- This risk assessment explores how illicit actors are abusing what is commonly referred to as decentralized finance (DeFi) services as well as vulnerabilities unique to DeFi services.
- The findings will inform efforts to identify and address potential gaps in the United States’ anti-money laundering and countering the financing of terrorism (AML/CFT) regulatory, supervisory, and enforcement regimes for DeFi.
- There is currently no generally accepted definition of DeFi, even among industry participants, or what characteristics would make a product, service, arrangement or activity “decentralized.”
- The term broadly refers to virtual asset protocols and services that purport to allow for some form of automated peer-to-peer (P2P) transactions, often through the use of self-executing code known as “smart contracts” based on blockchain technology.
- This term is frequently used loosely in the virtual asset industry, and often refers to services that are not functionally decentralized.
- The degree to which a purported DeFi service is in reality decentralized is a matter of facts and circumstances, and this risk assessment finds that DeFi services often have a controlling organization that provides a measure of centralized administration and governance.
The assessment finds that illicit actors, including ransomware cybercriminals, thieves, scammers, and Democratic People’s Republic of Korea (DPRK) cyber actors, are using DeFi services in the process of transferring and laundering their illicit proceeds.
- To accomplish this, illicit actors are exploiting vulnerabilities in the U.S. and foreign AML/CFT regulatory, supervisory, and enforcement regimes as well as the technology underpinning DeFi services.
- In particular, this assessment finds that the most significant current illicit finance risk in this domain is from DeFi services that are not compliant with existing AML/CFT obligations.
In the United States, the Bank Secrecy Act (BSA) and related regulations impose obligations on financial institutions to assist U.S. government agencies in detecting and preventing money laundering.
- The BSA imposes such obligations on a wide range of financial institutions, and determining whether an entity, including purported DeFi services, is a covered financial institution will depend on specific facts and circumstances surrounding its financial activities.
- However, a DeFi service that functions as a financial institution as defined by the BSA, regardless of whether the service is centralized or decentralized, will be required to comply with BSA obligations, including AML/CFT obligations.
- A DeFi service’s claim that it is or plans to be “fully decentralized” does not impact its status as a financial institution under the BSA.
- Despite this, many existing DeFi services covered by the BSA fail to comply with AML/CFT obligations, a vulnerability that illicit actors exploit.
- A lack of a common understanding among industry participants of how AML/CFT obligations may apply to DeFi services exacerbates this risk.
- This assessment recommends strengthening U.S. AML/CFT supervision and, when relevant, enforcement of virtual asset activities, including DeFi services, to increase compliance by virtual asset firms with BSA obligations.
- In tandem, federal regulators should conduct further engagement with industry, in line with previous guidance, public statements, and enforcement actions, to explain how relevant laws and regulations, including securities, commodities, and money transmission regulations, apply to DeFi services, and take additional regulatory actions and publish further guidance informed by this engagement as necessary.
- The assessment also finds that to the extent a DeFi service falls outside the current definition of a financial institution under the BSA, referred to as “disintermediation” in this assessment, a vulnerability may exist due to the reduced likelihood that such DeFi services would choose to implement AML/CFT measures.
- The assessment recommends enhancing the U.S. AML/CFT regulatory regime by closing any identified gaps in the BSA to the extent that they allow certain DeFi services to fall outside of the BSA’s definition of financial institution.
- Additionally, poor cybersecurity practices by DeFi services, which enable theft and fraud of consumer assets, also present risks for national security, consumers, and the virtual asset industry.
- The ability to use data from the public blockchain in addition to the development of industry driven compliance solutions for DeFi services can also help mitigate some illicit finance risks.
- Nonetheless, the U.S. government should also seek to further promote the responsible innovation of compliance tools for the industry, an avenue many in the private sector are already pursuing.
- This assessment recognizes that the virtual asset ecosystem, including DeFi services, is changing rapidly.
- The U.S. government will continue to conduct research and engage with the private sector to support its understanding of developments in the DeFi ecosystem, and how such developments could affect the threats, vulnerabilities, and mitigation measures to address illicit finance risks.
- The Department of the Treasury (Treasury) welcomes stakeholder input on these questions.
Today the U.S. Department of the Treasury published the 2023 DeFi Illicit Finance Risk Assessment, the first illicit finance risk assessment conducted on decentralized finance (DeFi) in the world. The assessment considers risks associated with what are commonly called DeFi services. While there is currently no generally accepted definition of DeFi, the term broadly refers to virtual asset protocols and services that purport to allow some form of automated peer-to-peer transactions, often through use of self-executing code known as “smart contracts” based on blockchain technology. This term is frequently used loosely by the private sector, often for services that are not functionally decentralized.
Actors like the Democratic People’s Republic of Korea (DPRK), cybercriminals, ransomware attackers, thieves, and scammers are using DeFi services to transfer and launder their illicit proceeds. They are able to exploit vulnerabilities, including the fact that many DeFi services that have anti-money laundering and countering the financing of terrorism (AML/CFT) obligations fail to implement them.
“Risk assessments play a foundational role in promoting understanding of the illicit finance risk environment and more effectively protecting the integrity of the U.S. financial system,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Our assessment finds that illicit actors, including criminals, scammers, and North Korean cyber actors are using DeFi services in the process of laundering illicit funds. Capturing the potential benefits associated with DeFi services requires addressing these risks. The private sector should use the findings of this assessment to inform their own risk mitigation strategies and to take clear steps, in line with AML/CFT regulations and sanctions obligations, to prevent illicit actors from abusing DeFi services.”
The primary vulnerability that illicit actors exploit stems from non-compliance by DeFi services with AML/CFT and sanctions obligations. DeFi services engaged in covered activity under the Bank Secrecy Act have AML/CFT obligations regardless of whether the services claim that they currently are or plan to be decentralized. Other vulnerabilities include the potential for some DeFi services to be out of scope for existing AML/CFT obligations, weak or non-existent AML/CFT controls for DeFi services in other jurisdictions, and poor cybersecurity controls by DeFi services, which enable the theft of funds.
While risk assessments are primarily designed to identify the scope of an issue, the study also includes recommendations for U.S. government actions to mitigate the illicit finance risks associated with DeFi services. These include:
- strengthening U.S. AML/CFT regulatory supervision
- considering additional guidance for the private sector on DeFi services’ AML/CFT obligations
- assessing enhancements to address any AML/CFT regulatory gaps related to DeFi services
The DeFi risk assessment builds upon Treasury’s other recent national risk assessments and furthers the work outlined in Executive Order 14067 on “Ensuring Responsible Development of Digital Assets.” It also includes a request for input from the private sector to inform next steps; Treasury welcomes feedback about the assessment.