been floating around the Senate for a while (and which were summarized in this earlier post). In addition to codifying Obama Administration-era executive orders, imposing new sanctions, and ensuring congressional review like previous bills, this bill continues to target facilitators through secondary sanctions and often (though not always) employs the menu model of sanctions whereby the president selects a certain number of measures to impose from a larger list. Additionally, this bill continues to define “knowingly” to capture negligent conduct. For example, sanctions may be imposed on a person who should have known that their conduct materially assisted a malicious cyber actor.

Additionally, this bill continues to include enhanced waiver language. As discussed in the previous post, the bill continues the trend of ever more demanding standards for what the president must certify in order to waive sanctions. Here, it is not sufficient for the president to certify that the sanctions waiver is “important,” “necessary,” or even “essential.” Rather, the president’s waiver must include a certification that waiving sanctions “is in the vital national security interests of the United States; or … will further the enforcement of this title.” This language reflects the Senate’s insistence on congressional control over the lifting of sanctions. In line with this design, in eleven places the amendment requires the president to impose one or more sanctions (by using “shall” language). And in a number of places, the bill simply replaces permissive language in previous statutes with mandating language.

 

Russia Sanctions Review Act

The bill includes a broad review provision (titled the Russia Sanctions Review Act of 2017) that covers pretty much all Russia-related sanctions. Specifically, before terminating, waiving, or even issuing a license that “significantly alters United States’ foreign policy with regard to the Russian Federation,” the president must report his proposed action and give Congress 30 days to review it (under expedited procedures).

Interestingly, the required content of the president’s report is detailed in what could be called the Art of the Deal provision, which requires the president to identify what concessions he received (or will receive) from the Russians in exchange for any sanctions relief:

(3) DESCRIPTION OF TYPE OF ACTION.—Each report submitted under paragraph (1) with respect to an action described in paragraph (2) shall include a description of whether the action—

(A) is not intended to significantly alter United States’ foreign policy with regard to the Russian Federation; or

(B) is intended to significantly alter United States’ foreign policy with regard to the Russian Federation.

(4) INCLUSION OF ADDITIONAL MATTER.—

(A) IN GENERAL.—Each report submitted under paragraph (1) that relates to an action that is intended to achieve a reciprocal diplomatic outcome shall include a description of—

(i) the anticipated reciprocal diplomatic outcome;

(ii) the anticipated effect of the action on the national security interests of the United States; and

(iii) the policy objectives for which the sanctions affected by the action were initially imposed.

(B) REQUESTS FROM BANKING AND FINANCIAL SERVICES COMMITTEES.—The Committee on Banking, Housing, and Urban Affairs of the Senate or the Committee on Financial Services of the House of Representatives may request the submission to the Committee of the matter described in clauses (ii) and (iii) of subparagraph (A) with respect to a report submitted under paragraph (1) that relates to an action that is not intended to achieve a reciprocal diplomatic outcome.

So if the quid is sanctions relief, the president must be able to point to some quo he will get from the Russians ahead of time because the bill requires him to report it to Congress before actually lifting any sanctions. As a practical matter, this means that each time the president wants to delist an entity or even grant a substantial license, he will have to report his intention ahead of time, explain what he expects to get (or what he already got) in exchange, and be prepared for questions from both houses of Congress. That's likely to be onerous.

Congressional jurisdiction is split between the banking and foreign relations committees. The Senate Foreign Relations and House Foreign Affairs Committees will review any measures “intended to achieve a reciprocal diplomatic outcome,” while the Senate Banking and House Financial Services Committees will review any remaining measures. Of course, this implicates the same questions about efficacy that arose in the Iran context.

Another interesting tidbit is that this review process applies not only to financial sanctions, but also to real estate deals. Specifically, the president must explain—and Congress gets to review—any action which undoes the Obama Administration’s shuttering two Russian-owned compounds in Maryland and New York. A few weeks back, the Washington Post reported that the Trump Administration was considering taking this step, and it appears some folks on Capitol Hill may have noticed.

 

Codification (and Modification) of Preexisting Sanctions

The bill largely tracks earlier bills in terms of codifying the various Russia-related executive orders. But the amendment also directs the Office of Foreign Assets Control to make some modifications to EO 13662’s sectoral sanctions:

●Directive 1: Financing provided to persons identified under Directive 1 (targeting the financial services sector) would have to mature in 14 days or less (vice 30).

●Directive 2: Financing provided to persons identified under Directive 2 (targeting the energy sector) would have to mature in 30 days or less (vice 90).

●Directive 4: The amendment expands the prohibitions on exportation of good, services, and technology involving offshore energy projects to include relevant projects “in which a Russian energy firm is involved.”

 

New Sanctions

The bill also tracks earlier bills in terms of the new sanctions it seeks to impose. Nevertheless, there are a few interesting alterations.

Cyber Actors. Unlike earlier bills, the this one defines the “significant activities undermining cybersecurity” to include:

 

(1) significant efforts—

(A) to deny access to or degrade, disrupt, or destroy an information and communications technology system or network; or

(B) to exfiltrate, degrade, corrupt, destroy, or release information from such a system or network without authorization for purposes of—

(i) conducting influence operations; or

(ii) causing a significant misappropriation of funds, economic resources, trade secrets, personal identifications, or financial information for commercial or competitive advantage or private financial gain;

(2) significant destructive malware attacks; and

(3) significant denial of service activities. 

So there’s still no clarity on what is “significant,” and this language does not resolve the conduct questions mentioned in my previous post—but the bill does offer more clarity on what kinds of cyber activity are relevant. I’ll leave to others who know more about cyber to comment, but it seems like this definition can be construed to capture pretty much any malicious cyber activity. And notably, while earlier bills permitted the president to impose cyber sanctions, the amendment requires it.

Energy Pipelines. The bill seems to tone down potential sanctions against those investing in pipelines. Specifically—and in a departure from an earlier bill—this provision would permit, but not require, the president to impose relevant sanctions.

Sanctions Evaders. The bill includes strong secondary sanctions provisions targeting those who help designated persons evade sanctions:

(a) IN GENERAL.—The President shall impose the sanctions described in subsection (b) with respect to a foreign person if the President determines that the foreign person knowingly, on or after the date of the enactment of the Countering Russian Influence in Europe and Eurasia Act of 2017—

(1) materially violates, attempts to violate, conspires to violate, or causes a violation of any license, order, regulation, or prohibition contained in or issued pursuant to any covered Executive order; or

(2) facilitates significant deceptive or structured transactions for or on behalf of—

(A) any person subject to sanctions imposed by the United States with respect to the Russian Federation; or

(B) any child, spouse, parent, or sibling of an individual described in subparagraph (A).

The provision essentially targets foreign persons who do pretty much anything that they should have known would cause a violation. It also seems to import anti-money laundering efforts (cross-citing to the regulation defining “structuring”), targeting those who facilitate the financial activities of designated persons or family members (who some have suggested might help designees evade sanctions). 

 

Reports

The bill is full of provisions requiring reports and studies on everything from oligarchs to media outlets. While it is certainly true that these reports don’t write themselves (and thus consume time that could be spent doing other things), they can be very valuable for congressional staffers. Not only do they offer insights into what the administration is (or is not) doing, but they provide discrete action points that can form the basis of briefings, hearings, letters, and basically any other oversight activity imaginable. They can also help inform future legislation. For example, if you think the administration is not doing enough to target high-level Russian officials or politically exposed persons, a report on their activities, assets, and exposure to U.S. jurisdiction could be useful. And it can force an administration to devote attention to and justify its positions on matters it may be ignoring.

For example, within a year, the administration must report on “interagency efforts in the United States to combat illicit finance relating to the Russian Federation.” This report is to include not only efforts to “disrupt illicit financial flows linked to” Russia, but also efforts at the Justice Department to investigate and prosecute relevant major cases. Interestingly, the report also requires the administration to report private sector outreach activities, “including information sharing efforts to strengthen compliance efforts by entities, including financial institutions, to prevent illicit financial flows.” This is significant. As David Cohen, former Undersecretary of the Treasury for Terrorism and Financial Intelligence, observed in the organized crime context, financial institutions play a central role in disrupting illicit finance threats:

As we all know, financial institutions serve as the front line of defense against [transnational criminal organizations].  By virtue of their similarly transnational structures and their indispensable role in modern commerce, financial institutions act as both the plumbing and the gatekeepers of the global financial system. Importantly, TCOs do not see shell companies, front companies, or lax jurisdictions as alternatives to the regulated global financial system, but merely as points of access into that system.  For Treasury, therefore, the most important battleground in the fight against TCOs remains the regulated financial sector. … We are constantly looking for ways to foster more dynamic, real-time information sharing, between our government and financial institutions, between financial institutions, and between law enforcement agencies around the world. Receiving more accurate information from the private sector enhances our ability to combat illicit actors, while getting better information in the hands of the private sector is a force multiplier for our efforts. Therefore, in addition to issuing public advisories, we also alert financial institutions to individuals, entities, or organizations engaged in or suspected of money laundering or terrorist financing through a secure channel.  And we have begun exploring new ways of enhancing this flow of information from government to industry by providing more context to financial institutions to make the information even more valuable to them.

And as Jamal El-Hindi, the acting FinCEN Director, recently noted in the terrorist financing context, “The reporting by financial institutions is an essential component in identifying foreign terrorist fighters, financial and logistical facilitators, and their methods of moving funds.”

Indeed, it is interesting (and perhaps not surprising to followers of U.S. counter-illicit finance efforts) that the bill also requires reporting on efforts to “[e]xpand the number of real estate geographic targeting orders or other regulatory actions … to degrade illicit financial activity relating to [Russia] in relation to the [U.S.] financial system.” For those who may not be familiar with the subject, then-FinCEN Director Shasky Calvery and a former colleague provided context in this fantastic analysis:

[I]nternational illicit actors continue to exploit the intersection of corporate secrecy and all-cash transactions to move their dirty money into the US real estate market. An increase in the percentage of cash purchases at the top of the market by money launderers, whether foreign corrupt officials and drug traffickers, or domestic Ponzi scheme fraudsters … can trickle down to cause financial pain for ordinary people. Crime obviously harms communities, but the proceeds of crime are also damaging. In short, when criminals move their dirty money into the real estate market, American consumers and businesses suffer. … FinCEN has longstanding concerns about the vulnerability of this portion of the real estate market to abuse by money launderers, and is seeking to learn more about the best way to address the problem through enhanced information gathering tools like the [real estate geographic targeting orders]. ... Part of FinCEN’s goal is to determine which of these real estate professionals are best positioned to shed some light on the least transparent portion of the real estate industry. FinCEN is taking a deliberate approach to the issue and is determined to find the right way to confront money laundering in the US real estate sector, wherever it is found.

 

National Strategy for Combating Terrorist and Other Illicit Financing

The bill doesn't only require reports on past or ongoing efforts. It also helps ensure all of the various executive branch stakeholders are thinking strategically (and with each other) about how to most effectively combat illicit financial activity:

(a) IN GENERAL.—The President, acting through the Secretary [of the Treasury], shall, in consultation with the Attorney General, the Secretary of State, the Secretary of Homeland Security, the Director of National Intelligence, and the appropriate Federal banking agencies and Federal functional regulators, develop a national strategy for combating the financing of terrorism and related forms of illicit finance.

The inclusion of the bank regulators (for all the reasons discussed above, and more) is important. It's easy to forget how challenging compliance can be for even very-well intentioned financial institutions. Even if they are able to avoid billions of dollars in Justice Department fines, they still face regular examinations from their regulators. And this doesn't include the reputational risk from a mistake, or efforts to avoid being overly cautions (derisking). In the face of illicit finance threats to the U.S. financial system and in light of the need for responsive action from financial institutions, having the regulators in the room is necessary. And the bill makes abundantly clear that the private sector is to be considered in countering illicit finance efforts going forward. It requires data to be shared with financial institutions where possible, and that the strategy consider the role financial institutions play:

(6) THE ROLE OF THE PRIVATE FINANCIAL SECTOR IN PREVENTION OF ILLICIT FINANCE.—A discussion of ways to enhance partnerships between the private financial sector and Federal departments and agencies with regard to the prevention and detection of illicit finance, including— (A) efforts to facilitate compliance with laws aimed at stopping such illicit finance while maintaining the effectiveness of such efforts; and (B) providing guidance to strengthen internal controls and to adopt on an industry-wide basis more effective policies.

All of this will likely signal to financial institutions (and to any in the administration who may not be aware) that Congress takes international illicit finance threats and the attendant regulatory frameworks seriously and will remain engaged on these issues.

 

National Security Council

Last, but certainly not least, the amendment would amend the National Security Act of 1947 to include the Secretary of the Treasury as a statutorily-specified member of the National Security Council. That would mean more meetings for Secretary Steven Mnuchin, presently the only Senate-confirmed official at Treasury. In a 2012 New York Times op-ed, Robert Kimmitt, former Deputy Treasury Secretary, called for this very change, arguing that “the Treasury secretary, who has primary authority on economic and financial issues in the cabinet, should be at every meeting to advise on how economic and security issues intersect, and to ensure that the United States is using its economic and financial strength in the most effective way.” Previously Treasury heads have attended NSC meetings on a case-by-case, invitation basis.