The law – The Cyber (Sanctions) (Overseas Territories) Order 2020 – came into effect three years ago in 2020 in several overseas British territories including Anguilla, Cayman, Montserrat, Turks and Caicos and the Virgin Islands (British).
The rationale behind the Order? Create a cross-border enforcement mechanism to better limit the ability of malicious threat actors to operate or profit from their (cyber) criminal activity. Per the explanatory note:
The sanctions imposed include an asset-freeze on persons designated by the Council of the European Union as persons who are responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for, or are otherwise involved in, cyber-attacks or attempted cyber-attacks, as well as persons associated with such persons.
In effect, once a party has been designated as having responsibility for a cyber attack, the Ordinance serves to prohibit anyone in in the various British Overseas Territories (including financial institutions) from providing any support to the designated person by way of dealing with their assets. A blacklist, if you will.
The language used in the Ordinance to describe assets is ‘funds or economic resources’. The latter, presumably to ensure coverage of bitcoin and other digital currency often favoured by cybercriminals in the modern dispensation, where the applicable local laws may not consider them funds.
Another consequence of the Ordinance: since the relevant sanction list will be updated periodically, the Ordinance created an implied obligation for individuals and institutions in Turks and Caicos to monitor the designated list. In other words: an ongoing compliance obligation.
Method not new
The method of legislating to automatically give effect to a centralised sanctions list is not new. The same approach is applied in the wider context of anti-terrorism laws.
Many Caribbean territories have laws on the books making an offence of, among other things, providing funds if the funds are to be used in full or in part by a person in respect of whom a terrorist designation order or counter-proliferation order is in force. Such orders are typically made after a party has been designated a terrorist by the United Nations Security Council. Typically, the UN Security Council will maintain a list of sanctioned persons and individual countries will have laws on the books automatically blacklisting those persons. See some regional examples from St. Lucia, Trinidad and Guyana here, here and here.
That said, the Ordinance is, to my knowledge, the first time that a cybercrime-specific iteration of this legislative approach has been applied in the Caribbean.