US illicit finance risk assessment of Decentralized Finance – addressing the regulatory gap

The US Department of the Treasury (Treasury) recently issued a risk assessment describing the illicit finance risks associated with Decentralized Finance (DeFi) services.  Among other things, the risk assessment describes weaknesses in the anti-money laundering and countering the financing of terrorism (AML/CFT) regime governing DeFi services and how illicit actors exploit these weaknesses. 

Failure to meet AML/CFT standards

According to the risk assessment, the most significant vulnerability in the DeFi space results from the failure of DeFi services to comply with existing AML/CFT obligations. 

These obligations are far from uniform: while the United States subjects financial institutions to AML/CFT obligations under the Bank Secrecy Act and its implementing regulations,[i] some non-US jurisdictions have not effectively implemented international AML/CFT standards. 

A regulatory gap

Perhaps unsurprisingly, the above-mentioned failure is partly caused by a regulatory gap under the US AML/CFT regime. To the extent a DeFi service allows users to self-custody and transfer their crypto assets without an intermediary financial institution, the DeFi service may not fall within the definition of “financial institution” under the Bank Secrecy Act. 

To be sure, the regulatory gap is not the only reason why DeFi services fail to comply with AML/CFT obligations. In some cases, DeFi service providers may erroneously think they are not subject to these obligations because their operations have been decentralized. In other cases, DeFi services may operate in jurisdictions that fail to implement international AML/CFT standards.

Recommended actions

In addition to providing a thorough overview of the illicit finance risks present in DeFi services, the risk assessment recommends taking several actions to address these risks, including:

  • issuing additional regulatory guidance
  • engaging with foreign partners; and 
  • engaging with innovative AML/CFT solutions providers in the DeFi space. 

While some market participants embrace the Treasury’s risk assessment for its insight and outreach for public comment, others view the publication as a part of the continuing trend of increased regulatory scrutiny of the cryptoasset market. 

Access the risk assessment in its entirety: Illicit Finance Risk Assessment of Decentralized Finance (


[i] The Bank Secrecy Act is codified at 31 U.S.C. §§ 5311-5314, 5316-5336 and 12 U.S.C. §§ 1829b, 1951-1959, while regulations implementing the Bank Secrecy Act are codified at 31 C.F.R. Chapter X.