How illicit actors are abusing DeFi services. According to the assessment, cybercriminals, ransomware attackers, thieves, scammers, and countries such as Democratic People’s Republic of Korea (DPRK) are using DeFi services to transfer and launder illicit proceeds.

Vulnerabilities unique to DeFi services. These vulnerabilities include noncompliance of many DeFi services with anti-money laundering and countering the financing of terrorism (AML/CFT) obligations.

DeFi had a total value locked (TVL) of $39.77 billion as of December 19, 2022, according to DefiLlama, the largest aggregator for DeFi. TVL represents the aggregate amount of assets currently deposited in DeFi protocols.

DeFi includes the following categories of services:

Money laundering. According to the assessment, ransomware actors, thieves, fraudsters and scammers, and drug traffickers use DeFi services to transfer and launder illicit proceeds. Examples cited in the assessment include:

Proliferation finance. According to the assessment, in response to sanctions from the US and United Nations, the DPRK committed illicit activities designed to generate revenue for its unlawful weapons of mass destruction (WMD) and ballistic missile programs. An example cited in the assessment is:

Strengthening US AML/CFT regulatory supervision to increase compliance by virtual asset firms with Bank Secrecy Act (BSA) obligations (see Practice Notes, Bank Secrecy Act: Compliance Issues and US Anti-Money Laundering and Trade Sanctions Rules for Financial Institutions).

Assess possible enhancements to the US AML/CFT DeFi regulatory regime, including closing identified gaps in the BSA that allow certain DeFi services to fall outside the scope of the BSA’s definition of financial institutions.

Continue research and private sector engagement to support understanding of developments in DeFi.

Continue collaborating with foreign partners bilaterally and multilaterally to close gaps in implementation of the international standards with regards to virtual assets and virtual asset service providers (VASPs). For example, the assessment notes that the US will press the Financial Action Task Force (FATF) for immediate implementation of FATF standards and advocate for FATF members to continue to monitor developments in DeFi (see Legal Update, FATF Targeted Update on Implementation of Standards on Virtual Assets and Virtual Asset Service Providers: June 2022).

Advocate for real time analytics, monitoring, and rigorous testing of code to more efficiently identify vulnerabilities and respond to indicators of suspicious activity, and share information with virtual asset firms and the public about potential threats and mitigation measures that firms can take to improve defenses.

Promote responsible innovation of mitigation measures.

Most money laundering, terrorist financing, and proliferation financing as measured by volume and value of transactions occurs in fiat currency.

DeFi is just one element of the virtual asset ecosystem.

What factors should be considered to determine whether a DeFi service is a financial institution under the BSA?

How can the US government encourage the adoption of measures to mitigate illicit finance risks?

The assessment finds that non-compliance by covered DeFi services with AML/CFT obligations may be partially attributable to a lack of understanding of how AML/CFT regulations apply to DeFi services. Are there additional recommendations for ways to clarify and remind DeFi services that fall under the BSA financial institution definition of their existing AML/CFT regulatory obligations?

How can the US AML/CFT regulatory framework effectively mitigate the risks of DeFi services that currently fall outside of the BSA financial institution definition?

How should AML/CFT obligations vary based on the different types of services offered by DeFi platforms?