DeFi services and illicit finance

7 takeaways from a new assessment

Tom Lazard, Claire Carlton, Alex Rubin | 6/7/2023

A new Treasury assessment highlights the risks and vulnerabilities associated with DeFi services.

On April 6, 2023, the U.S. Department of the Treasury (Treasury) published a new risk assessment, “Illicit Finance Risk Assessment of Decentralized Finance,” which outlines risks associated with decentralized finance (DeFi). DeFi services use blockchain technology to facilitate financial services without the need for intermediaries, resulting in innovative means for individuals to transact with one another.

The assessment analyzes the risks and vulnerabilities associated with DeFi services and addresses how illicit actors are attempting to exploit the regulatory gaps, governance structures, and noncompliance of these services through means of money laundering, fraud, theft, and more. Following are key takeaways from the assessment.

No new or updated legal obligations

Treasury’s assessment does not propose new standards or regulatory frameworks, and it does not presume what regulation will or should be. Instead, it serves as a commentary on the existing risks associated with DeFi services.

The determination of whether a particular entity offering DeFi services is subject to the purview of the Bank Secrecy Act (BSA), the Securities Exchange Act, and the Commodity Exchange Act is dependent on the specific facts and circumstances applicable to the particular entity and service. However, the assessment does not explicitly comment on what facts and circumstances specific to DeFi services and entities fall under existing BSA, securities, and commodities obligations. While the assessment does not outline new or updated legal obligations, it does encourage lawmakers and regulators to close gaps and vulnerabilities in existing regulatory frameworks.

A small percentage of overall virtual asset activity

The assessment states that transactional activity via DeFi is a small share of total virtual asset activity. The most prominent DeFi services are decentralized exchanges (DEXs) that facilitate the trading of virtual assets. While thousands of DeFi protocols and entities are available, user activity is concentrated among a small group of these players (Uniswap, Curve, MakerDAO, and Lido).

According to the assessment, the 24-hour volume of total virtual asset activity in early January 2023 was $29.7 billion, with DEXs accounting for only 3% (~$891 million) of the volume. As of June 5, 2023, the top three DEXs on the Ethereum network (Uniswap, Curve, and Dodo) dominate their market, with nearly $1.36 billion in 24-hour trading volume, while the next 30 DEXs account for about $43 million. To put this into perspective, centralized exchanges (CEXs), including OKX, Coinbase, and Bybit, accounted for a 24-hour trading volume of $58.2 billion. In aggregate, the 24-hour trading volume on CEXs ($58.2 billion) dwarfs that of DEXs ($2.58 billion) nearly 23 times over. While illicit finance risks are present in DeFi markets, it is worthwhile to consider the breadth of overall virtual asset activity and the prevalence and concentration of such risks in DeFi markets compared to the virtual asset market.

No regulatory definition

The term “decentralized finance” encompasses virtual asset services that facilitate peer-to-peer transactions without the reliance on intermediaries and often through the means of automated code execution. The assessment notes that the degree of centralization does not automatically exclude DeFi from BSA requirements, as the requirements are based on the services that are provided.

Virtual asset enthusiasts often claim that there is a lack of clarity surrounding the definition of a DeFi protocol and its requirements to follow the BSA. The lack of a precise definition for “decentralized finance” affects the ability of regulators to close gaps in existing regulatory frameworks and the ability of market participants to understand and follow regulatory requirements specific to their operations.

DeFi governance perhaps more centralized than assumed

A common theme throughout the assessment is that DeFi services often are presented as operating without centralized governance structures. The assessment stresses that decentralized autonomous organizations (DAOs) are frequently used to govern and manage DeFi protocols in a decentralized and transparent manner. However, in practice, governance of DeFi services through DAOs might be more centralized than some might assume.

DAOs operate through self-executing code (smart contracts) and represent ownership and voting rights through tradable governance tokens, which can concentrate power in the hands of a limited number of members. This arrangement can lead to skewed voting based on limited representation, compromising the decentralization of the organization. The assessment raises concerns about the potential centralization of DeFi governance, despite claims to the contrary.

Variable risk based on VASP

The assessment focuses on the illicit finance risks presented by the decentralization of traditional financial entities and activities – particularly certain virtual asset service providers (VASPs) with weak anti-money laundering (AML) and combating the financing of terrorism (CFT) programs. It states that “the most significant illicit financing risk associated with virtual assets stemmed from VASPs operating abroad with substantially deficient AML/CFT programs, particularly in jurisdictions where AML/CFT standards for virtual assets are nonexistent or not effectively implemented.”

The assessment further highlights that criminals use DeFi services to layer funds and then exchange them for fiat currency using centralized VASPs. However, weak AML and CFT programs make it difficult for VASPs to trace funds and determine their source. Because DeFi participants need centralized VASPs to enter the financial system, VASPs operating in jurisdictions with weak AML and CFT regulations represent a significant vulnerability for illicit finance in this area.

A focus on activities instead of decentralization

The assessment notes that the nature of the activities undertaken by an entity is a prominent factor in determining the applicability of obligations set forth by regulatory agencies. It also explains that the Commodity Futures Trading Commission, the Securities and Exchange Commission, and the Financial Crimes Enforcement Network have clarified that obligations for financial services organizations that offer covered services are not affected by the degree of decentralization or automation. Despite existing frameworks, Treasury recognizes that vulnerabilities exist regarding DeFi services, and it urges the federal government to strengthen existing supervisory and enforcement functions to foster compliance with BSA and other regulatory requirements.

Mitigating the risks of DeFi services

DeFi services have affected and will continue to affect the financial services industry by removing the need for intermediaries. While these services offer the opportunity for financial innovation, safe and sound growth relies on regulators’ and lawmakers’ abilities to address key gaps and vulnerabilities in existing regulatory frameworks.

Treasury’s assessment highlights the risks associated with DeFi services and how illicit actors are exploiting these services. While the assessment does not lay out new or updated regulatory obligations, it does encourage the federal government to enhance its supervisors’ current knowledge and enforcement mechanisms to close gaps in existing regulatory frameworks and promote adherence to regulatory obligations. Though the future of DeFi services remains uncertain, the extent of their impact on the financial services industry hinges on proper regulatory oversight and market participation.