Earlier this month, the U.S. Department of the Treasury (Treasury) released its Illicit Finance Risk Assessment of Decentralized Finance (Assessment). This Assessment, part of a broad regulatory scrutiny of entities that operate in the Decentralized Finance (DeFi) space (see the explanation below), focuses on the illicit finance risks associated with virtual assets.
While the assessment discusses how bad actors are taking advantage of weak points in anti-money laundering (AML) and other regulatory regimes across the world, we want to highlight the assessment’s findings that DeFi companies are often failing in meeting their obligations to address sanctions and money laundering risks. As we’ve highlighted over the past year, financial institutions of all kinds, from traditional banks and broker dealers to newer crypto and web3 companies are facing increased regulatory scrutiny (for example, see Wilson Sonsini’s past alerts on Coinbase, TornadoCash, and Kraken). This Assessment serves as a reminder, especially for DeFi financial institutions, that regulators will continue enforcement against AML infractions.
The first-of-its-kind risk assessment alleges that DeFi service providers often fail to institute robust AML compliance programs. This, according to the Assessment, can make DeFi services vulnerable to exploitation by illicit actors. To curb the use of DeFi services for criminal activity, Treasury’s Assessment recommends that the U.S. government strengthen AML regulatory supervision, consider potential enhancements to the existing regulatory regime, and better engage with the private sector to stay up to date on the latest developments in the DeFi ecosystem.
De-What?
While there is no universally accepted definition of DeFi services, the term is generally used to describe virtual currency protocols and services that offer some form of automated peer-to-peer exchange transactions. Such transactions are often executed using “smart contracts” or computer code. DeFi companies can operate, at least to some extent, “without the support of a central company, group, or person,” though Treasury clarifies that “the degree to which a purported Defi service is in reality decentralized is a matter of facts and circumstances.” Examples include cryptocurrency exchanges and decentralized liquidity platforms, where lenders and borrowers are incentivized to rely on a particular service.
Decentralization May Not Mean No Regulatory Scrutiny
Treasury’s Assessment clarifies that just because a virtual currency business claims to be decentralized does not necessarily mean the business wouldn’t be considered a “financial institution” under the Bank Secrecy Act, the legislative underpinning for AML regulations. Likewise, the declaration that a service is decentralized cannot be used to abdicate responsibility for compliance with sanctions programs administered by the Office of Foreign Assets Control (OFAC).
The Assessment notes that when entities whose operations are subject to regulation (e.g., money transmitters) fail to register with regulators or fall short of their AML obligations, bad actors are more likely to take advantage of their services to either profit from their criminal activity or circumvent law enforcement.
We’ve Said It Before and We’ll Say It Again: Increasing Trend of Regulatory Enforcement
The Assessment is part of a larger trend: regulators are increasingly concerned about the illicit use of crypto assets and will aggressively scrutinize crypto asset businesses. Even businesses with some degree of decentralization are not exempt from this scrutiny.
We have already discussed, for example, how crypto asset exchange Coinbase and its $50 million settlement with the New York Department of Financial Services after it failed to track, monitor, and report suspicious activity that may have, and in some cases did, result in illicit activity. Further, decentralized crypto asset mixer TornadoCash was penalized by OFAC in August 2022 because, according to OFAC, TornadoCash’s weak AML program allowed users to launder over $7 billion. On the same day, a top employee at BitMEX was found guilty of violating AML regulations issued pursuant to the Bank Secrecy Act, demonstrating that individuals, and not just crypto asset companies themselves, can be held liable for such violations. Crypto asset exchanges Kraken and Bittrex both settled with federal regulators in 2022 because of alleged sanctions and AML violations.
The Treasury’s Assessment separately notes that the Commodity Futures Trading Commission has even brought an action against a decentralized autonomous organization (DAO) for failing to comply with KYC/AML requirements. The U.S. District Court for the Northern District of California held that the DAO could be “sued as an unincorporated association under applicable law,” demonstrating how decentralization does not make crypto services “enforcement-proof.” Regulators are unlikely to take their eyes off DeFi crypto asset businesses anytime soon, making proper compliance programs more important than ever.
My Company Works in DeFi: What Should I Do?
First and foremost, companies operating in the DeFi space should perform an analysis to determine if they should register with any federal (and/or state) regulatory bodies (e.g., FinCEN). Just as in the TV series “The Office,” when the character Michael Scott found that declaring bankruptcy required a bit more legwork than making that statement in a public place (even loudly), DeFi companies (and their employees) should not assume that simply telling partners and customers they are decentralized will shield them from their regulatory responsibilities.
Additionally, maintaining an effective AML and sanctions compliance program is crucial to avoiding missteps that could expose DeFi companies to significant penalties. DeFi companies that don’t have such compliance programs in place should consider whether they are required to have one, what it should include, and how should it be resourced.
Lastly, Treasury’s Assessment includes an acknowledgment that the government is behind in understanding DeFi, and Treasury recommends additional engagement with industry to get up to speed. This engagement may come through public comment and research opportunities. DeFi businesses should pay close attention to these opportunities to ensure they are helping shape the government’s understanding of this evolving and innovative space.
If you have any questions about the Assessment, or how we can help your DeFi company, please reach out to any member of Wilson Sonsini’s national security and/or fintech and financial services practices.