U.S. Banks Are Prepared for Russia Sanctions, but Concerns Grow About Potential Hacks

Several major financial institutions declined to comment publicly on their plans in light of sanctions, but retaliatory hacks are a major worry, several individuals connected to the U.S. banking industry said. One of the people added that Biden administration officials have told banks they intend to share intelligence among multiple U.S. agencies in order to mount a quick response, but the officials haven’t spelled out what any response might be.

On Thursday, the Treasury Department issued a directive banning U.S. financial institutions from opening or maintaining correspondent banking accounts for Russia’s biggest bank, Sberbank, and its subsidiaries, effectively cutting them off from the U.S. financial system starting on March 26. The directive is part of the latest sanctions package from the Biden administration that also includes sanctions on Russian state-owned VTB Bank and new debt and equity restrictions on more than a dozen Russian entities.

The U.S. and its allies unveiled further, sweeping sanctions against Russia after Moscow launched what President Biden called “an unprovoked and unjustified attack” on Ukraine late Wednesday night New York time.

Over the past two days, Western nations imposed a first round of sanctions on six Russian banks and on Russian sovereign debt, as well as on several wealthy Russians linked to Mr. Putin’s inner circle. The U.S. sanctions froze assets held by the blacklisted companies and individuals within U.S. jurisdictions and prohibited U.S.-based individuals and firms from doing business with them, unless permitted by the U.S. Treasury Department.

Despite the prospect of an increasingly harsh sanction regime, U.S. banks likely have operational processes and procedures in place to ensure compliance with U.S. sanctions, according to Eric Young, a former chief compliance officer for French bank BNP Paribas SA’s Americas region. He said the financial-services industry dealt with the impact from Russia’s annexation of Crimea in 2014 and has gained experience managing multiple evolving sanctions regimes and other trade restrictions in recent years, including those related to China and Venezuela.

Mr. Young added that the Ukraine crisis has evolved over many weeks and that the Biden administration said ahead of time that sanctions would be a response to a further incursion into the country.

Many banks employ former staffers from the U.S. Treasury Department’s Office of Foreign Assets Control, which implements and enforces sanctions, in their own compliance departments, enabling them to better navigate what can be a complicated regime.

Yet, “how fast, how soon and how quickly this [sanctions regime] escalates will be a true test to all industries, including the financial industry,” said Mr. Young, who is now a senior managing director at consulting firm Guidepost Solutions LLC.

Even for banks with no direct operations or business in Russia, an expansion of sanctions could mean more scrutiny from U.S. regulators of their correspondent banking relationships with overseas financial institutions, Mr. Young said.

Banks are required to conduct enhanced due diligence and know-your-customer onboarding processes when doing business with foreign financial institutions to ensure compliance with U.S. sanctions laws, but correspondent relationships are typically complex and could have layers of customers. This also could become more challenging if the conflict expands beyond Russia and Ukraine, he said.

“The challenge with correspondent banking is knowing the customers of your customer and the ultimate beneficial owners [of entities],” said Mr. Young.

U.S. banks could also be subject to retaliatory cyberattacks from Russia in response to the sanctions measures from the West, said Alex Zerden, a former U.S. Treasury official in the Obama and Trump administrations.

“It’s the question about what intentional and unintentional impact could be” from the sanctions, said Mr. Zerden, now the principal of financial technology and risk advisory firm Capitol Peak Strategies LLC.

U.S. officials have for weeks been warning businesses about hacks, either as direct retaliation for U.S. action in Ukraine or as indirect spillover threats for cyberattacks on Ukrainian-based businesses. Officials said they aren’t currently monitoring any specific threats against U.S. firms.

Russia has previously employed cyberattacks during periods of tension with Ukraine. In 2017, hackers linked to Russia launched the so-called NotPetya cyberattack, which affected not only entities in Ukraine but also in Europe and the U.S.

Last week, Deputy Treasury Secretary Wally Adeyemo, together with officials from the Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation, met with 11 banking executives to discuss cyber threats. The Ukraine crisis wasn’t mentioned in the Treasury readout from the meeting, but the panel discussed efforts to protect the cybersecurity infrastructure and to deter malicious cyber activities.

The Financial Services Information Sharing and Analysis Center, a Reston, Va.-based industry consortium that seeks to reduce cybersecurity risks in the global financial system, has issued guidance to its members on proactive measures they can take to defend their systems and data, FS-ISAC Chief Executive Steve Silberstein said in a statement.

The group advises a few best practices, including encrypting network traffic and implementing access control to limit what users can do in a database, according to the guidance.

“Our global intelligence team is continuing to actively assess the situation through enhanced monitoring and cross-border threat intelligence sharing across the financial services sector,” Mr. Silberstein said.

— David Uberti contributed to this article.

Write to Mengqi Sun at [email protected] and Richard Vanderford at [email protected]