Yesterday, the Treasury Department released an Illicit Finance Risk Assessment of Decentralized Finance (DeFi). Looking past the report’s, frankly half-hearted, fear mongering and skepticism that disintermediated financial tools deserve different regulatory treatment than financial intermediaries, the report makes important acknowledgements that DeFi’s illicit finance risk is relatively small and that DeFi technology is unique. The report’s sparks of recognition that, on some level, DeFi is different from traditional finance—in enabling peer-to-peer financial transactions and potentially mitigating illicit finance risk through technology—ought to be noted by other U.S. policymakers who actively apply ill-fitting legacy rules to new tools and exaggerate those tools’ risks.

While the report states that criminals and rogue states exploit DeFi to launder money and carry out cyberattacks endangering national security, it tends to bury the lede with respect to the scope of the problem. Still, Treasury ultimately acknowledges that, all told, crime is a “subset” of overall DeFi activity, which itself is a “minor portion” of crypto activity, and that the crime Treasury is concerned with is mainly a problem of traditional finance:

[M]oney laundering, proliferation financing, and terrorist financing most commonly occur using fiat currency or other traditional assets as opposed to virtual assets.

Perhaps for this reason, the report insists that its limited identification of examples of illicit activity over DeFi should not be taken to indicate, well, that there are limited instances of illicit activity over DeFi:

Given how recently the DeFi market has developed and expanded, there were relatively few case examples that this assessment could include. The number of case studies does not, however, reflect the level of risk identified in this assessment.

Of course, it may be that a non-exhaustive list of examples doesn’t reflect the full extent of a problem. But persuasively making that argument generally requires providing additional evidence that speaks to the scale of the problem, beyond mere conclusory statements regarding a vague “level of risk.” However, in the rare instances where the report does address scale, it largely undermines the idea that DeFi is anything other than a relatively minor contributor to overall illicit finance risk, including for money laundering, proliferation financing, and terrorist financing, as well as drug trafficking, where the report notes, “[T]he size and scope of drug proceeds generated on the darknet and laundered via virtual assets remain low in comparison to cash-based retail street sales.”

Similar to the tension between the report’s disquiet over DeFi’s “level of risk” with respect to illicit finance and its recognition of the limited scope of the problem, there’s also a tension in the report’s approach to whether disintermediated financial tools can properly be regulated under an Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) framework designed to address financial intermediaries. On the one hand, the report insists that financial activity carried out over DeFi can be covered by the AML/CFT regime regardless of the degree of decentralization:

AML/CFT obligations in the United States are based on the activities in which a person engages.…While the degree to which a person is centralized could impact the service it provides, persons engaging in the activities of financial institutions as defined by the [Bank Secrecy Act (BSA)], regardless of whether they are centralized or decentralized, will have these obligations.

Yet, on the other hand, the report acknowledges that the lack of a financial entity can pose challenges to the application of existing AML/CFT frameworks:

Globally, under the standards set by the Financial Action Task Force (FATF), the global standard setting body for AML/CFT, DeFi services that lack an entity with sufficient control or influence over the service may not be explicitly subject to AML/CFT obligations, which could lead to potential gaps for DeFi services in other jurisdictions.

The report also provides reason to think that the possible mismatch between existing frameworks and the reality of DeFi is not just an international problem, stating:

In cases in which a DeFi service falls outside of the scope of the BSA, this can result in gaps in efforts by the DeFi service to identify and disrupt illegal activity and identify and report suspicious activity to law enforcement and other competent authorities.

The report’s very recommendation that the U.S. AML/CFT regime as applied to DeFi should be enhanced “by closing any identified gaps in the BSA to the extent that they allow certain DeFi services to fall outside the scope of the BSA’s definition of financial institutions” reveals that the current application of existing provisions to DeFi is not cut-and-dried.

It’s a positive step that the report recognizes that DeFi can lack an intermediary entity and that existing laws may not be well-suited to address this type of technology. The question then is how the gaps end up getting filled. The report offers little insight into what such a solution might look like. But other proposals, like Senator Warren’s Digital Asset Anti-Money Laundering Act, which would subject self-hosted crypto wallets (i.e., the digital equivalent of cash in your own pocket) to certain AML/CFT requirements, would be an undue invasion of what limited financial privacy Americans have left. Given the gravity of proposals that would regulate individual digital wallets as if they were financial institutions, the report’s relative silence on the nature of its proposed gap filling is not reassuring.

A possible bright spot in the report is the recognition that the DeFi ecosystem is innovating new tools—including blockchain forensics and zero-knowledge proofs—that can help to mitigate the risk of illicit finance over DeFi protocols while also preserving some degree of user privacy. Contrary to the stance of other U.S. regulators, Treasury’s report recognizes that “[p]olicymakers and regulators should also seek and assess necessary changes in regulation or guidance to support these developments.” As with the rest of the report, however, countervailing passages suggest that extending the existing AML/CFT status quo has become a priority unto itself, separate and apart from a cost-benefit assessment of its practical implications for mitigating illicit finance harms.

Like the President’s Council of Economic Advisers (CEA) report before it, the Treasury Department’s DeFi risk assessment contains internal inconsistencies—both between rhetoric and substance, as well as between certain substantive claims. Yet unlike the CEA’s report, at least Treasury’s had the wisdom to avoid assessing the value proposition of a class of financial instrument and technology, noting that its assessment “does not evaluate the relative merits of decentralization compared to centralization.” The glass-half-full take on these recurring tensions is that there may just be something to DeFi and crypto that confounds easy efforts to force the square peg of disintermediated technology into the round hole of intermediary regulation.