Understanding the DeFi Illicit Finance Risk Assessment: Implications and Recommendations for Compliance in the Virtual Asset Space
The U.S. Department of the Treasury's 2023 DeFi Illicit Finance Risk Assessment summarizes the covert threats associated with decentralized finance (DeFi) services. This comprehensive evaluation focuses on the risks linked to DeFi services, spotlighting the vulnerability of these services to exploitation by malevolent entities like cybercriminals, ransomware attackers, thieves, and scammers, along with the Democratic People’s Republic of Korea (DPRK).
Interestingly, the assessment acknowledges the elusive nature of defining DeFi, noting that there is no generally accepted definition, even within the industry. DeFi is broadly understood to refer to automated peer-to-peer transactions facilitated via smart contracts based on blockchain technology. However, this definition is a matter of facts and circumstances, often determined by the degree to which a service is truly decentralized.
The assessment has identified that illicit actors are making use of DeFi services to launder and transfer illicit proceeds, exploiting regulatory, supervisory, and enforcement gaps both in the U.S. and abroad. The study underscores that the most significant risk arises from DeFi services that do not comply with existing AML/CFT obligations.
In the United States, the Bank Secrecy Act (BSA) imposes AML/CFT obligations on a wide range of financial institutions, potentially including DeFi services depending on the specifics of their financial activities. Whether a service claims to be "fully decentralized" does not change its status as a financial institution under the BSA. Nonetheless, the Treasury's report notes that a significant number of DeFi services, purportedly under the BSA's jurisdiction, are failing to comply with these obligations, creating a dangerous loophole for illicit actors.
Furthermore, the assessment recognizes an industry-wide lack of clarity on how AML/CFT obligations apply to DeFi services, suggesting that some providers may decentralize their services deliberately to avoid these obligations. However, the report maintains that obligations continue to apply as long as covered services are provided. Certain DeFi services with opaque structures may also present challenges to supervision and enforcement.
In response to these findings, the assessment suggests several actions to mitigate the risks associated with DeFi services. Firstly, the U.S. needs to strengthen its AML/CFT regulatory supervision and enforcement in the virtual asset space. Engagement with the industry should be increased to clarify how existing laws and regulations apply to DeFi services.
The report also highlights the problem of “disintermediation,” where a DeFi service falls outside the current BSA definition of a financial institution. These services are less likely to implement AML/CFT measures, leaving potential gaps in efforts to disrupt illegal activities. Recommendations are made to close any such gaps within the BSA.
Other noted vulnerabilities include the lack of AML/CFT standards in foreign countries, and inadequate cybersecurity practices by DeFi services. To address these, the report recommends increased international collaboration for stronger AML/CFT implementation and improved cybersecurity practices.
It's noteworthy that the existing U.S. AML/CFT framework, along with the gradual implementation of global AML/CFT standards for virtual assets, has somewhat mitigated these risks. The report underscores the importance of data from the public blockchain and industry-driven compliance solutions for DeFi services, although these cannot fully offset the identified vulnerabilities.
Recognizing the rapidly evolving nature of the virtual asset ecosystem, the assessment emphasizes the need for ongoing research and engagement with the private sector to comprehend developments in the DeFi ecosystem.