The State of (US) DeFi

Sources: [Press release] [Report]

The United States Treasury Department has released a 42-page report examining the illicit finance risks posed by decentralized finance (DeFi). The risk assessment examines how illicit actors exploit DeFi services for money laundering, ransomware schemes, theft, fraud, and other illegal activities. It also highlights the vulnerabilities in DeFi that enable these activities, such as non-compliant services, the lack of international AML/CFT standards, and cybersecurity issues. Finally, the report emphasizes the need for robust AML/CFT supervision, enhanced engagement with industry participants, and the exploration of potential regulatory enhancements to mitigate these risks.

How should the AML/CFT regulatory regime for DeFi be assessed based on the different services they offer?

The risk assessment recommends that the AML/CFT regulatory regime for DeFi be assessed based on the different services they offer because the risk of illicit activity varies depending on the type of service offered. For example, DeFi services that offer lending or trading of virtual assets are more likely to be used for money laundering than DeFi services that offer only staking or yield farming.

The assessment also finds that many DeFi services do not comply with AML/CFT regulations, which creates a significant vulnerability that can be exploited by illicit actors. The assessment recommends that the U.S. AML/CFT regulatory framework be enhanced to close any gaps that allow DeFi services to fall outside of the scope of the BSA.

What are some key factors that contribute to the vulnerabilities of DeFi services, and how can these vulnerabilities be effectively addressed?

Money Laundering

Criminals use DeFi services to exchange virtual assets for other virtual assets that are easier to use in the virtual asset industry or less traceable.

Criminals send virtual assets through mixers to obfuscate the movement of funds.

Criminals place virtual assets in liquidity pools as a form of layering.

Criminals use DeFi services to convert one virtual asset into a different virtual asset, sometimes using different DEXs to obtain better conversion rates and diversify their laundering methods.

Criminals chain-hop, exchanging virtual assets on one blockchain for virtual assets on another, which can make it more difficult for competent authorities to trace financial transactions or for service providers to detect if incoming funds are tied to illicit activity.

Theft

Cybercriminals exploit vulnerabilities in the smart contracts governing DeFi services to steal virtual assets.

DeFi services are often particularly vulnerable to large-scale thefts due to a combination of factors, including aggregation of large amounts of funds, the lack of requirements for cybersecurity and audits in the DeFi space, concentrated administrator rights, and the availability of open-source code for DeFi services’ smart contracts.

Cross-chain bridges in particular can be attractive targets for hackers because they often feature a central storage point of funds that back the bridged assets on the receiving blockchain.

DeFi services’ treasuries and liquidity pools are also common targets.

Proliferation Finance

The DPRK has resorted to illicit activities, including cyber-enabled heists from VASPs and other financial institutions, to generate revenue for its unlawful weapons of mass destruction (WMD) and ballistic missile programs.

How does the decentralized nature of DeFi services pose challenges for regulators and law enforcement agencies in identifying and addressing illicit finance risks effectively?

The decentralized nature of DeFi services poses several challenges for regulators and law enforcement agencies in identifying and addressing illicit finance risks effectively.

DeFi services are often not subject to the same regulations as traditional financial institutions, which makes it difficult for regulators to monitor their activities and enforce AML/CFT regulations.

DeFi services are often anonymous, which makes it difficult for law enforcement to track the flow of funds and identify illicit actors.

DeFi services are often located in foreign jurisdictions, which makes it difficult for regulators and law enforcement to cooperate with each other.

The lack of a common understanding of DeFi among regulators and law enforcement agencies further complicates efforts to address illicit finance risks.
