Cybercriminals in North Korea exploit DeFi service vulnerabilities, highlighting the need for stronger U.S. AML/CFT regulations and oversight.
A recent comprehensive evaluation of decentralized finance (DeFi) services has found that illicit actors, including cybercriminals from North Korea, are taking advantage of DeFi service vulnerabilities to transfer and launder illegal funds. The evaluation examines how these malicious actors misuse DeFi services and points out potential gaps in the United States’ anti-money laundering (AML) and countering the financing of terrorism (CFT) regulations, oversight, and enforcement systems as they apply to DeFi.
DeFi services encompass virtual asset protocols and services that enable automatic peer-to-peer (P2P) transactions through self-executing code, known as smart contracts, and blockchain technology. DeFi services also have a central organization that retains a degree of centralized management and control. The absence of a widely accepted understanding among industry players about how AML/CFT responsibilities may apply to DeFi services heightens the risk. Some service providers may intentionally attempt to decentralize a virtual asset service to circumvent AML/CFT obligations.
Mitigating DeFi Vulnerabilities with U.S. AML/CFT Regulations
Although the current U.S. AML/CFT regulatory framework and the gradual application of global AML/CFT standards for virtual assets offer some protection against the identified vulnerabilities, significant risks persist. The evaluation also concludes that the most substantial illicit finance risk in the DeFi sector originates from services that do not adhere to existing AML/CFT requirements.
In the United States, the Bank Secrecy Act (BSA) and associated regulations impose obligations on financial institutions to support U.S. government agencies in detecting and preventing money laundering. A DeFi service operating as a financial institution under the BSA definition must comply with BSA obligations, including AML/CFT requirements, irrespective of whether the service is centralized or decentralized. However, numerous DeFi services subject to the BSA do not comply with their AML/CFT responsibilities, creating a vulnerability that illicit actors, including North Korean cybercriminals, exploit.
Strategies to Tackle Illicit Finance Dangers in DeFi Services
To address the illicit finance threats linked to DeFi services, the evaluation recommends reinforcing U.S. AML/CFT supervision and enforcement for virtual asset activities, including DeFi services, to improve compliance with BSA obligations. Federal regulators should also increase their engagement with industry stakeholders to clarify how relevant laws and regulations apply to DeFi services, and take further regulatory action or issue additional guidance as needed.
Furthermore, the evaluation advises improving the U.S. AML/CFT regulatory system by addressing identified gaps in the BSA that allow specific DeFi services to fall outside the definition of financial institutions. Collaborating with foreign partners to advocate for stronger implementation of international AML/CFT standards and promoting better cybersecurity practices by virtual asset firms can also help reduce vulnerabilities.
Continuous Assessment and Cooperation for Effective DeFi Regulations
The evaluation acknowledges the rapidly changing landscape of the virtual asset ecosystem, including DeFi services, and emphasizes the importance of ongoing research and collaboration with the private sector to keep pace with developments in the DeFi ecosystem. Encouraging responsible innovation in compliance tools for the industry is another vital aspect, as numerous private sector organizations are already pursuing this path.
As part of the suggested actions to tackle illicit finance risks, the evaluation raises several questions related to the treatment of DeFi services that fall outside the BSA definition of financial institutions and areas requiring more regulatory clarity. The Department of the Treasury welcomes stakeholder input on these questions to develop more effective regulations for the DeFi sector.