The Department of the Treasury's recently issued Illicit Finance Risk Assessment of Decentralized Finance is principally intended to provide insight on how illicit actors are abusing decentralized finance (DeFi) services, as well as anti-money laundering (AML) and countering the financing of terrorism (CFT) vulnerabilities unique to DeFi. However, the report also contains critical insight on how Treasury, and, presumably, the Financial Crimes Enforcement Network (FinCEN) within Treasury, view the applicability of existing US AML/CFT regulations, issued pursuant to the Bank Secrecy Act (BSA), to DeFi projects.

FinCEN has previously issued two guidance documents regarding what it calls "convertible virtual currency" or "CVC," as well as a number of administrative rulings. The 2013 guidance did not specifically discuss DeFi. The 2019 guidance briefly addresses decentralized applications ("DApps") and decentralized exchanges, but dedicates only a couple of pages to the topic.

The Risk Assessment dedicates significantly more text to the topic of when a DeFi project might be subject to FinCEN's rules, particularly as a money transmitter, a type of money services business (MSB). The Risk Assessment states that it "does not alter any existing legal obligations, issue any new regulatory interpretations, or establish any new supervisory expectations." However, it does make explicit a number of important points that are at best implied in FinCEN's 2019 guidance and introduces critical new terminology that does not appear in the prior FinCEN guidance. For example, the Risk Assessment draws a sharp distinction between the concept of "decentralization," which it states is not relevant to assessing a DeFi project's status under the BSA, and "disintermediation," which it states is relevant (albeit as a gap in existing rules that should be filled). Notably, "disintermediation" is a term that is never used in FinCEN's prior guidance.

Therefore, while the Risk Assessment is purportedly not intended to provide "new regulatory interpretations," it is a key new document in understanding how the BSA applies to DeFi projects.

FinCEN's 2019 Guidance on DeFi

To understand the intersection of the Risk Assessment and FinCEN's prior guidance, it is worth briefly revisiting that guidance. As noted above, FinCEN's 2019 guidance addresses DApps and decentralized exchanges. FinCEN's 2019 guidance describes DApps as "software programs that operate on a P2P network of computers running a blockchain platform (a type of distributed public ledger that allows the development of secondary blockchains), designed such that they are not controlled by a single person or group of persons (that is, they do not have an identifiable administrator)."

The guidance explains "when DApps perform money transmission, the definition of money transmitter will apply to the DApp, the owners/operators of the DApp, or both." However, it adds that "the developer of a DApp is not a money transmitter for the mere act of creating the application, even if the purpose of the DApp is to issue a CVC or otherwise facilitate financial activities denominated in CVC," provided the developer does not use or deploy the DApp to engage in money transmission. FinCEN rules may also apply to third parties that use the DApp to engage in money transmission.

With respect to decentralized exchanges, FinCEN explains:

[I]f a CVC trading platform only provides a forum where buyers and sellers of CVC post their bids and offers (with or without automatic matching of counterparties), and the parties themselves settle any matched transactions through an outside venue (either through individual wallets or other wallets not hosted by the trading platform), the trading platform does not qualify as a money transmitter under FinCEN regulations.

Conversely, FinCEN rules do apply if, "when transactions are matched, a trading platform purchases the CVC from the seller and sells it to the buyer."

Risk Assessment

The Risk Assessment builds on the rather sparse discussion of DeFi in the 2019 guidance in a number of significant ways.

First, the Risk Assessment states that the centralized or decentralized status of a given DeFi project is not relevant to its status under the BSA. For example, it explains "a DeFi service that functions as a financial institution as defined by the BSA, regardless of whether the service is centralized or decentralized, will be required to comply with BSA obligations, including AML/CFT obligations. A DeFi service's claim that it is or plans to be 'fully decentralized' does not impact its status as a financial institution under the BSA." While such a view is arguably implied in the 2019 guidance's discussion of DApps, it is not explicitly stated. Nor does either the 2019 guidance or the Risk Assessment explain who FinCEN would expect to carry out AML/CFT compliance obligations in a fully decentralized model. The creators that coded the project? Each individual participant in the project? Governance token holders or a DAO (if such a thing exists for the given project)? Each potential answer raises a host of additional questions and complications not addressed in the guidance or Risk Assessment.

Second, the Risk Assessment discusses the concept of "disintermediation," a term that never appears in FinCEN's prior guidance. According to the Risk Assessment, disintermediation refers to "virtual assets [that] can be self-custodied and transferred without the involvement of an intermediary financial institution." For example, disintermediation includes "users of unhosted wallets [that] can retain custody of and transfer their virtual assets without the involvement of a regulated financial institution." The Risk Assessment notes, "Many DeFi services claim to be disintermediated by enabling automated P2P transactions without the need for an account or custodial relationship." The Risk Assessment acknowledges that such disintermediated projects currently fall outside FinCEN rules, but suggests the rules should be updated to address that gap. Therefore, the Risk Assessment draws a sharp line between "decentralization," which is not relevant to an entity's BSA status, and "disintermediation," which is a key consideration. This distinction does not appear in FinCEN's prior guidance, at least not in any explicit manner. As noted above, the word "disintermediation" never even appears in the prior guidance.

Third, the Risk Assessment states that FinCEN takes a different approach than the Financial Action Task Force (FATF) with respect to DeFi. FATF is an international AML/CFT standards-setting body that establishes a series of recommendations for AML/CFT compliance, which, while not strictly obligatory, most jurisdictions seek to follow. As outlined in FATF's Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, software programs themselves are not subject to AML/CFT requirements under the FATF standards and, therefore, fully decentralized DeFi projects are not subject to those obligations. With that said, FATF notes that in practice most DeFi projects do have some elements of centralization and, therefore, may not in fact be fully decentralized, despite representations to that effect.

FATF's updated guidance was published in October 2021 and the United States was widely understood to be involved in that update. No US government agency or official had publicly stated that the US disagreed with FATF's approach to DeFi until the Risk Assessment. The Risk Assessment criticizes FATF's approach, noting it "could lead to potential gaps for DeFi services in other jurisdictions" and contrasts it against the US approach in which, according to the Risk Assessment, the decentralized status of a project is not relevant to the applicability of the BSA.

Finally, the Risk Assessment highlights a number of ways in which projects claiming to be decentralized may in fact be largely or partially centralized. Among other examples, the Risk Assessment cites: a concentration of governance tokens or voting power, a concentration of nodes or validators, retention of an administrative key or similar back door to amend a protocol, and a centralized front-end that is necessary to access the protocol (or without which protocol access is very difficult). However, as noted above, because the Risk Assessment states that the level of decentralization of a project is not relevant under the BSA, these factors should not impact the overall analysis of whether a project falls within the BSA.

The Path Ahead

While the Risk Assessment is not intended to change regulatory interpretations, it contains the US government's most extensive comments to date on the applicability of the BSA to DeFi and, as such, will undoubtedly shape how industry understands FinCEN's rules and guidance. The Risk Assessment's introduction of new terminology and concepts that are, at best, only implied in FinCEN's prior guidance will further heighten the importance of the document.

The Risk Assessment indicates Treasury is open to receiving industry comments, including on the following questions:

  • What factors should be considered to determine whether DeFi services are a financial institution under the BSA?
  • How can the U.S. government encourage the adoption of measures to mitigate illicit finance risks ... including by DeFi services that fall outside of the BSA definition of financial institution?
  • The assessment finds that non-compliance by covered DeFi services with AML/CFT obligations may be partially attributable to a lack of understanding of how AML/CFT regulations apply to DeFi services. Are there additional recommendations for ways to clarify and remind DeFi services that fall under the BSA definition of a financial institution of their existing AML/CFT regulatory obligations?
  • How can the U.S. AML/CFT regulatory framework effectively mitigate the risks of DeFi services that currently fall outside of the BSA definition of a financial institution?
  • How should AML/CFT obligations vary based on the different types of services offered by DeFi services?

Entities involved in the DeFi space may wish to carefully review the Risk Assessment and to provide comments to Treasury. Steptoe is available to assist companies in preparing and submitting comments.
