Treasury releases 2023 DeFi illicit finance risk assessment
Lax cyber controls and failure to adhere to financial regulations make some DeFi services vulnerable to cybercrime
The Treasury Dept. on Thursday released its first-ever illicit finance risk assessment of decentralized finance (DeFi) services around the world.
Although there is no formal definition of DeFi, the term has come to commonly refer to virtual asset protocols and services purporting to allow automated peer-to-peer transactions that often use self-executing code known as "smart contracts" that are based on blockchain technology.
A variety of malicious actors have come to use DeFi services to transfer and launder their ill-gotten gains, including cybercriminals, ransomware attackers, thieves, scammers and state actors like North Korea. Those actors are able to exploit vulnerabilities in DeFi services because many such services fail to implement policies related to anti-money laundering and countering the financing of terrorism (AML/CFT) despite being obligated to do so.
"Risk assessments play a foundational role in promoting understanding of the illicit finance risk environment and more effectively protecting the integrity of the U.S. financial system," said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson.
"Our assessment finds that illicit actors, including criminals, scammers, and North Korean cyber actors are using DeFi services in the process of laundering illicit funds. Capturing the potential benefits associated with DeFi services requires addressing these risks," Nelson added. "The private sector should use the findings of this assessment to inform their own risk mitigation strategies and to take clear steps, in line with AML/CFT regulations and sanctions obligations, to prevent illicit actors from abusing DeFi services."
The Treasury Dept. assessment notes that the primary vulnerability exploited by illicit actors stems from DeFi services not complying with their AML/CFT and sanctions obligations. DeFi services that engage in activities covered by the Bank Secrecy Act – meaning the service functions as a financial institution, regardless of whether it claims to be or is fully decentralized – are required to comply with the Act's AML/CFT program, recordkeeping and reporting requirements, including reporting to federal agencies.
Additional vulnerabilities cited by the Treasury Dept. include:
- Some DeFi services being out of scope for existing AML/CFT obligations;
- Other jurisdictions having weak or non-existent AML/CFT controls for DeFi services; and
- Poor cybersecurity controls at DeFi services enabling the theft of funds.
Treasury offered several recommendations for government agencies to mitigate the illicit finance risks associated with DeFi services, including stronger supervision of AML/CFT regulatory compliance, considering additional guidance for the private sector on DeFi services' obligations, and addressing any regulatory gaps related to DeFi services' AML/CFT requirements.