The U.S. Treasury Department has released its first DeFi risk report: what key information does it reveal?
Original Title: "Treasury Releases 2023 DeFi Illicit Finance Risk Assessment"
Source: U.S. Department of the Treasury
Compiled by: Wu Says Blockchain
The U.S. Department of the Treasury has released the 2023 DeFi Illicit Finance Risk Assessment, which is the world's first illicit finance risk assessment focused on decentralized finance (DeFi). This assessment addresses the risks associated with what is commonly referred to as DeFi services. Although there is currently no universally accepted definition of DeFi, the term generally refers to protocols and services related to virtual assets that aim to enable some form of automated peer-to-peer transactions, often using self-executing code known as "smart contracts" based on blockchain technology. This term is often loosely used by the private sector for services that are not fully decentralized.
Actors such as North Korea, cybercriminals, ransomware attackers, thieves, and fraudsters are using DeFi services to transfer and launder their illicit proceeds. They are able to exploit vulnerabilities, including the fact that many DeFi services fail to fulfill anti-money laundering and counter-terrorism financing (AML/CFT) obligations.
Brian Nelson, Deputy Secretary of the Treasury for Terrorism and Financial Intelligence, stated, "Our assessment found that illicit actors, including criminals, fraudsters, and North Korean cyber participants, are using DeFi services in the money laundering process. Addressing these risks is essential to realizing the potential benefits associated with DeFi services. The private sector should leverage the findings of this assessment to develop their own risk mitigation strategies and take clear actions in accordance with AML/CFT regulations and sanctions obligations to prevent illicit actors from abusing DeFi services."
The main vulnerabilities exploited by illicit actors stem from DeFi services' non-compliance with AML/CFT and sanctions obligations. Under the Bank Secrecy Act, DeFi services engaged in relevant activities are required to assume anti-money laundering/counter-terrorism financing obligations, regardless of whether these services claim to be currently decentralized or plan to decentralize. Other vulnerabilities include certain DeFi services potentially falling outside the scope of existing AML/CFT obligations, weak or non-existent AML/CFT controls for DeFi services in other jurisdictions, and inadequate cybersecurity controls for DeFi services.
While the primary purpose of the risk assessment is to identify the scope of the issues, the study also includes recommendations for the U.S. government to take action to mitigate illicit financial risks associated with DeFi services. These recommendations include:
● Strengthening U.S. anti-money laundering/counter-terrorism financing regulation
● Considering providing additional guidance to the private sector regarding DeFi services' AML/CFT obligations
● Assessing enhanced measures to address any AML/CFT regulatory gaps related to DeFi services
Although many services claim to be "fully decentralized," there is actually a wide range of activities between fully "centralized" and fully "decentralized" services. In practice, many DeFi services still feature governance structures (e.g., management functions, fixing code issues, or altering the functionality of smart contracts to some extent). In some cases, the owners or operators of DeFi services may retain a management key, which could allow the holder to change or disable the smart contracts of the DeFi service. In other cases, governance is claimed to be managed by a DAO, which can be described as a governance system designed to operate partially according to a set of encoded and transparent rules or smart contracts. In many cases, even if the governance structure claims to be decentralized, a small number of individuals can exercise a high degree of control.
Regulators have filed lawsuits against DeFi services operating in the U.S. that are not registered with appropriate regulatory agencies and have not implemented necessary AML/CFT programs for their services.
In some cases, the lack of a clear organizational structure may make it difficult to identify any individuals, groups, or entities operating DeFi services, whether because such individuals do not exist or due to decentralized, poor, or deliberately confusing organization. This poses significant challenges for regulating DeFi services that fail to fulfill AML/CFT obligations and for enforcement when appropriate.
Many DeFi services claim to allow the public to view their code, which can enhance transparency and user confidence in the services and enable viewers to identify opportunities for code improvements. However, this also provides opportunities for cybercriminals to review the code and identify potential vulnerabilities for theft or other abuses. If smart contracts are not carefully written or lack mechanisms for rapid shutdown or modification, this vulnerability may become more complex.
The U.S. AML/CFT regulatory framework is a fundamental mitigation measure aimed at addressing illicit financial risks associated with DeFi services operating in the U.S. Additionally, work in international forums (especially the FATF) can play an important role in setting standards and promoting the implementation of these standards to address illicit financial risks related to DeFi services.
DeFi services often have a central party involved in or controlling them, such as creating and launching virtual assets, developing service functionalities and user interfaces for accounts holding "keys," or charging fees. In such cases, DeFi services may fall under the FATF's definition of VASP and thus have AML/CFT obligations.
Some entities are developing AML/CFT and sanctions compliance solutions for DeFi services or other tools that can be used to mitigate illicit financial risks associated with DeFi. This technological innovation may enhance the accessibility, transparency, and security of the U.S. financial system, but most tools are still in the early stages, making it difficult to draw definitive conclusions about their promise. The Treasury is working to enhance the overall effectiveness of the AML/CFT regulatory framework and sanctions compliance programs in the virtual asset space and will collaborate with the private sector to support responsible innovation in the DeFi space. The U.S. government should work with developers, including through tech sprints and potential R&D funding, to promote innovations aimed at mitigating illicit financial risks associated with DeFi services. Policymakers and regulators should also seek and evaluate necessary changes in regulation or guidance to support these developments.
This report acknowledges that illicit activities are a subset of the overall activities in the DeFi space, which currently remains a small part of the entire virtual asset ecosystem. Furthermore, money laundering, (illicit weapons) proliferation financing, and terrorism financing most commonly occur using fiat currency or other traditional assets rather than virtual assets.