A Quick Look at the Key Points of the U.S. Treasury Department’s 2023 DeFi Illegal Financing Risk Assessment

On April 7, 2023, the U.S. Department of the Treasury released the DeFi Illicit Finance Risk Assessment. The assessment is a response to the September 2022 White House Digital Assets Framework, which specifically asked the Treasury Department to provide a risk assessment for DeFi.

According to the U.S. Department of the Treasury, this is the world’s first illicit financial risk assessment for DeFi. Jinse Finance takes you through the main points of DeFi illegal financing risk assessment.

This risk assessment explores how illicit actors can abuse services commonly referred to as decentralized finance (DeFi), and the vulnerabilities specific to DeFi services. The results of the assessment will inform the identification and addressing of potential enforcement against DeFi in the U.S. Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) regulatory, supervisory and enforcement regime.

Currently, even among industry players, there is no universally accepted definition of DeFi, or what characteristics would make a product, service, arrangement or activity "decentralized." The term broadly refers to virtual asset protocols and services that claim to allow some form of automated peer-to-peer (P2P) transactions, often through the use of self-executing code, or "smart contracts," based on blockchain technology. The extent to which a so-called DeFi service is actually decentralized is a matter of fact and circumstances, and this risk assessment finds that DeFi services typically have a controlling organization that provides some degree of centralized management and governance reason.

The assessment found that illicit actors, including ransomware cybercriminals, thieves, scammers, and Democratic People’s Republic of Korea (DPRK) cyber actors, are using DeFi services to transfer and launder their ill-gotten gains. To achieve this goal, illicit actors are exploiting vulnerabilities in U.S. and foreign AML/CFT regulatory, supervisory, and enforcement regimes, as well as in the technology that powers DeFi services. In particular, the assessment found that the most important current illicit financial risk in this sector comes from DeFi services that do not comply with existing anti-money laundering/combating terrorism obligations.

In the United States, the Bank Secrecy Act (BSA) and related regulations stipulate that financial institutions are obliged to assist US government agencies in detecting and preventing money laundering. The Bank Secrecy Act imposes such obligations on a wide range of financial institutions, and determining whether an entity, including so-called DeFi services, is a financial institution will depend on the specific facts and circumstances of its financial activities. However, **DeFi services that are financial institutions defined by the BSA, regardless of whether the service is centralized or decentralized, must comply with BSA obligations, including anti-money laundering/combating terrorism obligations. A DeFi service's claim that it is or plans to be "fully decentralized" does not affect its status as a financial institution under the BSA. **

Nonetheless, many existing DeFi services covered by the BSA fail to comply with AML/CFT obligations, a weakness exploited by illicit actors. This risk is exacerbated by a lack of common understanding among industry players on how AML/CFT obligations apply to DeFi services. ** In some cases, industry suppliers may have deliberately sought out decentralized virtual asset services in order to avoid triggering AML/CFT obligations, without recognizing that these obligations will not be enforced as long as the supplier continues to provide services covered by BSA regulation still applies. **At the same time, some DeFi services developed with opaque organizational structures may pose serious challenges to supervision, as well as applicable statutory and regulatory obligations where DeFi services do not comply with their AML/CFT obligations. Execution brings challenges.

**The review recommends strengthening U.S. anti-money laundering/counter-terrorist financing regulation and, where relevant, enforcement of virtual asset activities, including DeFi services, to improve virtual asset firms’ compliance with BSA obligations. **Meanwhile, based on previous guidance, public statements, and enforcement actions, federal regulators should further engage with the industry to explain how relevant laws and regulations, including securities, commodities, and currency transmission regulations, apply to DeFi services, and take additional actions as necessary. Regulatory action and issuance of further guidance based on this engagement.

The assessment also found that there may be loopholes if DeFi services fall outside the current definition of a financial institution under the BSA, referred to in this assessment as “disintermediation,” because such DeFi services choose to implement anti-money laundering/ Reduced likelihood of counter-terrorism measures. To the extent that DeFi services fall outside the scope of the BSA, this could lead to vulnerabilities in the ability of DeFi services to identify and block illegal activities, as well as identify and report suspicious activities to law enforcement and other authorities. Globally, DeFi services that lack entities that have sufficient control or influence over the service may not be exempt from AML/CFT, according to standards set by the Financial Action Task Force (FATF), the global standard-setting body for AML/CFT The clear constraints on the obligations of doctrine, which may lead to potential divergence of DeFi services in other jurisdictions. This assessment recommends strengthening the U.S. AML/CFT regulatory regime and closing any identified loopholes in the Bank Secrecy Act that prevent certain DeFi services from being classified as financial under the Bank Secrecy Act. Defined scope of institution.

**Other identified loopholes include the failure of many other countries to implement international AML/CFT standards, which allows illicit actors to use DeFi services in jurisdictions that lack AML/CFT requirements without be punished. **In addition, the poor network security measures of DeFi services, allowing user assets to be stolen and fraudulent, also poses risks to national security, users and the virtual asset industry. The assessment recommends increased engagement with foreign partners to drive stronger implementation of international AML/CFT standards and advocates for virtual asset firms to improve cybersecurity practices to reduce these vulnerabilities.

The assessment highlights that the existing AML/CFT regulatory framework in the United States, coupled with the progressive implementation of global AML/CFT standards applicable to virtual assets, mitigates the identified vulnerabilities to a limited extent. This is partly due to DeFi services currently relying on centralized Virtual Asset Service Providers (VASPs) for fiat currency. Centralized VASPs, which in this report refer to VASPs that do not claim to be decentralized, tend to have simpler internal structures than DeFi services, are always covered by FATF standards, and are more likely to Implement anti-money laundering/anti-terrorism measures.

In addition to developing industry-driven compliance solutions for DeFi services, the ability to use public chain data can also help mitigate some illicit financial risks. However, these measures and the transparency afforded by public blockchains will not in themselves adequately address identified vulnerabilities, and blockchain analysis cannot replace the importance of applying AML/CFT controls by regulated financial intermediaries. Nonetheless, the U.S. government should also seek to further promote responsible innovation in the industry's compliance tools, an avenue that many in the private sector are already pursuing.

The assessment recognizes that the virtual asset ecosystem, including DeFi services, is changing rapidly. The U.S. Government will continue to conduct research and engage with the private sector to support an understanding of the development of the DeFi ecosystem and how these developments impact threats, vulnerabilities, and mitigations to address illicit financial risks. Finally, this assessment raises several issues that will be considered as part of the assessment's recommended actions to address illicit financial risks, including issues related to the handling of DeFi services that do not fall within the BSA's definition of a financial institution, and those that require further clarification regulatory domain.

Treasury welcomes stakeholder input on these issues.