Key Takeaways

• On April 6, 2023, the U.S. Department of the Treasury (“Treasury”) published the 2023 DeFi Illicit Finance Risk Assessment (“Assessment”),[1] which “explores how illicit actors are abusing what is commonly referred to as decentralized finance (“DeFi”) services” and related anti-money laundering and countering the financing of terrorism (“AML/CFT”) vulnerabilities unique to DeFi services.

• The Assessment makes clear that a DeFi service that functions as a financial institution as defined by the U.S. Bank Secrecy Act (“BSA”) must comply with the BSA’s AML/CFT requirements. The “degree to which a service is decentralized has no bearing on these obligations” and “the automation of certain functions through smart contracts … does not affect the obligations.”

• The Assessment provides an extensive set of definitions for various DeFi activities.[2] DeFi market actors should understand how their activities fit within these definitions, analyze the AML/CFT implications of their activity, and craft strategies to mitigate their BSA compliance risk.

• DeFi market actors should strongly consider devoting resources to building proactive AML/CFT solutions that leverage the unique characteristics of blockchain technology, such as digital identity technology to support identity verification; blockchain analytics; zero-knowledge proofs; and programmatic compliance through smart contracts.

• Specific smart contract-based solutions suggested by the Assessment include restricting transaction frequency, enforcing threshold limits for certain customer types, and leveraging oracles to screen against virtual asset wallet addresses appearing on sanctions lists and blocking sanctioned addresses.

Background and Scope

The Assessment was drafted by Treasury’s Office of Terrorist Financing and Financial Crimes (“TFFC”), in consultation with multiple U.S. agencies, including the Departments of Homeland Security, Justice, and State; the Commodity Futures Trading Commission (“CFTC”); Office of the Comptroller of the Currency; and the Securities and Exchange Commission (“SEC”). The TFFC also considered over 75 responses to Treasury’s requests for comments.

The Assessment notes that it “does not alter any existing legal obligations, issue any new regulatory interpretations, or establish any new supervisory expectations.” Importantly, the Assessment “recognizes that most money laundering, terrorist financing, and proliferation financing by volume and value of transactions occurs in fiat currency or otherwise outside the virtual asset ecosystem via more traditional methods” and notes that DeFi accounts for “only a relatively small portion of total activity in virtual asset markets.”

Key Findings

Threat actors are exploiting DeFi to launder illicit funds.

The Assessment finds that illicit actors, including ransomware cybercriminals, thieves, scammers, and Democratic People’s Republic of Korea (“DPRK”) cyber actors, are using DeFi to launder illicit funds by exploiting vulnerabilities in the U.S. and foreign AML/CFT regulatory, supervisory, and enforcement regimes as well as the technology underpinning DeFi services.

DeFi services are often centralized despite claims of decentralization.

The Assessment finds that “[f]requently, DeFi services purport to run without the support of a central company, group, or person, despite having a controlling organization that provides a measure of centralized administration or governance (e.g., through a decentralized autonomous organization [(‘DAO’)], concentrated ownership or governance rights, administrative keys, or otherwise).” According to the Assessment, in practice many DeFi services feature governance structures such as management functions, fixing problems with code, altering the functionality of smart contracts, or retaining an administrative key that enables the holder to alter or disable a DeFi service’s smart contracts.

DeFi services must comply with the BSA regardless of whether they claim to be centralized or decentralized.

The Assessment finds that a DeFi service that functions as a “financial institution” as defined by the BSA is required to comply with the BSA’s AML/CFT requirements regardless of whether the DeFi service claims that it is or plans to be “fully decentralized.” The Assessment finds that despite this, many DeFi services fail to comply with the BSA. According to the Assessment, “if a DeFi service does business wholly or in substantial part in the United States and accepts and transmits virtual assets from one person to another person or location by any means, then it most likely would qualify as a money transmitter and have the same AML/CFT obligations as a money transmitter offering services in fiat currency.”

The DeFi market requires increased oversight and guidance to drive compliance with BSA obligations.

The Assessment “recommends strengthening U.S. AML/CFT supervision and, when relevant, enforcement of virtual asset activities, including DeFi services, to increase compliance by virtual asset firms with BSA obligations.” The Assessment also recommends that federal regulators further engage with industry to explain how relevant laws and regulations apply to DeFi services and publish additional guidance.

Market Concepts[3]

DeFi’s Four “Layers”

According to the Assessment, DeFi “broadly refers to virtual asset protocols and services that purport to allow for some form of automated peer-to-peer (P2P) transactions, often through the use of self-executing code known as ‘smart contracts.’”[4] The Assessment defines four “layers” of DeFi: (1) the settlement tier, which consists of the blockchain network that supports DeFi transactions and smart contracts; (2) the asset tier, which consists of the “virtual assets (coins and tokens) utilized in a DeFi service, including native tokens”; (3) the protocol tier, which consists of the code deployed to and executed on a blockchain network, including smart contracts and auxiliary software; and (4) the application tier, which consists of “front-end user interfaces, application programming interfaces (APIs), and other code that allow participants to interact with  the smart contracts and are primarily hosted off-chain.”

Elements of DeFi Centralization

The Assessment discusses the wide range of activity on the spectrum between fully centralized and fully decentralized, depending on the governance structure, access points to the service, and the settlement layer on which the service is constructed. With respect to governance, the Assessment discusses DAOs and references the DAO Report and the CFTC enforcement action against Ooki DAO. The Assessment notes that “the use of governance tokens does not necessarily equate to decentralization … and the ownership of voting rights for many governance tokens can be highly concentrated,” resulting in a small number of persons being able to exercise a high degree of control.

Addressing the application layer of DeFi, the Assessment explains that DeFi users “usually rely on applications or websites that make interacting with DeFi services more user-friendly” and as a result application developers “can have meaningful effects on the degree to which users are able to use a DeFi service” even if they “purport not to exercise ‘control’” over the service’s smart contracts or governance structure. The Assessment also notes that in instances where DeFi users lock their funds in a smart contract, sometimes “an individual, group of individuals, or entity will retain an administrative key … to that smart contract or otherwise be able to change the smart contract and, as such, may have effective control over participant assets.” As to the settlement layer, the Assessment states that blockchains with a small number of validators or other groups who can effectively control the consensus mechanism may result in concentrated decision-making for approving transactions (e.g., which transactions to approve and in what order).

Illicit Finance Threats

The Assessment uses its DeFi service provider typologies to explain how DeFi is used to launder money derived from various criminal activities including ransomware, theft, fraud, scams, and proliferation finance. For each of these criminal activities, the Assessment provides statistics and case studies on activities such as code exploits, flash loan attacks, rug pulls, pig butchering, and darknet markets. Specific examples include a November 2022 report on ransomware and prior enforcement actions involving Mango Markets, Silk Road, Baller Ape NFTs, Frosties NFTs, Tornado Cash, and the Axie Infinity Hack.

The Assessment further explains how DEXs and Cross-Chain Bridges can be used to convert one virtual asset into another to obfuscate the transaction trail or obtain assets that are more liquid or more difficult to trace. The Assessment also cites Decentralized Mixers as a means to “obfuscate the source, destination, or amount involved in a transaction” and notes that illicit actors can store criminal proceeds in liquidity pools to generate additional funds. According to the Assessment, after using DeFi services, criminals often use centralized virtual asset service providers (“VASPs”) with weak AML/CFT controls to convert funds from virtual assets to fiat.

AML/CFT Vulnerabilities

Compliance Failures

The Assessment discusses various AML/CFT vulnerabilities in the DeFi market, including failure to comply with the BSA: “DeFi services at present often do not implement AML/CFT controls or other processes to identify customers, allowing layering of proceeds to take place instantaneously and pseudonymously.” It also notes that the lack of a clear organizational structure for DeFi services poses challenges for conducting supervision and enforcement against violations.

Disintermediation

The Assessment also cites vulnerabilities related to DeFi services that facilitate peer-to-peer transfers of virtual assets from users of “self-custodied” or “unhosted” wallets. According to the Assessment, in the event that such “disintermediated” services fall outside the current definition of a financial institution under the BSA, “a vulnerability may exist due to the reduced likelihood that such DeFi services would choose to implement AML/CFT measures like assessing illicit finance risks, establishing an AML program, or reporting suspicious activity.”

Regulatory Arbitrage and Cybersecurity Risks

The Assessment highlights the ongoing AML/CFT vulnerability involving regulatory arbitrage and notes “the lack of implementation of international AML/CFT standards by foreign countries, which enables illicit actors to use DeFi services with impunity in jurisdictions that lack AML/CFT requirements.” The Assessment also highlights the cybersecurity risks of DeFi and advocates for improved cybersecurity practices by DeFi firms. In this regard, the Assessment cites specific risks related to the public availability of source code used in DeFi services. According to the Assessment, this could lead to “widespread exploits if code reused in multiple DeFi services contains vulnerabilities.”

Recommended Actions

The Assessment makes the following recommendations:

• Strengthen U.S. AML/CFT Supervision of Virtual Asset Activities.
• Assess Possible Enhancements to the U.S. AML/CFT Regulatory Regime as Applied to DeFi.
• Continue Research and Private Sector Engagement to Support Understanding of Developments in DeFi.
• Continue to Engage with Foreign Partners.
• Advocate for Cyber Resilience in Virtual Asset Firms, Testing of Code, and Robust Threat Information Sharing.
• Promote Responsible Innovation of Mitigation Measures.

Request for Public Input

The Assessment closes by posing questions and seeking public comment on topics such as (i) what factors should be considered in determining whether a DeFi service is a “financial institution” under the BSA, (ii) how to clarify when DeFi services fall under the “financial institution” definition, (iii) how the U.S. can encourage DeFi services to adopt measures to mitigate illicit finance risks, and (iv) how DeFi services’ AML/CFT obligations should vary based on the type of service offered.

Conclusion

The Assessment signals that Treasury intends to increase its focus on the DeFi sector and expects DeFi market actors to integrate AML/CFT compliance into their services. DeFi market actors should devote significant resources to designing and implementing a proactive AML/CFT compliance strategy that leverages the unique aspects of blockchain technology and is informed by qualified AML/CFT professionals.

[View source.]