The US Department of the Treasury has published its first-ever analysis of the potential hazards from decentralized finance (DeFi) services, concluding that DeFi platforms that are non-compliant with anti-money laundering (AML) and counter-terrorism financing (CFT) regulations pose the most significant current illicit finance risk.
The report finds that DeFi services frequently have a governing body that exercises centralized control and oversight.
The report also warns that DeFi services frequently do not implement AML/CFT controls or other processes to identify customers, allowing instant and pseudonymous layering of proceeds. As a result, DeFi has become a hotbed for criminals, hackers, and malicious actors, including those from the Democratic People's Republic of Korea (DPRK), seeking to launder proceeds from crime.
The Treasury has recommended assessing possible enhancements to US AML/CFT requirements and DeFi service rules, as well as seeking input from the private sector to inform future action.
“Clearly, we can't do this alone,” said Brian Nelson, Treasury's undersecretary for terrorism and financial intelligence. “We call on the private sector to use the findings of the risk assessment to inform your own risk-mitigation strategies.”
The report also highlights the need to strengthen AML/CFT regulatory supervision and provide additional guidance to the private sector on compliance checks for DeFi services. It further recommends that DeFi service providers register with appropriate regulators and establish and maintain adequate AML/CFT controls to prevent criminal exploitation.
Although DeFi can pose challenges in identifying the individuals behind business activities, the report emphasized that services are subject to the Bank Secrecy Act, regardless of whether they are centralized or decentralized.
According to Nelson, some entities claiming to be fully decentralized may engage in activities more similar to traditional finance than they claim. Thus, despite their claims to the contrary, they are not truly decentralized. Nelson suggests that these entities are “decentralized in name only.”
The Market Structure
The 40-page 2023 DeFi Illicit Finance Risk Assessment report was released on Wednesday and discusses DeFi services in relation to AML/CFT regulatory obligations.
In the United States, AML/CFT obligations are determined by the activities a person engages in. Financial institutions like banks, mutual funds, broker-dealers, money services businesses (MSBs), futures commission merchants (FCMs), and introducing brokers are required to comply with AML and CFT regulations.
These obligations include implementing an effective AML program and maintaining records and reporting requirements, such as suspicious activity reporting (SAR) requirements.
The Commodity Futures Trading Commission (CFTC), Financial Crimes Enforcement Network (FinCEN), and Securities and Exchange Commission (SEC) regulate such activities, and the degree to which a person is centralized does not affect the AML/CFT obligations of financial institutions, said the report.
If a DeFi service conducts business wholly or in substantial part in the US and accepts and transmits virtual assets, it is likely to qualify as a money transmitter and be subject to the same AML/CFT obligations as a money transmitter offering services in fiat currency, it added. The report also noted that the degree of decentralization has no bearing on these obligations as long as the service meets the definition of a financial institution under the BSA or other regulatory frameworks.
The report states that while the crypto industry has claimed that there is insufficient regulatory clarity in the DeFi space, particularly concerning what qualifies as a security, which regulators to register with, and whether DeFi services meet the definition of a financial institution, CFTC, FinCEN, and SEC argue that they have provided guidance and enforcement actions over the last decade to clarify regulatory obligations. These agencies have also emphasized that the automation of certain functions through smart contracts or computer code does not affect the obligations of financial institutions offering covered services, it added.
Furthermore, DeFi services with any sort of presence in the US or led by any of its citizens must comply with economic sanctions programs administered and enforced by the Treasury's Office of Foreign Assets Control (OFAC). Non-U.S. persons, too, have OFAC sanctions compliance obligations in some circumstances. These obligations are the same regardless of whether a transaction is denominated in virtual assets or traditional fiat currency.
DeFi Services Not Functionally Decentralized
While discussing the elements of centralization in DeFi services, the report points out that the decentralization of DeFi services can be affected by governance structures, access points to the service, and the settlement layer upon which the service is built.
As such, DeFi services may claim to be fully decentralized, but in reality that is often not the case, it stated. Despite claims of complete decentralization, governance structures are often present in DeFi services, the report said, noting that in certain instances the owner or operator of a DeFi service retains an administrative key, which grants them the ability to modify or disable the service's smart contracts according to the contract's specifications.
The report further noted that governance often purports to be managed by a decentralized autonomous organization (DAO), with governance tokens allowing participants to introduce and vote on proposals that determine how a blockchain or protocol functions.
However, the process of introducing and voting on decisions, the percentage of votes that constitute passage of a decision, and how a decision is implemented vary significantly by DeFi service. Moreover, the concentration of governance tokens or voting rights could also result in a small number of persons exercising a high degree of control.
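As an added illustration of the governance-token concentration point above (this is not code from the report or from any DeFi project), the following Python computes how few of the largest holders would be needed to reach a given voting threshold. It assumes one token equals one vote and that a proposal passes once the approving share of total supply meets the threshold; the holder labels and balances are constructed sample data, not real holders.

```python
"""Added illustration (not from the Treasury report): how concentrated
governance-token holdings translate into voting control.

Assumptions: holder balances are known (e.g. from a token-balance snapshot);
one token equals one vote; a proposal passes once the approving share of the
total voting supply reaches the protocol's threshold. Labels and balances
below are constructed sample data."""
from fractions import Fraction
from typing import Dict, List, Tuple

# Constructed sample snapshot: holder label -> governance-token balance.
SAMPLE_HOLDINGS: Dict[str, int] = {
    "holder_1": 350_000,
    "holder_2": 250_000,
    "holder_3": 100_000,
    "holder_4": 100_000,
    "holder_5": 80_000,
    "holder_6": 60_000,
    "holder_7": 40_000,
    "holder_8": 20_000,
}


def controlling_coalition(holdings: Dict[str, int], threshold) -> Tuple[List[str], float]:
    """Smallest group of largest holders whose combined votes reach `threshold`
    (a fraction of total supply, e.g. 0.5 or Fraction(2, 3)).

    Returns (holder labels, share of supply they hold together). Raises
    ValueError on empty input, non-positive supply, or a threshold outside (0, 1]."""
    if not holdings:
        raise ValueError("no holdings supplied")
    thr = Fraction(str(threshold))  # str() keeps a float like 0.9 exact as 9/10
    if not 0 < thr <= 1:
        raise ValueError("threshold must be in (0, 1]")
    total = sum(holdings.values())
    if total <= 0:
        raise ValueError("total supply must be positive")
    # Greedy: the largest holders are the cheapest way to reach the threshold.
    ranked = sorted(holdings.items(), key=lambda kv: kv[1], reverse=True)
    coalition: List[str] = []
    acc = 0
    for label, balance in ranked:
        coalition.append(label)
        acc += balance
        if Fraction(acc, total) >= thr:  # exact comparison, no float rounding
            break
    return coalition, acc / total


def top_k_share(holdings: Dict[str, int], k: int) -> float:
    """Share of total voting supply held by the k largest holders."""
    total = sum(holdings.values())
    top = sorted(holdings.values(), reverse=True)[:k]
    return sum(top) / total


def governance_summary(holdings: Dict[str, int]) -> Dict[str, object]:
    """Compact risk summary: how few holders can pass a simple majority or a
    two-thirds supermajority, and how much of the supply the top three hold."""
    majority, majority_share = controlling_coalition(holdings, Fraction(1, 2))
    supermajority, super_share = controlling_coalition(holdings, Fraction(2, 3))
    return {
        "holders": len(holdings),
        "majority_coalition_size": len(majority),
        "majority_coalition_share": majority_share,
        "supermajority_coalition_size": len(supermajority),
        "supermajority_coalition_share": super_share,
        "top3_share": top_k_share(holdings, 3),
    }


if __name__ == "__main__":
    # For the sample snapshot, two holders already control a simple majority.
    for key, value in governance_summary(SAMPLE_HOLDINGS).items():
        print(f"{key}: {value}")
```

Running the script prints the summary for the sample snapshot, where two of eight holders already control a simple majority and three control a two-thirds supermajority. In practice the balances would come from a token-balance snapshot and the thresholds from the protocol's governance parameters, which, as the report notes, vary significantly by DeFi service.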
Application developers are also critical to DeFi services' usability, and information provided via applications can be integral to transactions using DeFi infrastructure. Settlement-layer blockchains can also vary in their degree of decentralization, it said.
Most blockchains on which DeFi services operate are permissionless, meaning that users require no prior approval to participate in network activities, the report reads. Some blockchains, however, are more centralized than others, and this can affect the degree of decentralization of the DeFi services built upon them, it adds.
Illicit Finance Threats
While covering illicit finance threats, the report talks about how DeFi services are vulnerable to abuse by illicit actors, including cybercriminals and fraudsters, who turn to them for laundering their illegal proceeds.
Criminals exploit cybersecurity weaknesses to compromise DeFi services and steal virtual assets, said the report, noting that North Korea, under pressure from international sanctions, increasingly steals crypto from both centralized Virtual Asset Service Providers (VASPs) and DeFi services.
Money laundering is a significant issue associated with DeFi services, and criminals use various methods and services, such as exchanging virtual assets for other virtual assets and using cross-chain bridges, mixers, and liquidity pools as a form of layering to launder their proceeds, it said.
According to the report, chain hopping is used to make it more difficult for law enforcement to trace financial transactions; mixers are used to obscure the source, destination, or amount of a transaction; and liquidity pools are used to generate funds from trading fees, creating challenges for investigators attempting to trace illicit proceeds.
These services are attractive to criminals because they are not required to provide customer identification information, making it easier for them to use the services without detection, said the report.
While discussing various types of illicit activities, it further covered ransomware attacks, which have become more severe and sophisticated in recent years. Theft is another, with cybercriminals exploiting vulnerabilities in the smart contracts governing DeFi services to steal virtual assets worth billions of dollars. Fraud and scams are also driving a sharp increase in the losses related to virtual assets reported by multiple US government agencies.
The report also discusses drug trafficking organizations growing more comfortable using virtual assets to launder funds and the DPRK's involvement in illicit crypto-related activities to generate revenue for its unlawful weapons programs.
Causes for Vulnerabilities in DeFi
The Treasury's DeFi illicit finance risk assessment identifies non-compliant DeFi services operating in the US, which do not implement AML/CFT controls or other processes to identify customers, as the source of the existing vulnerabilities in DeFi services.
Such DeFi services allow the layering of proceeds to take place instantaneously and pseudonymously, using long strings of alphanumeric characters rather than names or other personally identifying information.
DeFi services engaged in activity covered by the BSA have AML/CFT obligations, and all DeFi services subject to US jurisdiction have sanctions compliance obligations, regardless of their status as covered financial institutions, as per the report.
Disintermediation is another contributing factor, as it allows users of unhosted wallets to maintain custody of and transfer their digital assets without involving a regulated financial institution. In this case, DeFi services that fall outside the current definition of a financial institution under the BSA may not implement AML/CFT measures.
Illicit actors can also take advantage of regulatory arbitrage due to the cross-border nature and gaps in AML/CFT regimes, allowing VASPs, including certain DeFi services, to operate abroad with insufficient or no AML/CFT controls, thereby posing a threat to the US financial system, the report said.
The report highlights the need for increased regulatory oversight of DeFi services to mitigate risks with DeFi.
For mitigation measures, the report explains the regulatory frameworks at the global and domestic levels for DeFi services and explores the mitigating effects of elements specific to the virtual asset and DeFi ecosystem. The report notes that these measures may partially mitigate illicit finance risks but do not sufficiently address the identified vulnerabilities.
The US AML/CFT regulatory framework is considered a foundational mitigation measure to address illicit finance risks associated with DeFi services operating in the country. Work in international forums, particularly the FATF, can also play an essential role in developing standards and promoting the implementation of those standards to address illicit finance risks associated with DeFi services, it said.
Transactions involving DeFi services often occur on a public blockchain, and the pseudonymous transaction data is viewable and traceable on the blockchain's public ledger, which the report said can support investigations by authorities to trace the movement of illicit proceeds.
Nonetheless, the challenge of mitigating illicit financial activity in the DeFi arena should not be underestimated. While public blockchain data offers some insight, it has inherent limitations. The pseudonymous nature of these ledgers, coupled with user tactics such as mixers, cross-chain bridges, and anonymity-enhanced cryptocurrencies (AECs), can effectively obscure the trail of transactions, making tracking and tracing activity within the DeFi space increasingly complex and demanding.
The Treasury further points out that several crypto industry participants are exploring measures to increase privacy for crypto transactions, including the use of Layer 2 technology, or private blockchains, for which public ledgers won't be viewable and blockchain tracing won't be applicable.
While DeFi users may need to access centralized VASPs to exchange virtual assets for fiat currency to buy goods and services, reliance on AML/CFT programs of centralized VASPs only partially mitigates the risks related to non-compliant DeFi services, it noted.
According to the report, many centralized VASPs are themselves non-compliant with international AML/CFT standards and often based in jurisdictions with weak or non-existent AML/CFT requirements. Additionally, there are identified cases of centralized VASPs that are subject to these requirements and yet fail to implement the requisite AML programs for the services they provide.
The agency said the further adoption of virtual assets might reduce the necessity of centralized VASPs as on- and off-ramps for many transactions. While most merchants, businesses, and financial institutions do not presently accept virtual assets as a means of payment, as virtual assets become more widely accepted, their direct use as a means of payment will increase, reducing reliance on centralized VASPs, it added.
Actions Recommended to Address the Risks
The report recognizes that the DeFi space is a minor portion of the overall virtual asset ecosystem, and that illicit activities mostly occur using fiat currency or traditional assets rather than crypto. Nevertheless, the report suggests that further action is needed to address the risks associated with DeFi services.
The report recommended several actions, including strengthening US AML/CFT supervision of crypto activities. The US government should work to strengthen the existing supervisory and enforcement functions to increase compliance with AML/CFT and other regulatory requirements, including by DeFi services with BSA obligations, it said, adding that regulators should provide additional guidance to the industry to clarify how applicable regulations apply to DeFi services.
Assessing possible enhancements to the US AML/CFT regulatory regime as applied to DeFi services is another action that can be taken. The assessment also recommends enhancing the regime as applied to DeFi services by closing any identified gaps in the BSA to ensure that certain DeFi services do not fall outside the scope of its definition of financial institutions.
Moreover, the report suggests the government should continue working with foreign partners to close gaps in implementing international standards regarding virtual assets and VASPs. Additionally, the US should share the findings of this report with foreign partners and encourage them to assess risks with DeFi services and to develop and implement mitigation measures.
The US government should also continue to monitor any changes in the DeFi ecosystem that could affect illicit finance risks or the application of AML/CFT obligations to entities in the space, it said. This can be done through research and engagement with the private sector.
The report further calls for the authorities to continue to advocate for DeFi services to institute real-time analytics, monitoring, and rigorous testing of code to identify vulnerabilities and respond to suspicious activity as well as share information with virtual asset firms and the public about potential threats and mitigation measures that firms can take to improve defenses.
The US government should engage with developers to promote innovation that seeks to mitigate the illicit finance risks of DeFi services, it said, adding policymakers and regulators should also seek and assess necessary changes in regulation or guidance to support these developments.
Seeking Public Input
In conclusion, the report recommends that the US government should take several steps to address the risks associated with DeFi services, including strengthening AML/CFT supervision, enhancing the US AML/CFT regulatory regime, engaging with foreign partners, promoting cyber resilience, and responsible innovation of mitigation measures.
By implementing these recommendations, the US government can better safeguard the US financial system from illicit activities facilitated through DeFi services, said the report.
As part of the recommended actions, the Treasury also seeks public input on addressing regulatory challenges posed by DeFi services.
Questions include determining whether DeFi services fall under the BSA definition of a financial institution, encouraging risk mitigation measures for non-BSA DeFi services, and clarifying AML/CFT obligations for BSA-defined DeFi services. Varying AML/CFT obligations for different DeFi service types are also being considered.