The US Department of the Treasury has released an Illicit Finance Risk Assessment of Decentralized Finance, which indicates that the Treasury Department sees significant risks associated with decentralized finance (DeFi) services and the potential impact on efforts to combat money laundering and terrorist financing.
Bank Secrecy Act compliance program requirements
The Bank Secrecy Act (BSA) imposes anti-money laundering (AML) and countering the financing of terrorism (CFT) obligations on “financial institutions,” such as banks, broker-dealers, and money services businesses (MSBs). MSBs include companies that provide money transmission services, which is a broad category encompassing significant amounts of fintech and virtual currency activity. Since 2013, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), which implements the BSA, has interpreted the MSB designation to apply to activities involving accepting, transmitting, exchanging and issuing virtual currencies. A covered financial institution subject to AML/CFT compliance program obligations must establish and implement an effective AML program and address record-keeping and reporting requirements, including requirements to file suspicious activity reports (SARs). Additionally, financial institutions that are MSBs are required to register with FinCEN.
Application of BSA requirements to DeFi services
The risk assessment indicates that the Treasury Department sees decentralization as generally immaterial to the analysis of whether activity is subject to the BSA. The report affirms that obligations for financial institutions under the BSA apply to DeFi services if those services involve the activities of financial institutions as defined by the BSA. For example, according to the risk assessment, if a DeFi service accepts and transmits virtual assets from one person to another person or location by any means, then it most likely would qualify as a money transmitter (and therefore an MSB) and be subject to the same AML/CFT compliance program obligations as a money transmitter offering services in fiat currency.
On the other hand, the report recognizes that some DeFi services may fall outside the BSA definition of a financial institution, such as (depending on the specific facts and circumstances) some services that enable users who self-custody assets to interface with software that processes transactions automatically. The Treasury Department appears skeptical of such services, noting that many DeFi services “claim to be disintermediated by enabling automated P2P [peer-to-peer] transactions without the need for an account or custodial relationship.” Furthermore, the risk assessment describes how DeFi services that fall outside the scope of the BSA could potentially “result in gaps in suspicious activity reporting and limit authorities’ collection of and access to information critical to supporting financial investigations.”
The report notes that the term “DeFi” has no generally accepted definition but “broadly refers to virtual asset protocols and services that purport to allow for some form of automated P2P transactions, often through the use of self-executing code known as smart contracts based on blockchain technology.” However, the Treasury Department cautions, “[t]he degree to which a purported DeFi service is in reality decentralized is a matter of facts and circumstances, and this risk assessment finds that DeFi services often have a controlling organization that provides a measure of centralized administration and governance.” And, in any event, a “DeFi service that functions as a financial institution as defined by the BSA, regardless of whether the service is centralized [or] decentralized, will be required to comply with BSA obligations, including AML/CFT obligations.” That means that if the service meets the applicable definition of a financial institution (e.g., an MSB or a broker-dealer), its decentralization “has no bearing” on whether the obligations apply.
Key risk assessment findings
The report asserts that bad actors are using DeFi services to transfer and launder their illicit proceeds, largely by capitalizing on vulnerabilities stemming from the lack of AML/CFT controls for DeFi services and lack of compliance with BSA obligations. The Treasury Department identified several vulnerabilities that bad actors capitalize on, including:
- Lack of compliance with AML/CFT obligations.
- Lack of coverage of certain DeFi services by existing AML/CFT requirements.
- Less rigorous or non-existent AML/CFT controls in foreign jurisdictions.
- Poor cybersecurity controls by DeFi services.
The risk assessment suggests that such vulnerabilities may stem in part from the fact that industry participants may not fully understand how AML/CFT obligations apply to DeFi services. However, the report also notes that in other instances, participants may expressly seek to decentralize a service in an effort to avoid AML/CFT obligations that in fact do apply to such covered services. Additionally, the Treasury Department notes the supervisory challenges inherent to DeFi services because some are “developed with opaque organization structure.”
Treasury Department recommendations and request for public comment
The report includes recommendations for US government actions to mitigate the illicit finance risks associated with DeFi services, including:
- Strengthening AML/CFT regulatory supervision.
- Assessing enhancements to the AML/CFT regulatory regime to address gaps.
- Providing additional guidance for the private sector on DeFi services’ AML/CFT obligations, as well as coordinating with industry on threat mitigation and information sharing.
- Engaging with foreign jurisdictions to implement the latest global Financial Action Task Force (FATF) standards and to close gaps in FATF implementation governing DeFi.
The Treasury Department also seeks public input on the risk assessment, and it poses several questions for comment, including what factors should be considered to determine whether DeFi services are a financial institution under the BSA, as well as recommendations for clarifying the DeFi services covered by the BSA and how AML/CFT obligations should vary based on the different types of DeFi services.