Managing Financial Crime Risk in the “Wild West” - Volume III

Treasury Releases 2023 DeFi Illicit Finance Risk Assessment

By Alma Angotti, Gregory Schwarz

On April 6, 2023, the U.S. Department of the Treasury released its Illicit Finance Risk Assessment of Decentralized Finance report (Treasury’s Report or Report). Treasury’s Report provides additional information and re-emphasizes existing guidance around Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) regulatory obligations related to Decentralized Finance (DeFi) and Treasury’s view of this rapidly evolving ecosystem. This tracks with Guidehouse’s previous Insights from October 2021 and September 2022, indicating DeFi services would likely undergo more intense regulatory scrutiny. Treasury’s Report touches on many important topics; however, its overarching theme is that those DeFi services that try to avoid AML/CFT obligations, claiming to be fully decentralized, will likely find themselves in regulatory crosshairs.


DeFi Services will have Difficulty Escaping BSA Obligations

Treasury’s Report outlines numerous AML/CFT risks facing the DeFi ecosystem, ranging from theft to ransomware to proliferation financing. While it notes that traditional financial institutions remain the preferred channels for illicit finance, Treasury acknowledges the growing role that cryptocurrencies and DeFi play. Underlying each of these threats is an overarching theme: AML/CFT programs are instrumental in mitigating these risks.

Importantly, Treasury sees most, if not all, DeFi services as qualified “financial institutions” under the Bank Secrecy Act (BSA), whether as money services businesses, futures commission merchants, broker-dealers, or other covered financial institutions. The Report contests industry claims of regulatory uncertainty, noting years of guidance and enforcement actions from the Commodity Futures Trading Commission (CFTC), Securities and Exchange Commission (SEC), and Financial Crimes Enforcement Network (FinCEN) regarding DeFi and allegedly noncompliant services. Specifically, Treasury’s Report notes: “[T]he automation of certain functions through smart contracts or computer code does not affect the obligations of financial institutions offering covered services.” The Report also notes the requirement of all U.S. persons, regardless of whether they are financial institutions, to comply with Office of Foreign Assets Control (OFAC) sanctions. The Report specifically cites several classes of DeFi services, including decentralized exchanges, lending protocols, mixers, and cross-chain bridges, as likely having AML/CFT obligations under the BSA.


Who is Responsible?

This leads to the question: If DeFi services are responsible for implementing AML/CFT programs under the BSA, which actors are responsible for ensuring the program exists and operates effectively? Perhaps more importantly, who could be subject to regulatory enforcement actions if a program is not in place?

As Guidehouse previously contended in its September 2022 piece, Managing Financial Crime Risk in the “Wild West”, three parties that could face AML/CFT responsibilities include: (1) developers; (2) material governance token holders; and (3) material liquidity pool “stakers.” This position is largely supported by Treasury, with particular attention being paid to developers and governance token holders (who, due to the nature of many DeFi services, often have significant overlap). Guidehouse also notes that this obligation will apply to those DeFi services that operate in whole or in part within the U.S., whether or not any of those three parties are U.S. citizens or foreign nationals.

DeFi Services are not Truly Decentralized
A key aspect of placing the regulatory onus on developers and governance token holders lies in the degree of true decentralization present in any particular DeFi service. While this degree of decentralization is always a matter of facts and circumstances, Treasury notes that, for a variety of reasons, many (if not all) DeFi services are less decentralized than claimed.

Decentralized Autonomous Organizations Maintain a Degree of Centralization
Treasury cites governance structure as a key factor in determining the degree of decentralization, stating that while a DeFi service may claim to be decentralized and controlled by an organization such as a Decentralized Autonomous Organization (DAO), “In practice, however, many DeFi services continue to feature governance structures (e.g., management functions, fixing problems with the code, or altering the functionality of the smart contracts to some degree).” This clearly indicates that a core team of managers/developers could be responsible for implementing an AML/CFT program. In addition, the Report notes that even if a DAO has control of a DeFi protocol, there are often elements of centralization. This centralization can stem from various sources, such as large concentrations of governance tokens being held by a few individuals and from DAOs that appoint leaders to help make decisions.

Case Study 1: “The DAO”
Treasury cites the example of a group called “The DAO,” which chose a leadership team, called “Curators,” who reviewed governance proposals prior to voting by governance token holders. The SEC determined that because of this and other factors, The DAO was an issuer of securities and therefore would have AML/CFT obligations. 

Case Study 2: “Ooki DAO”
The Report also notes that DeFi services often start as centralized, with the goal of becoming more decentralized over time. Treasury argues that even if a centralized financial institution becomes decentralized, its AML/CFT obligations do not change. Treasury cites the case of Ooki DAO, which formed a DAO to insulate it from accountability for compliance with U.S. law. The CFTC’s enforcement action against Ooki DAO’s developers and governance token holders indicates that the U.S. government does not view DAOs as insulated from AML/CFT obligations.


Is True Decentralization Possible?

Treasury indicates that a DeFi service could fall outside of the BSA definition of a financial institution if the service meets several requirements, such as the DeFi service not acting as an intermediary and its users maintaining custody of their own assets. This standard, referred to as “disintermediation,” is a matter of facts and circumstances, and the report does not offer any specific guidance on what steps can be taken to achieve disintermediation. Given Treasury’s apparent skepticism and lack of clarity, DeFi services that attempt to thread the needle and avoid AML/CFT requirements may face significant regulatory scrutiny. Indeed, it could be argued that true disintermediation is not possible, as the process of attempting to achieve it indicates a level of control by some entity.

Further, in the Report’s section on recommended actions, Treasury recommends, “enhancing the U.S. AML/CFT regime as applied to DeFi services by closing any identified gaps in the BSA to the extent that they allow certain DeFi services to fall outside the scope of the BSA’s definition of financial institutions.” Therefore, even if a DeFi service achieves disintermediation as presently defined, it is possible that those loopholes will be closed, making the effort pointless.

Finally, as a practical matter, DeFi services should strive for sound risk management to prevent abuse by criminals and terrorists, whether or not there is a regulatory obligation to do so. While traditional financial rails remain the primary route for illicit finance, failure by DeFi services to institute reasonable controls does and will attract bad actors. DeFi services should recognize that regulators, both within the U.S. and globally, are unlikely to permit unfettered, potentially criminal, financial activity, and that it is a criminal offense to facilitate laundering the proceeds of a crime, regardless of compliance program regulatory requirements. If DeFi services become synonymous with criminal activity, whether rightly or wrongly, the ecosystem could be regulated out of existence. Therefore, it is in the best interests of all DeFi services to immediately start ensuring compliance with AML/CFT laws and regulations.


How Guidehouse Can Help 

As evidenced by the numerous reports published and instances of enforcement against DeFi services by various U.S. regulators, cryptocurrencies and DeFi remain very much a priority for regulators. Given this continued scrutiny and possibility of enforcement actions, DeFi services should strongly consider proactively building AML/CFT programs.

Guidehouse has worked with numerous clients in the digital assets field to build, implement, and strengthen AML/CFT compliance programs. Combining its deep expertise in traditional financial institution compliance with a nuanced understanding of the rapidly changing digital assets ecosystem, Guidehouse is uniquely positioned to help entities operating in the space with any compliance concerns, including:

  • AML/CFT and OFAC program development
  • AML/CFT and OFAC program implementation
  • AML/CFT and OFAC program management outsourcing
  • AML/CFT and OFAC advisory
  • Know-your-customer and enhanced due diligence
  • Blockchain analytics, risk analysis, and tracing
  • Strategic planning
  • Risk management
  • Vendor sourcing and governance
  • Executive training

Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.


Co-author: Nick Bohmann


Alma Angotti, Partner

Gregory Schwarz, Associate Director
