AML RISKS RELATED TO DECENTRALIZED FINANCE: WHAT NEEDS TO BE DONE?

Decentralized Finance (DeFi) – virtual asset protocols and services that allow some form of automated peer-to-peer transactions – is a growing financial tool globally, although it still constitutes only a relatively small portion of total activity in the virtual asset markets. A key concern regarding DeFi is, of course, that cybercriminals, ransomware attackers, scammers, and other bad actors are using its services to launder their illicit proceeds.?

In early April, the U.S. Treasury Department issued a 40-page DeFi Illicit Finance Risk Assessment, touted as the first such risk assessment conducted on DeFi in the world. Treasury found that the primary vulnerability that illicit actors exploit stems from non-compliance by DeFi services with?AML/CFT and sanctions obligations: “DeFi services at present often do not implement AML/CFT controls or other processes to identify customers, allowing layering of proceeds to take place instantaneously and pseudonymously.” Other vulnerabilities identified by the Treasury Department include the potential for some DeFi services to be out of scope for existing?AML/CFT obligations, weak or non-existent?AML/CFT controls for DeFi services in other jurisdictions, and poor cybersecurity controls by DeFi services, which enable the theft of funds.

????????????The Assessment presents typologies to explain how DeFi is used to launder money derived from various criminal activities. For each of these criminal activities, the Assessment provides statistics and case studies on activities such as “code exploits,” “flash loan attacks,” “rug pulls,” “pig butchering,” and “darknet markets.” The Assessment explains how?one virtual asset can be converted into another to obfuscate the transaction trail or obtain assets that are more liquid or more difficult to trace. The Assessment also cites?“decentralized mixers”?as a means to “obfuscate the source, destination, or amount involved in a transaction” and notes that illicit actors can store criminal proceeds in liquidity pools to generate additional funds. According to the Assessment, after using DeFi services, criminals often use centralized virtual asset service providers with weak AML/CFT controls to convert funds from virtual assets to fiat. While the report insists that financial activity carried out over DeFi can be covered by the AML/CFT regime regardless of the degree of decentralization, it acknowledges that the lack of a?central financial entity can pose challenges to the application of existing AML/CFT frameworks.

The Assessment is a clear signal that the Treasury Department intends to increase its focus on the DeFi sector and expects DeFi market actors to integrate AML/CFT compliance into their services. “Clearly, we can't do this alone,” said Brian Nelson, Treasury’s undersecretary for terrorism and financial intelligence, after the Assessment was issued. “We call on the private sector to use the findings of the risk assessment to inform your own risk-mitigation strategies.”

The bottom line is that the Treasury Department has made clear that a DeFi service that functions as a financial institution as defined by the BSA must comply with the BSA’s AML/CFT requirements, regardless of whether or not the service claims that it’s decentralized. (The degree to which a purported DeFi service is really decentralized is a matter of facts and circumstances.) The Assessment provides an extensive set of definitions for various DeFi activities, and?DeFi market actors should understand how their activities fit within these definitions, analyze the AML/CFT implications of their activity, and craft strategies to mitigate their BSA compliance risk. Among other things, proactive AML/CFT solutions might leverage the unique characteristics of blockchain technology, such as digital identity technology, to support identity verification and other facets of KYC and AML.?