The U.S. Department of the Treasury on April 06, 2023, released a report, titled Illicit Finance Risk Assessment of Decentralized Finance (DeFi). The report indicates significant potential risks associated with decentralized finance and its adverse impact on the efforts to counter terrorist financing and money laundering activities.
The report outlines the key finding and recommendations to identify and address potential gaps and make DeFi less susceptible to exploitation by bad actors or criminals.
What is Decentralized Finance or DeFi?
DeFi does not have a generally accepted definition but it broadly refers to virtual assets and services that allow peer-to-peer transactions through self-executing code based on public blockchain technology. DeFi lacks a centralized intermediary, posing unique threats and risks in the form of illicit financial activities.
The DeFi technology is presented in four layers:
- The Settlement Tier: This tier involves the recording of transactions, wherein participants have addresses that can hold virtual assets and interact with each other.
- The Asset Tier: These are virtual assets, such as coins and tokens, in a DeFi service.
- The Protocol Tier: This tier entails code deployment and execution on a blockchain and may include smart contracts or auxiliary software.
- The Application Tier: This refers to the front-end user interface or application programming interfaces (APIs) and codes that allow users or participants to interact with smart contracts, i.e., self-executing code or programs stored on a blockchain.
Although DeFi services are an important part of the virtual asset ecosystem, they represent only a small portion of the total activity in virtual asset markets.
Illicit Finance Risk Assessment of DeFi – Key Findings of the U.S. Treasury Report
Threat actors, such as scammers, ransomware attackers, and state-sponsored and financially motivated cybercriminals, such as the North Korean cyber actors, use DeFi services to move and launder illicit proceeds.
These threat actors often take advantage and exploit vulnerabilities that stem due to non-compliance by DeFi services with sanctions and AML/CFT obligations.
Other vulnerabilities include,
- DeFi services that are out of scope for existing AML/CFT obligations
- Weak or non-existent AML/CFT controls for DeFi services in foreign jurisdictions
- Poor cybersecurity controls by DeFi services
- Lack of cybersecurity and audits in DeFi services
- Concentrated administrator rights
In the United States, the Bank Secrecy Act (BSA) obligates a wide range of financial institutions, including DeFi services, to detect and prevent money laundering and terror financing activities.
A DeFi service – centralized or decentralized – functioning as a financial institution per BSA must comply with BSA/AML/CFT obligations.
The report also recognizes that some DeFi may fall outside the BSA’s current definition of a financial institution. Referred to as ‘disintermediation’ in the assessment report, these DeFi services have a reduced likelihood of implementing AML/CFT measures, resulting in gaps in identifying and reporting suspicious activities to law enforcement and competent authorities.
Globally, according to the Financial Action Task Force (FATF)—the global standard-setting body for AML/CFT—DeFi services that lack an entity with sufficient control or influence over the service may not be explicitly subject to AML/CFT obligations, potentially leaving DeFi services with gaps in other jurisdictions.
Treasury Department Recommendations
The risk assessment report suggests recommendations to mitigate the illicit finance risks associated with DeFi services, which include:
- Reinforcing the US AML/CFT regulatory supervision
- Address AML/CFT regulatory gaps in DeFi services
- Provide additional guidance on AML/CFT obligations for the private sector on DeFi services’ AML/CFT obligations
- Increase compliance by virtual asset firms with BSA obligations
- Engage with foreign jurisdictions to incorporate FATF standards and close the FATF implementation gaps in DeFi services
- Advocate for DeFi services to implement real-time analytics, monitoring, and rigorous testing of code
Further, the Treasury Department also seeks public input on the risk assessment. It poses several questions considered part of the recommendations above for public comments, such as
- What factors should be considered to determine whether DeFi Service is a financial institution under the BSA?
- How can the U.S. AML/CFT regulatory framework effectively mitigate the risks of DeFi services that currently fall outside of the BSA definition of a financial institution?
- Are there additional recommendations for clarifying the DeFi services covered by the BSA?
- How should AML/CFT obligations vary based on the different types of DeFi services?
Meet AML/CFT Compliance with Consulting-Led Approach
Non-compliance, cybersecurity vulnerabilities, and lack of implementation of the AML/CFT standards in DeFi Services pose greater risks and vulnerabilities, enabling state-sponsored and financially motivated threat actors to transfer and launder illicit proceeds.
AML/CFT obligations include requirements to establish and implement an effective AML/CFT program and reporting, including suspicious activity reporting (SAR) requirements.
Anaptyss helps banks and other financial institutions, including DeFi services strengthen their anti-money laundering and countering finance for terrorism (AML/CFT) capabilities.
Our proprietary Digital Knowledge Operations™ (DKO™)-based approach combines domain expertise and digital solutions in a customized manner to help financial institutions fulfill AML/CFT obligations.
Interested in more specific guidance for AML/CFT Compliance?
Write to us: [email protected].