On April 6, 2023, Treasury issued its risk assessment for decentralized financial (“DeFi”) services as required by Executive Order 14067. While not guidance, the Risk Assessment can provide some insight into Treasury’s views and potential enforcement policies regarding DeFi services. This client alert breaks down the key takeaways from Treasury’s Risk Assessment for DeFi-based stakeholders, including developers of DeFi protocols and financial institutions that interact with DeFi protocols.

First, it is important to understand what risk assessments are supposed to be—and what they are not—and how that applies to this Risk Assessment. As a general rule, national-level risk assessments are policy documents in which the government has assessed the risk posed by a certain industry to the U.S. financial system overall. While they are not guidance and do not carry the force and effect of law, they can provide insight into the views of regulators and law enforcement on specific issues. Treasury’s Risk Assessment provides several useful takeaways on policymakers’ views of DeFi services to which we should all pay attention, not least of which is that Treasury doesn’t believe you when you say the service is decentralized.

When Regulating DeFi Services, Treasury is Focusing on Control vs. Flow of Funds

The Bank Secrecy Act (“BSA”) defines a money services business as a person that accepts currency, funds, or value denominated in currency or funds (i.e., cryptocurrency) and transmits the currency, funds, or value to a third party or location—put succinctly, a person who is in the business of providing transmission services and in the “flow of funds.” Typically, an analysis of whether a person is a money transmitter focuses on the flow of funds and persons who take custody of the funds to effect a transfer from one party to another. Persons that inject themselves into the flow of funds between two parties are most likely operating as money transmitters unless they fall within an exception. Additionally, the BSA has a catch-all provision that can apply to “any other person engaged in the transfer of funds.” To date, FinCEN’s enforcement actions have targeted persons in the “flow of funds” and have not relied on this catch-all provision.

Treasury’s Risk Assessment repeatedly focuses on a person’s ability to control the DeFi service that is facilitating the transaction between two people as a determining factor on the person’s status as a money transmitter. In particular, Treasury’s Risk Assessment discusses the impact that governance tokens, DAOs, and the retention of administrative keys have on retaining “control” of a DeFi protocol. However, in a BSA analysis, the ability to control a DeFi protocol does not necessarily include accepting and transferring value. By focusing on “control,” Treasury provides enforcement examples from the SEC and CFTC on the potential impact control could have in securities and commodities regulation. Additionally, this focus on control demonstrates the possibility that FinCEN may rely on the catch-all provision for regulating DeFi services going forward. To do so, FinCEN will have to limit the extent that its exemption for persons that only provide delivery, communication, or network access services used by money transmitters will apply to DeFi developers.

In Treasury’s View, Control Includes the Ability to Control

In addition to its focus on control, Treasury’s Risk Assessment references the “ability to control” as a potential risk for DeFi services and alludes to the ability to control as having potential regulatory consequences. In particular, the Assessment states that an owner or operator retains an administrative key “which may enable the holder to alter or disable a DeFi service’s smart contract.” Taken in line with previous statements by Treasury officials, if a DeFi service provides money transmission services and a person has the ability to control the DeFi service, then that person is responsible for the DeFi service’s BSA obligations, if any. Treasury’s focus on the ability to control appears to be a novel concept for regulation under the BSA. In particular, FinCEN has repeatedly stated that a person becomes a money transmitter based on the activity in which it engages, not the activity in which it could engage. In fact, in previous FinCEN rulings, the Bureau stated that a money services business that implements written policies and procedures to stop engaging in covered activity immediately ceases to be a financial institution. Based on these previous rulings, if a person has the ability to control a DeFi service, but does not exercise that ability or implements written policies restricting it from exercising that ability, it should be treated the same as similarly situated fiat-based institutions and would not be a financial institution.

Treasury Wants Compliance Controls Imbedded in the DeFi Service

According to the Risk Assessment, Treasury wants developers to imbed compliance controls into the code of DeFi smart contracts. Though this would be a daunting task, Treasury does appear open to innovation in this implementation of anti-money laundering controls, including the use of digital identity to allow privacy to exist on the blockchain, automated transaction regulators to prevent overly frequent transactions, or using off-chain data to screen participants within the service.

Implementing such compliance controls could then reduce the risk that a particular service would be sued for illicit activity. This could increase the use of such service by financial institutions that are obligated to comply with the BSA and reduce regulatory scrutiny. However, because Treasury alludes to control and the ability to control as potential hooks for imposing responsibility onto developers for BSA obligations, developers must balance imbedding such controls with the lack of ongoing maintenance to prevent being deemed in control of the services. While this likely would limit the effectiveness of such controls, it is an unfortunate byproduct of focusing on a control analysis vs. a flow of funds analysis for regulating cryptocurrency and DeFi services. Glaringly, this byproduct prevents mitigation of the very risks Treasury is attempting to address.