The U.S. Department of the Treasury (USDT) has published its first illicit finance risk assessment of Decentralized Finance (DeFi). According to the USDT, DeFi refers to "virtual asset protocols and services that purport to allow for some form of automated peer-to-peer (P2P) transactions, often through the use of self-executing code known as 'smart contracts'". Some examples of DeFi services are briefly described in the table below.
Table 1 – Different Types of DeFi Services
The report outlines the key risks associated with DeFi that U.S. regulators need to address to prevent harm to the U.S. financial system and its stability. Some of these risks are briefly outlined below:
(1) Money Laundering / Ransomware / Theft: Some of the key risks identified in connection with DeFi relate to money laundering (ML), ransomware, or simply theft of funds. The Treasury has observed, for instance, that many cyber criminals use virtual asset transactions to launder illicit proceeds (e.g. from drug trafficking) by quickly exchanging one virtual asset for another, sometimes using cross-chain bridges to move funds between different blockchains. The same holds true for ransomware payment flows. Additionally, the Department notes the use of virtual currency mixers that aggregate and disaggregate transactions so as to obscure the path funds have taken. As far as theft is concerned, most stolen funds (virtual assets) have been taken from VASPs and their customers. Criminals have exploited vulnerabilities in the smart contracts governing DeFi services, aided by the open-source nature of the code (which lets an attacker study it for flaws before striking) and by the complexity of cross-chain functionality.
(2) Custody issues and Disintermediation: Some DeFi services claim that investors are able to "self-custody" their virtual assets, e.g. by holding them in their own digital wallets after using smart contracts to buy and sell digital assets. However, according to the USDT, third parties very often hold keys to the smart contracts into which investors' virtual assets are deposited, which gives those third parties ultimate control over the assets. Additionally, the lack of intermediation in the transfer of virtual assets is a key risk. Since there is often no financial institution involved in the transfer, no control mechanism is in place to "monitor" such transactions and to ensure that the funds / virtual assets are ultimately deposited with the investor.
(3) Lack of resilience: According to the Department, the most significant risks arise from virtual asset service providers (VASPs) themselves. In many cases, they fail to verify customer identity, which would help prevent money laundering or ransomware activities. Additionally, VASPs very often have poor cyber security controls in place for safeguarding customer funds. What is even more worrying: many VASPs are not even aware of their regulatory obligations or of the fact that they may be breaching U.S. law on a daily basis.
The USDT concludes by providing guidance to U.S. regulators on the steps they may take to mitigate the risks noted above, including:
– steps to enhance regulatory oversight over market participants;
– steps to fix current regulatory gaps;
– steps to promote resilience of virtual asset service providers (enhanced engagements, testing of cyber resilience, threat information sharing, etc.); and
– steps to promote the understanding of DeFi in the private sector (e.g. via the issuance of guidance).