Illicit Finance Risk Assessment of Decentralized Finance

The Illicit Finance Risk Assessment of Decentralized Finance report by the U.S. Department of the Treasury examines the risks associated with decentralized finance (DeFi) services and their potential use for illicit finance activities such as money laundering, terrorism financing, and acquisition of materials for weapons of mass destruction (WMD) programs. The report identifies key factors such as non-compliant DeFi services, disintermediation, a lack of implementation of international anti-money laundering/counter-financing of terrorism (AML/CFT) standards in foreign countries, and cybersecurity weaknesses in DeFi services that continue to pose vulnerabilities that enable criminal use of DeFi services.

The report highlights the vulnerabilities and potential exploits in open-source code, which can lead to widespread exploits if code reused in multiple DeFi services contains vulnerabilities. The public availability of many DeFi services' source code also presents the opportunity for other persons to reuse the code in smart contracts for a separate DeFi service. The document emphasizes that it is critical that the DeFi service identifies and addresses vulnerabilities and potential exploits in open-source code.

Color interior.

The report recommends several actions to address these risks, including strengthening AML/CFT supervision of virtual asset activities, assessing possible enhancements to the U.S. AML/CFT regulatory regime as applied to DeFi services, continuing research and private sector engagement to support understanding of developments in the DeFi ecosystem, continuing to engage with foreign partners, advocating for cyber resilience in virtual asset firms, testing of code, and robust threat information sharing, and promoting responsible innovation of mitigation measures.

Overall, the report concludes that DeFi poses significant illicit finance risks and calls for increased regulatory oversight and collaboration between government agencies and the private sector to address these risks. The report also poses several questions for consideration, such as what factors should be considered to determine whether DeFi services are a financial institution under the Bank Secrecy Act (BSA), how can the U.S. government encourage the adoption of measures to mitigate illicit finance risks, and how should AML/CFT obligations vary based on the different types of services offered by DeFi services.