Lately, I’ve found myself applying for foreign exchange to purchase a car. These days, foreign exchange control mechanisms have become even more structured. The process now requires purchasers to go online to the Central Bank’s website and then to the facilitating bank each time they need to complete a transfer. One can only guess that this added bureaucracy helps account for how and where the country spends its precious foreign resources.
The need to track how money leaves the country exists for several reasons, including compliance requirements. Regulations such as the U.S. Bank Secrecy Act (BSA), the EU’s Anti-Money Laundering Directive (AMLD), and Barbados’ Money Laundering and Financing of Terrorism (Prevention and Control) Act, 2011 provide the legal framework for preventing and controlling money laundering and terrorism financing. These laws mandate that financial institutions and businesses monitor transactions, report suspicious activity, and prevent funds from supporting illegal activities.
While I understand and agree with the need for such regulations, I couldn’t help but find the process exhausting—and I was only executing a one-off transaction. Imagine compliance officers who oversee hundreds of transactions daily. One business executive recently expressed his frustration, saying, “The requirement of compliance is outstripping economic viability of businesses.” I understood his point. In our attempt to meet increasingly detailed compliance requirements, we’ve become part of a globalised system that is overcomplicating business operations.
Ironically, I was conducting Data Privacy training when this realisation hit me. As ransomware attacks continue to surge globally, with businesses and governments paying billions in ransoms annually, a question came to mind. Is there an AML requirement to disclose to regulators when a business pays hackers a ransom to regain access to its systems?
As far as I know, AML regulations are primarily based on Know Your Customer (KYC) principles. These regulations require financial institutions to flag suspicious transactions. However, they typically focus on preventing money laundering through a business's operations rather than on reporting forced transactions. But given its links to organised crime and terrorist financing, would paying a ransom trigger an AML red flag?
The more I explored this cyber-AML-ransomware connection, the more questions arose. Does the Central Bank track how much money is being paid to hackers annually? As an industry professional, I would find such information invaluable in demonstrating the impact of cybersecurity threats on our economy. Nationally, this data could help shape policies that better protect businesses and financial systems.
Foreign exchange (FX) reserves are lifelines for small states, enabling imports, servicing debt, and stabilising currencies. However, unrecorded capital outflows—such as ransomware payments—drain these reserves without contributing to economic activity. Small states, reliant on narrow revenue streams like tourism and remittances, are particularly vulnerable to FX leakage.
For example, a Caribbean business hit by ransomware might pay attackers in untraceable cryptocurrency, bypassing central bank oversight. Over time, such leaks erode confidence in financial systems. They also create vulnerabilities that contribute to external shocks, such as devaluations or inflation spikes.
Ransomware operators exploit weak regulatory oversight in small states to launder payments. The most common methods include:
• Cryptocurrency Transactions: Ransoms paid in Bitcoin or Monero bypass traditional banking systems, avoiding FX controls.
• Informal Money Transfer Networks: Attackers may demand payments in foreign currencies through informal financial systems that lack reporting requirements.
One of the weakest sectors in cybersecurity has been the legal profession, particularly attorneys-at-law. Poor policies, inadequate processes, and limited investment in technology have made them highly susceptible to cyberattacks like ransomware.
In 2024, the Barbados Government Compliance Unit conducted a risk assessment. While it did not establish a direct link, it identified ransomware as an area of concern—particularly in relation to AML red flags such as:
• Unusual Transaction Patterns: Sudden, large cash transactions that deviate from normal business activity.
• Lack of Economic or Legal Justification: Payments inconsistent with a client’s known operations.
• Industry Irregularities: Transactions that do not align with standard practices in the client's sector.
This reinforces the urgent need for stronger cybersecurity measures across all professional sectors, especially those handling sensitive client information and financial transactions.
The economic stakes are high, particularly for small states like Barbados. Unaccounted FX outflows weaken currency stability by reducing reserves, making currencies more vulnerable to speculative attacks. They also reduce fiscal space, leaving governments with less foreign exchange to invest in critical sectors such as healthcare or infrastructure.
While compliance reporting has primarily fallen on the financial services sector, perhaps it is time to broaden this responsibility to non-financial sectors. Small states must mandate ransomware payment reporting, treating ransom payments as AML-reportable events. Strengthening cryptocurrency regulations is also crucial, requiring exchanges to monitor transactions linked to ransomware.
Addressing ransomware payments within AML frameworks is not just a regulatory necessity—it is an economic imperative. As small states navigate financial compliance, cybersecurity must become a core component of risk management. Ignoring these leaks in the system not only weakens financial stability but also exposes businesses and economies to greater threats. The question is no longer whether stricter oversight is needed, but how quickly we can implement measures to safeguard national security and economic resilience.
Steven Williams is the executive director of Sunisle Technology Solutions and the principal consultant at Data Privacy and Management Advisory Services. He is a former IT advisor to the Government’s Law Review Commission, focusing on the draft Cybercrime bill. He holds an MBA from the University of Durham and is certified as a chief information security officer by the EC Council and as a data protection officer by the Professional Evaluation and Certification Board (PECB). Steven can be reached at Mobile: 246-233-0090; Email: steven@dataprivacy.bb
The post The hidden drain: How ransomware payments evade AML controls and threaten small economies appeared first on Barbados Today.