Unpacking Treasury’s DeFi Risk Assessment

Today, the United States Treasury Department released its Illicit Finance Risk Assessment of Decentralized Finance (the “assessment”). 

The assessment comes as a response to the September 2022 White House framework for digital assets, which specifically asked Treasury to provide a risk assessment for DeFi. The assessment attempts to define DeFi — a term that, according to Treasury, is “often used loosely in the virtual asset industry” — and enumerates a number of illicit finance risks.

Most notably, however, Treasury opines that DeFi activities could fall under the Bank Secrecy Act’s (BSA) onerous anti-money laundering (AML) obligations. This is the first time we have seen this strong of a view from the U.S. government. Finally, the assessment seeks industry engagement on what compliance could look like in a decentralized space, particularly on how to encourage DeFi services to implement some form of AML controls.  

The assessment is the most comprehensive discussion of DeFi to date by the U.S. government, and  advances the view that even truly (and somewhat) decentralized services should implement AML compliance. Actively implementing traditional AML compliance is, in some respects, at odds with the potential of DeFi – that is, the reliance on disintermediated software rather than teams of compliance officers.

Here are some key takeaways from the assessment:

Definitions matter

In the DeFi space, there has been much discussion of definitions. This is because there are several flavors of decentralized finance. 

In the Financial Action Task Force’s (FATF) October 2021 guidance, the global AML standard setter proposed an “owner/operator” test which holds that "creators, owners and operators… who maintain control or influence," may be a virtual asset service provider beholden to AML obligations, even if the project may seem decentralized. FATF, in the first discussion of DeFi and AML, asserted that indicia of control include exerting control over the project or maintaining an ongoing relationship with users. 

Treasury takes a page from FATF, stating that, “There is currently no generally accepted definition of DeFi, even among industry participants, or what characteristics would make a product, service, arrangement or activity ‘decentralized.’” Treasury explains that the term is used broadly to refer to protocols and services that enable peer-to-peer transactions through the use of self-executing software. Treasury, like FATF, attempts to distinguish between actually decentralized software and entities that simply call themselves DeFi yet have centralized attributes.

While the assessment spends some time on definitions, it does not land on one. Whether or not a service is decentralized, or “DeFi-in-name-only,” remains a case-by-case review. This case-by-case review will become very important when it may determine a regulatory obligation.

The big story: Certain DeFi services could have AML obligations under the BSA

The report notes that AML obligations in the U.S. are activity-based, and asserts that the BSA requires entities acting like financial institutions to “establish and implement an effective anti-money laundering program,” and comply with OFAC sanctions. Treasury asserts that “[w]hile the degree to which a person is centralized could impact the service it provides, persons engaging in the activities of financial institutions as defined by the BSA, regardless of whether they are centralized or decentralized, will have these obligations.” 

The aforementioned point is critically important, as it will arguably drop DeFi services, based wholly on software, in the same bucket as large financial institutions with compliance teams and other resources necessary to implement AML obligations.

“For example, if a DeFi service does business wholly or in substantial part in the United States and accepts and transmits virtual assets from one person to another person or location by any means, then it most likely would qualify as a money transmitter and have the same AML/CFT obligations as a money transmitter offering services in fiat currency. The degree to which a service is decentralized has no bearing on these obligations so long as the service meets this definition.”

Criminals still need off ramps

The assessment enumerates a number of illicit finance risks within the DeFi ecosystem. Those risks are essentially the same as those within the centralized crypto space. The report calls out money laundering, ransomware, theft, such as flash loans and hacks, and scams such as pig butchering.

In terms of money laundering, the assessment discusses the use of “DeFi services” such as cross chain bridges, Decentralized Exchanges (DEXs), mixers and liquidity pools to launder funds. In other words, the assessment asserts that DeFi is being used for layering of illicit funds in the money laundering process. The report does, however, acknowledge – consistent with what we see on-chain – that illicit actors rely on centralized exchanges to exit funds and convert to more usable fiat currencies. In other words, “all roads lead to VASPs” for money laundering. Centralized VASPs are required to have AML controls, and, those that don’t, and the countries that house them, are the target of regulators and international standard setters.

One notable vulnerability in DeFi highlighted by the report is the proliferation of hacks and theft on the DeFi ecosystem. According to TRM 2022 was a record year for hacks with about $3.7 billion in stolen funds. Attacks against DeFi projects were particularly common, with approximately 80 percent of all stolen funds, or $3 billion, involving DeFi victims. Cross chain bridge hacks were 15x larger than other exploits. However, we have also seen blockchain intelligence tools, and incident response efforts, become more sophisticated for tracing and tracking the funds stolen from the DeFi ecosystem.

Check out this TRM Talks on cross-chain tracing and following the funds in DeFi related exploits.

There are ways to mitigate the risks

While the focus is on risks, the assessment does spend significant time on ways to mitigate those risks, including the use of current AML regulatory frameworks like the BSA and the global implementation of FATF standards. While the report points out that public blockchains allow for greater transparency and thus the use of blockchain intelligence for financial crime investigations, Treasury asserts that investigations are limited by the pseudonymity of wallets and transactions making it difficult to connect them to real world entities. While Treasury argues that this is compounded by the use of mixers and anonymity enhancing cryptocurrencies, blockchain intelligence tools like TRM continue to evolve with these emerging technologies. 

Treasury points to potential technology solutions for risk mitigation including blockchain intelligence tools, digital identity and zero knowledge proofs with “[m]any potential solutions designed to support various elements of compliance with AML/CFT obligations while maximizing user privacy, including through digital identity technology to support identity verification by DeFi services that can be informed by a user’s transaction history on the public blockchain.”

Treasury calls for a collaborative effort

While most of the report lays out risks and vulnerabilities, the final few pages call on the U.S. government to work with industry to “further explain how applicable regulations apply to DeFi services,” and issue additional guidance based on feedback. Treasury also calls for continued research of what, it acknowledges, is an evolving technology, private sector engagement, and a focus on cyber resilience for the DeFi sector. In addition, Treasury calls on the U.S. government to engage with private sector entities building tools in an effort to promote innovative solutions. 

The recommendations of the report are summarized as: 

• Strengthen U.S. AML/CFT Supervision of Virtual Asset Activities
• Assess Possible Enhancements to the U.S. AML/CFT Regulatory Regime as Applied to DeFi Services
• Continue Research, Private Sector Engagement to Support Understanding of Developments in DeFi Ecosystem
• Continue to Engage with Foreign Partners
• Advocate for Cyber Resilience in Virtual Asset Firms, Testing of Code, and Robust Threat Information Sharing
• Promote Responsible Innovation of Mitigation Measures

Conclusion

While Treasury makes clear that the risk assessment does not “establish new supervisory expectations,” it provides a detailed window into how Treasury views the role of AML obligations in the DeFi ecosystem and previews a broader global discussion on who and how to regulate in a truly decentralized space.

The  risk assessment, indeed does what it set out to do – that is, assess risk. But it is also important to acknowledge the opportunities that DeFi holds both for finance but also for tackling financial crime. These were highlighted by TRM’s Ari Redbord in his opening remarks of the recent CFTC Technology Advisory Committee (TAC) meeting here. In short, as Ari explained, “DeFi enables an ecosystem of peer-to-peer financial services untethered from many of the issues that plague our current system. Peer-to-Peer cross border value transfer at the speed of the internet. That is the promise.” Blockchain technology, as acknowledged by the report, also has the power to improve the effectiveness of financial crime compliance as regulators now have the ability to view financial transactions in real time on an immutable ledger.

For much more on DeFi check out TRM’s Ari Redbord’s statement at the CFTC’s Technology Advisory Committee (TAC) meeting here and TRM Talks DeFi Roundtable here.

Learn more

TRM's Ari Redbord sits down with US Treasury's Caroline Horres to discuss the risk assessment and how Treasury views the emerging technology- register here.