The US Government is attempting to mitigate the illicit finance risks associated with decentralised finance (DeFi) services through a world-first risk assessment addressing North Korean cyber criminals, among others.
The US Department of the Treasury has considered the multitude of risks associated with DeFi services through the publication of its latest 2023 DeFi Illicit Finance Risk Assessment.
While it’s difficult to pinpoint one generally accepted definition of DeFi, the assessment recognises how the term broadly refers to virtual asset protocols and services that purport to allow some form of automated peer-to-peer transactions.
This ability is often supported by the use of self-executing code known as ‘smart contracts’, which are based on blockchain technology. Additionally, this term is frequently used loosely by the private sector, often for services that are not functionally decentralised.
Exploiting points of weakness
Above all, the US Department of the Treasury is confirming its rising concerns around the use of DeFi services within illicit activities with the publication of its latest assessment.
More specifically, it underlines how bad actors, including those from the Democratic People’s Republic of Korea (DPRK), cybercriminals, ransomware attackers, thieves and scammers, are exploiting cracks in the system as a new way to engage in money laundering.
The assessment notes that this group is increasingly able to exploit current vulnerabilities because many DeFi services are failing to implement anti-money laundering (AML) obligations.
“Risk assessments play a foundational role in promoting understanding of the illicit finance risk environment and more effectively protecting the integrity of the US financial system,” comments Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson.
“Our assessment finds that illicit actors, including criminals, scammers and North Korean cyber actors are using DeFi services in the process of laundering illicit funds. Capturing the potential benefits associated with DeFi services requires addressing these risks,” continues Nelson.
“The private sector should use the findings of this assessment to inform their own risk mitigation strategies and to take clear steps, in line with AML regulations and sanctions obligations, to prevent illicit actors from abusing DeFi services.”
The cost of non-compliance
The primary vulnerability that illicit actors exploit stems from non-compliance by DeFi services with AML and Combating the Financing of Terrorism (CFT) obligations. DeFi services engaged in covered activity under the Bank Secrecy Act have AML/CFT obligations regardless of whether the services claim that they currently are or plan to be decentralised.
In addition to this, other vulnerabilities include the potential for some DeFi services to be out of scope for existing AML/CFT obligations, weak or non-existent AML/CFT controls for DeFi services in other jurisdictions, and poor cybersecurity controls by DeFi services, which enable the theft of funds.
While risk assessments are primarily designed to identify the scope of an issue, the study also includes recommendations for US government actions to mitigate the illicit finance risks associated with DeFi services. These include:
- Strengthening US AML/CFT regulatory supervision
- Considering additional guidance for the private sector on DeFi services’ AML/CFT obligations
- Assessing enhancements to address any AML/CFT regulatory gaps related to DeFi services
The DeFi risk assessment builds upon Treasury’s other recent national risk assessments and furthers the work outlined in Executive Order 14067 on ‘ensuring responsible development of digital assets’. It also includes a request for input from the private sector to inform the next steps.