TRM Talks: Answering the Questions in Treasury's DeFi Risk Assessment

In April 2023, the US Department of the Treasury published its Illicit Finance Risk Assessment of Decentralized Finance. TRM’s Ari Redbord hosted a TRM Talks with experts on DeFi regulation, Rebecca Rettig, Chief Legal Officer at Polygon Labs; Michael Mosier, co-founder of Arktouros PLLC and former Acting Director of FinCEN; and Jai Ramaswamy, Chief Legal Officer of A16Z and former DOJ money laundering chief, to discuss questions posed in the risk assessment.

Watch the video replay to catch the full conversation and read our recap below for a quick overview of the main discussion points. 

‍US Treasury’s DeFi Risk Assessment is just a first step

The panelists welcomed Treasury’s Risk Assessment as, what Treasury’s Caroline Horres called a “discussion starter” in an earlier TRM Talks on the risk assessment. Before any rule setting occurs the risk assessment sets out, contextualizes and defines the risks around DeFi which our panelists agreed was the right approach.

Mr. Mosier praised the risk assessment’s “intellectual honesty” for framing the risks around DeFi as being of a “lower priority for industry and policymakers” than those linked to fiat currency or centralized cryptocurrency financial crime, given that it constitutes just a small proportion of the overall virtual assets market. He characterized the document as a “helpful signpost of how to prioritize addressing illicit finance risks.”

‍A key challenge facing industry is to align on a definition of “DeFi services” to determine the extent to which they fall under the current U.S. AML regime 

The risk assessment asserts that the Bank Secrecy Act (BSA) – the U.S. AML regime – applies to what it calls “DeFi services.” However, it is unclear what precisely is covered by this term, and the document itself acknowledges that sector participants conceive of DeFi in various – often inconsistent – ways. The document asks what factors should be considered to determine whether DeFi services are akin to financial institutions as defined by the BSA.

Ms. Rettig described this question as “one of the trickiest” in the risk assessment. In her view, while some “services” currently considered within the DeFi umbrella contain centralized aspects, this alone should not necessarily mean they are automatically defined as financial institutions. 

A central aspect to consider is the types of activities carried out by DeFi and whether they should all be placed in the same “financial services” bucket. For example, does being a multi-signature wallet holder really equate to the types of activities performed by securities or commodities brokers? Other relevant factors include the specific responsibilities of anybody whio could be deemed as a centralized point of contact within the software-based systems, as well as the definition of the term “financial institution,” which does not currently extend to software. According to Ms. Rettig, we should think practically about how and where regulation would attach in DeFi.

‍Existing blockchain intelligence tools work and are a vital resource in the fight against illicit finance

Deploying existing resources effectively – rather than attempting to build a new toolkit from scratch or extending the regulatory parameter – holds the key to addressing illicit finance vulnerabilities in the financial system.

Resourcing efforts should focus on where money laundering is occurring in the ecosystem, Mr. Ramaswamy continued, which means targeting on- and off-ramps, and the strategies that have already proved most successful. For example, Mr. Ramaswamy explained, “In most money laundering cases – particularly those occurring in offshore jurisdictions – prosecuting individuals is becoming increasingly difficult.” Instead, the interdiction model – disrupting illicit money flows via asset forfeiture – “has become a far more powerful tool in this ecosystem than it can be in traditional finance, because all you have to do … is identify proceeds with criminal activity.”

According to the discussion, extending the regulatory perimeter could also pose a number of legal concerns linked to data privacy and security that warrant careful attention. It will be important to balance civil liberties with the need for security as more and more people transact in an open and decentralized financial system.

‍Public-private sector collaboration is essential - both for mitigating DeFi risks beyond the reach of the BSA and for stemming broader AML/CFT non-compliance 

In terms of boosting BSA compliance in the DeFi space, Mr. Mosier emphasized that positive engagement with industry - that is, government working with and not against the DeFi sector - will be crucial. First, for seeking “natural alignment” on the extent to which DeFi falls within the BSA, and second for reminding industry players of their regulatory obligations.

In terms of broader DeFi risk mitigation, Mr. Ramaswamy highlighted that there are structures within Treasury that have been working on this area for some time - including the Office of Cybersecurity and Critical Infrastructure Protection (OCCIP). The private sector is similarly active in this space - with companies such as TRM sharing risk indicators independently of regulatory authorities. A big part of furthering Treasury’s work in this area will come from creating appropriate environments - similar to OCCIP - for information-sharing.

Mr. Ramaswamy noted that it’s possible that a Self-Regulatory Organization (SRO) model will start to emerge. An important aspect of its effectiveness hinges on cross-border information sharing, which is becoming easier with blockchain-based activity – due to the removal of much of the red tape and time constraints associated with traditional international information-sharing. Mr. Mosier pointed to Chainabuse, a community site for crowd sourced scams and fraud in crypto, as an example of industry leadership and collaboration. 

According to Ms. Rettig, industry has an opportunity to lead the way on shaping broader risk mitigation in the DeFi space, and should not be passive in waiting for legislation to emerge. 

‍The DeFi regulation debate does not stop here: other factors - including future blockchain use cases - should also be taken into consideration

The Risk Assessment poses a number of salient questions for industry to consider. Yet there are myriad other factors that should also be included in the conversation. 

For one thing, with DeFi usage still in its infancy, the exploration of its future potential could help inform the future legislative landscape, so that the regulatory environment benefits society in the long-run and does not undermine the positive future impact of DeFi. To this end, Ms. Rettig and Polygon Labs are currently exploring the value proposition for blockchains across a range of use cases - spanning finance, social media, art, sustainability initiatives and others - via TheValueProp, a database.

Other relevant considerations include the potential impact on data privacy and security, both from a potential extension of the regulatory perimeter and of increased international and public-private sector information-sharing. Despite the many benefits of the latter in the fight against illicit finance, society at large needs to think about the consequences of a “default public world” and the security pitfalls associated with offering up further cybersecurity vulnerabilities for bad state actors to exploit.

From this engaging and wide-ranging discussion, one thing is clear: Treasury’s Risk Assessment has provided rich food for thought and identified a number of focal areas for professionals to consider as the DeFi regulation debate moves forward into its next phase.