
US Treasury issues DeFi-focused illicit finance risk assessment in response to sector growth & criminal abuse

Brett Wolf  Regulatory Intelligence

· 5 minute read


As decentralized finance becomes a more attractive venue for illicit activities and illegal scams, the US Treasury recently issued a risk assessment on this fledgling sector

The United States Treasury Department has issued a first-of-its-kind illicit finance risk assessment for the decentralized finance (DeFi) sector. Treasury’s move was prompted by the recent growth of DeFi platforms, non-compliance with U.S. anti-money laundering rules and sanctions, and the role DeFi services have played in criminal activity linked to North Korea, cybercriminals, ransomware attackers, thieves, and scammers.

“What we’ve really seen… is how quickly the DeFi space has grown over the past couple of years, and we’ve also seen the unfortunate, significant use of DeFi services in the context of large heists… as well as other forms of illicit finance,” said Brian E. Nelson, Treasury Under-Secretary for Terrorism & Financial Intelligence. His comments came during an online discussion held recently by the Association of Certified Anti-Money Laundering Specialists (ACAMS).

So-called DeFi platforms allow users to lend, borrow, and save, usually in crypto assets and stablecoins, without using banks.

“While it is true the space is relatively small and that it’s a relatively small proportion of the illicit finance we face in the United States… it is a sector that’s growing very rapidly and the risk is growing along with it,” Nelson said, adding that the use of DeFi by “serious threat actors” such as North Korea “is the reason why we believe it’s so critical to address this now.”

Message to the private sector

The private sector should use the findings of the new risk assessment to inform their own risk mitigation strategies and to take clear steps, in line with anti-money laundering and countering the financing of terrorism (AML/CFT) regulations and sanctions obligations, to prevent illicit actors from abusing DeFi services, Treasury said.

In a statement announcing the release of the 42-page risk assessment, Treasury said there was currently no generally accepted definition of DeFi, adding that the term “broadly refers to virtual asset protocols and services that purport to allow some form of automated peer-to-peer transactions, often through use of self-executing code known as ‘smart contracts’ based on blockchain technology.” Criminals can exploit vulnerabilities, including the fact that many DeFi services with AML/CFT obligations fail to implement them, Treasury said.

“Risk assessments play a foundational role in promoting understanding of the illicit finance risk environment and more effectively protecting the integrity of the U.S. financial system,” Nelson said in Treasury’s written statement. “Our assessment finds that illicit actors, including criminals, scammers, and North Korean cyber-actors are using DeFi services in the process of laundering illicit funds.”

DeFi vulnerabilities

The primary vulnerability exploited by illicit actors stems from DeFi services’ failure to comply with AML/CFT regulations and sanctions obligations, the assessment said.

Criminals use a variety of techniques and services to launder ill-gotten gains, such as trading virtual assets for less traceable alternatives, sending virtual assets through mixers, and placing virtual assets in liquidity pools as a form of layering, the statement noted. “In many cases, criminals use DeFi services for these purposes without being required to provide customer identification information,” the statement said. “This can make DeFi services more appealing to criminals than centralized (virtual asset service providers), which are more likely to implement AML/CFT measures.”

Other vulnerabilities include the potential for some DeFi services to fall outside the scope of existing AML/CFT rules, weak or non-existent AML/CFT controls for DeFi services in other jurisdictions, and poor cybersecurity controls by DeFi services, which enable the theft of funds, Treasury said.

Treasury’s risk assessment also included six recommendations for U.S. government action to mitigate the illicit finance risk associated with DeFi services. They are:

1. Strengthen U.S. AML/CFT supervision of virtual asset activities.
2. Assess possible enhancements to the U.S. AML/CFT regulatory regime as applied to DeFi services.
3. Continue research and engage with the private sector to support an understanding of developments in the DeFi ecosystem.
4. Continue to engage with foreign partners.
5. Advocate for cyber-resilience in virtual asset firms, testing of code, and robust threat information sharing.
6. Promote responsible innovation of mitigation measures.

Treasury also posed several questions and said it welcomes public input. The questions included:

• What factors should be considered to determine whether DeFi services are considered a financial institution under the Bank Secrecy Act (BSA)?
• How can the U.S. government encourage the adoption of measures to mitigate illicit finance risks… including by DeFi services that fall outside of the BSA definition of a financial institution?
• Are there additional recommendations for ways to clarify and remind DeFi services that fall under the BSA definition of a financial institution of their existing AML/CFT obligations?
• How can the U.S. AML/CFT regulatory framework effectively mitigate the risks of DeFi services that currently fall outside the BSA definition of a financial institution?
• How should AML/CFT obligations vary based on the different types of services offered by DeFi firms?