U.S. Treasury Department Publishes First Illicit Finance Risk Assessment

The US Department of the Treasury has released the world’s first-ever illicit finance risk assessment on decentralized finance (DeFi). The report highlights the risks associated with what are commonly called DeFi services. It broadly refers to virtual asset protocols and services that purport to allow some form of automated peer-to-peer transactions, often through self-executing code known as “smart contracts” based on blockchain technology.

Non-Compliance with AML/CFT

The assessment outlines the risk of exploitation by illicit actors, including criminals, scammers, and North Korean cyber actors, who are using DeFi services to transfer and launder their illicit proceeds. The report notes that non-compliance by DeFi services with anti-money laundering and countering the financing of terrorism (AML/CFT) and sanctions obligations are the primary vulnerabilities that illicit actors exploit. It also highlights the potential for some DeFi services to be out of scope for existing AML/CFT obligations, weak or non-existent AML/CFT controls for DeFi services in other jurisdictions, and poor cybersecurity controls by DeFi services, which enable the theft of funds.

The assessment also includes recommendations for U.S. government actions to mitigate the illicit finance risks associated with DeFi services. These include strengthening US AML/CFT regulatory supervision, considering additional guidance for the private sector on DeFi services’ AML/CFT obligations, and assessing enhancements to address any AML/CFT regulatory gaps related to DeFi services.



Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson stated that “Capturing the potential benefits associated with DeFi services requires addressing these risks. The private sector should use the findings of this assessment to inform their own risk mitigation strategies and to take clear steps, in line with AML/CFT regulations and sanctions obligations, to prevent illicit actors from abusing DeFi services.”

The study also called for input from the private sector to inform next steps. The DeFi risk assessment builds upon Treasury’s other recent national risk assessments and furthers the work outlined in Executive Order 14067 on “Ensuring Responsible Development of Digital Assets.”