ByAUJay
What Questions Should I Include in My RFP for Blockchain Analytics or Blockchain Intelligence Tools?
Why an RFP for blockchain analytics is different in 2025
Blockchains, assets, and regulations are evolving at lightning speed, often faster than your typical procurement cycle. Vendor capabilities can really shift--like gaining new L1/L2 coverage or cross-chain tracing--only to sometimes pull back (think product deprecations) all within just a quarter. So, your RFP should definitely assess the range of chains and tokens, the quality and transparency of attribution, and how well the vendor can adapt to changing sanctions and Travel Rule updates across different jurisdictions.
Example Vendor Shifts to Consider for Your RFP:
- TRM Labs is stepping up their game with expanded investigation and screening coverage through 2025. By April 2025, they were already reporting on 36 blockchains for forensics and ownership-risk coverage across 89 chains. Fast forward to July 2025, and they announced they’re on top of 100 blockchains for risk screening and tracing enhanced across 42 of them.
- Chainalysis has been busy too! They added new networks like X Layer back in June 2025 and Kaia in August 2025. Plus, they’re really pushing the envelope with automatic token support for new ERC standards and cross-chain tracing capabilities across over 300 bridges and DEXs.
- Elliptic is all about coverage, now supporting 50+ blockchains and accounting for 97% of cryptoassets by trading volume. They also provide multi-network screening for popular stablecoins, which is pretty impressive!
- A quick heads-up about CipherTrace, owned by Mastercard--back in March 2024, they informed clients that they were pulling the plug on some key products like Armada, Inspector, and Sentry. It's a solid reminder to always look into your vendor's continuity and exit strategies.
Regulatory baselines are shifting:
- The EU has rolled out its updated Travel Rule (Regulation (EU) 2023/1113), and this has been in effect since December 30, 2024. The EBA’s final guidelines outline how CASPs need to spot and tackle any missing data. You can check it out here: (eur-lex.europa.eu).
- In June 2025, FATF streamlined Recommendation 16 to boost payment transparency--make sure to bring this up in any Travel Rule discussions. More details can be found at (fatf-gafi.org).
- OFAC kicked off its Sanctions List Service (SLS) back in May 2024 and rolled out an advanced SDN data format in 2025. It’s a good idea to ask your vendors to support these data models natively. Check the announcement here: (home.treasury.gov).
- The UK will be retiring OFSI’s consolidated list and moving to a single UK Sanctions List on January 28, 2026. Vendors should already be on top of this transition. Find more info here: (gov.uk).
The rest of this post has a handy RFP blueprint that you can easily copy, paste, and customize to fit your needs.
1) Coverage and attribution: do they actually see what you need?
When you're checking out a vendor's support, don't settle for vague claims like “we support 30+ chains.” Dig deeper and ask for specifics: which chains they cover, which token standards they work with, and which entities they support.
- Chain and Token Coverage
- Ask the vendor to list all the supported chains and networks (L1/L2/app chains), including the latest additions from 2025, with the date each became Generally Available and which products offer “enhanced tracing” as opposed to just basic screening.
- Make sure to confirm that auto-token support is available for ERC-20, ERC-721, and ERC-1155 tokens, along with similar standards on the integrated chains. Vendors like Chainalysis highlight their ability to automatically onboard new tokens for deployments on supported EVM chains. (chainalysis.com)
- Don’t forget to specify which DeFi protocols, bridges, and DEXs are decoded right out of the box (for instance, the claims of “300+ bridges/DEXs supported”) and how quickly they’re able to decode new contracts or AMMs after they launch. (chainalysis.com)
- Address/Entity Attribution Quality
- Ask how many real-world counterparties or services the vendor can attribute. For instance, Chainalysis has over 134,000 unique counterparties, with a quality assurance process for their labels that includes human review, OSINT corroboration, and confidence scores.
- Ask the vendor to share precision and recall metrics for attribution, along with how often labels are re-checked. Also ask how mislabels get fixed and how the corrections are shared.
- Last but not least, every label should come with solid provenance. That means the vendor should provide time-stamped evidence, links to on-chain proofs, and any investigative notes, and all of it should be easy to export with your case.
- Cross-chain entity resolution
- Ask how the vendor identifies a single entity across different chains. Think about stablecoin treasury wallets spread across Ethereum, Tron, and Solana, along with the bridges and MEV relayers connecting them. It's like tracking a single person's journey through various neighborhoods!
- Ask for examples of multi-hop tracing that show how assets move across bridges and DEXs, with swaps and wraps interpreted automatically so the path is easier to understand.
- Privacy-focused assets
- Ask the vendor to state its capabilities and limits for Monero and the shielded version of Zcash. You need a clear and honest account of what can and can’t be traced. It’s important that the vendor points out when the only risk you face is from exposure, like when coins move in and out of exchanges or instant exchangers, and mentions any reliance on off-chain evidence. Public reports show that using these sophisticated privacy coins makes tracing them much trickier, often requiring evidence that isn’t on the chain. (arstechnica.com)
- Coverage Volatility and Roadmap
- It’s a good idea to ask for 18-24 month roadmaps that include commitments similar to SLAs for launching new chains. For instance, look at how quickly coverage can grow with projects like OKX X Layer, Kaia, and Plasma integrations set for 2025. You should also request quarterly release notes and policies on deprecation. For example, Bitquery is transparent about deprecating low-adoption chains--so it’s smart to understand how your vendor handles this. (chainalysis.com)
Practical example:
If you're working with Ethereum, Base, Solana, and Tron, it's a good idea to ask the vendor to show you that they can handle same-day decoding for new ERC-20s on Base, SPL tokens on Solana, and TRC-20s on Tron. Also, make sure they can automatically propagate labels across the bridges you’re using for your treasury operations.
2) Data freshness, completeness, and engineering rigor
It's important to have clear freshness targets that you can audit, along with a transparent view of how data gets ingested, decoded, and reconciled.
- Freshness and Latency
- Set some clear goals for ingestion latency by chain: think <60 seconds post-finality for EVM and under 2 minutes for Solana slots. It’s also important to find out how the vendor deals with reorgs and backfilling.
- Aim for an hourly update (or even better) for price and metadata. This way, risk scoring will show a more accurate picture of true USD values, especially when it comes to those tricky illiquid assets. TRM noted that they’ve managed to cut down the “time to add” new asset prices to just hours. (trmlabs.com)
- Completeness and Decoding
- Make sure the vendor has complete archival coverage from the very beginning; this means checking for traces, internal calls, and decoding for ERC-20/721/1155, Solana program logs, and Cosmos IBC events.
- Find out how the vendor puts ABI decoders to the test and how they handle upgrades when new versions of protocols drop (like with Uniswap v4 hooks).
- Cross-checks and external references
- When using self-serve analytics, make sure you can access those raw, normalized datasets (like delivery to Snowflake, BigQuery, or S3) and that they play nice with public datasets for validation. For example, Google’s BigQuery public crypto datasets can serve as solid baselines. (cloud.google.com)
- Audit trails and reproducibility
- You need to have an unchangeable record of everything: start with the raw node data, then move through the parsed and normalized tables, and keep track of attribution all the way to the final output artifacts. Make sure to include versioning, so you can easily back up your findings if they ever need to hold up in court or during audits.
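One way to check an audit-trail claim like this during a proof of value, as an added example (not code from this post or from any vendor): a hash-linked manifest with one record per pipeline stage, verified on the buyer side. The manifest layout, stage names, version strings and artifacts are assumptions constructed for illustration.

```python
import hashlib
import json

# Hypothetical stage names following the pipeline described above.
STAGES = ("raw", "parsed", "normalized", "attribution", "output")
GENESIS = "0" * 64


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _record_hash(body: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    return _sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def build_manifest(artifacts: dict, versions: dict) -> list:
    """Vendor side (hypothetical): one record per stage, each bound to the previous one."""
    manifest, prev = [], GENESIS
    for stage in STAGES:
        body = {"stage": stage, "version": versions[stage],
                "artifact_sha256": _sha256(artifacts[stage]), "prev_hash": prev}
        prev = _record_hash(body)
        manifest.append({**body, "record_hash": prev})
    return manifest


def verify_manifest(manifest: list, artifacts: dict, anchored_head: str) -> list:
    """Buyer side: re-hash everything; return a list of problems (empty means verified)."""
    problems = []
    if tuple(r.get("stage") for r in manifest) != STAGES:
        problems.append("stages missing or out of order")
    prev = GENESIS
    for r in manifest:
        stage = r.get("stage")
        body = {k: r.get(k) for k in ("stage", "version", "artifact_sha256", "prev_hash")}
        if r.get("prev_hash") != prev:
            problems.append(f"{stage}: does not link to the previous record")
        if _record_hash(body) != r.get("record_hash"):
            problems.append(f"{stage}: record fields were altered")
        if stage not in artifacts or _sha256(artifacts[stage]) != r.get("artifact_sha256"):
            problems.append(f"{stage}: exported artifact does not match its recorded hash")
        prev = r.get("record_hash")
    # A chain can be rebuilt end to end after a silent change, so the head must match
    # a value captured out of band (for example, written into the case file at export).
    if prev != anchored_head:
        problems.append("head hash differs from the anchored value")
    return problems


# Constructed sample artifacts and versions (not real chain data or vendor output).
ARTIFACTS = {
    "raw": b'{"block": 100, "txs": ["tx-1", "tx-2"]}',
    "parsed": b"tx-1,transfer,addr-a,addr-b,25",
    "normalized": b"tx-1|addr-a|addr-b|25|USD 25.00",
    "attribution": b"addr-b=Example Exchange (confidence 0.9)",
    "output": b"case-001: addr-a -> Example Exchange",
}
VERSIONS = {"raw": "node-v1", "parsed": "decoder-v3", "normalized": "schema-v2",
            "attribution": "labels-2025-07", "output": "report-v1"}

if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS, VERSIONS)
    print(verify_manifest(manifest, ARTIFACTS, manifest[-1]["record_hash"]))
```

The anchored head is what makes the record tamper-evident to you rather than only to the vendor: without it, a relabelled attribution followed by a full rebuild verifies cleanly.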
Practical Example
Let's try a “fix-forward” test: provide 50 unknown contracts (including some proxies) and challenge vendors to decode events. They should identify proxies and implementations, and also highlight any transfers, minting/burning actions, and approvals--all within 24 hours.
3) Risk and compliance: sanctions, Travel Rule, typologies
Your RFP should really focus on how tools put fast-moving sanctions and Travel Rule requirements into action.
- Sanctions data sources and update cadence
- Make sure the vendor is set up for real-time or hourly updates from OFAC’s SLS feeds and can handle the advanced SDN list format. This includes names in their original scripts and more detailed identifiers. The vendor's matchers should also be fine-tuned for these specific fields. (home.treasury.gov)
- Double-check that the vendor has EU and UK coverage in the bag. The UK is moving to a single UK Sanctions List by January 28, 2026, so ask for proof that the vendor is ready for this change and can handle back-compat identifiers. (gov.uk)
- Travel Rule (global)
- If you're in the EU, make sure you're on top of Regulation (EU) 2023/1113 and the EBA’s final guidelines that kick in on Dec 30, 2024. This is all about how to deal with missing or incomplete originator/beneficiary data. Don’t forget to have template responses ready for those self-hosted wallet interactions. Check it out here: eur-lex.europa.eu.
- It’s also a good idea to dig into protocol interoperability when it comes to securely exchanging PII. Think about TRISA/TRP interop, Envoy v1.0, and IVMS101 support--plus, find out if there's a self-hosted option that lets you keep PII on your own infrastructure. For more info, visit trisa.io.
- Make sure you’re implementing solid end-to-end PII protection. This means encrypting data both at rest and in transit, minimizing the data you collect, setting default retention periods, and ensuring that data stays within specific jurisdictions.
- Typologies and alerting
- Ask the vendor for their library of risk typologies, like ransomware cashouts, romance scams, sanctioned mixer exposure, and terrorist financing wallets listed by OFAC. Then look at how each one is reflected on-chain and in the alerts it produces.
- Make sure to insist on having indirect and multi-path exposure detection along with clear path summaries. TRM does a great job of highlighting expanded indirect exposure across tons of chains. Check it out here: (trmlabs.com).
Practical Example
Let’s say you have three “mystery wallets” that have some known OFAC exposure. Here’s what we’re looking for from the vendor:
- Detect Exposure Quickly: They need to identify any direct or indirect exposure within 300 milliseconds using an API.
- Show Sanction Details: We want them to display the exact sanction reference along with the list version.
- Export an Auditable Path: Lastly, they should be able to provide an auditable exposure path.
4) Investigations workflow and evidentiary standards
Beyond just dots on a graph, you really need solid workflows, effective governance, and exports that can hold up under careful examination.
- Case Management
- Look for graph tracing across different chains that automatically interprets swaps, bridges, and mixers. The tool should also let you bulk enrich and group entities, and create as many custom entities as you need (see the 2025 updates from TRM, which go all-in on unlimited/custom entity capabilities). (trmlabs.com)
- For sensitive operations, require offline modes, full audit logs, role-based access, and case notes that can’t be altered.
- Court-ready exports
- Require exports of graphs, chain-of-custody logs, labeled path evidence, and data dictionaries in machine-friendly formats like CSV, JSON, or Parquet, as well as user-friendly PDFs. If your security team needs it, also ask for structured intelligence formats like STIX 2.1.
- Operational support
- Ask about investigative services, round-the-clock incident response, and access to expert witnesses whenever you need them, plus training and certification paths to keep you and your team sharp.
- Independent validation and track record
- Request examples of situations where their intelligence played a role in seizures or recoveries, and check if they were mentioned in legal decisions (like how Chainalysis has over 1,500 institutional clients and impressive seizure stats; make sure to back it up with references). (chainalysis.com)
5) Deployment, security, and data governance
You’ll be working with some pretty sensitive investigations and customer PII, so it's important to set the bar high.
- Deployment Models
- You've got different options like SaaS regions, dedicated VPCs, on-premises, and government clouds. Keep in mind that some vendors will talk about their on-prem and FedRAMP-authorized setups, so don’t hesitate to ask about the specific authorization boundary and impact level. (chainalysis.com)
- Security attestations
- Ask for SOC 2 Type II and ISO 27001/27701, plus regular penetration testing. On top of that, require solid key management with KMS/HSM, support for SSO/SAML/OIDC, SCIM provisioning, and field-level encryption to keep PII safe.
- Data residency and retention
- Require data residency controls that vary by jurisdiction, configurable retention periods for PII versus non-PII, an audit of admin access, and the option to manage your own keys.
- Business continuity
- For disaster recovery, keep an eye on RTO/RPO; make sure to run daily checks on your datasets; consider vendor escrow for those crucial decoders and parsers; and always have continuity clauses ready in case a product line gets sunsetted (check out what CipherTrace is doing with their 2024 changes). (fortune.com)
6) Integration and developer experience
Smart insights don’t mean much if your teams can’t actually use them.
- APIs and Data Access
- We’re talking REST, GraphQL, and gRPC here--not to mention some cool streaming options like webhooks and Kafka. Plus, SDKs and sandbox environments are super handy. Just keep an eye on those rate limits and burst policies, along with your SLAs--like aiming for under 300ms P99 for screening.
- When it comes to cloud data sharing, think Snowflake, BigQuery, and S3. Make sure you’re also looking at table schemas for self-serve analytics. It’s important that these match up with what you get from the API. Some providers are all about GraphQL and cloud shares; be sure to clarify how long they’ll support these features and what their deprecation windows look like. Check it out here: docs.bitquery.io
- Event decoding and enrichment
- Managing ABI, detecting proxies and upgrades, creating NFT metadata pipelines, mapping stable tokens, and resolving token identities across different venues.
- Change management
- Keep a consistent schedule for release notes; have versioned endpoints; outline backward compatibility timelines; provide advance notice for any breaking changes (like how Bitquery shares deprecation announcements with dates--let’s aim for that standard too). (community.bitquery.io)
Practical Example
Reach out to your vendors and request them to set up a five-day sandbox with production-rate limits. Once that’s done, have your engineering team import 10 million on-chain events into your lakehouse. Finally, run some benchmarks to see how long it takes to query on your BI stack.
7) Pricing, SLAs, and total cost
Uncover all the levers and keep an eye out for volume traps.
- Pricing Dimensions
- You've got a few options here: seat-based, case-based, or maybe you want to go with API-call or data-volume-based pricing. Don't forget to check out overage rates, per-chain add-on fees, and the differences between “enhanced tracing” and “screening only” tiers. Also, keep in mind the rates for professional services and any training or certification costs you might need to consider.
- SLAs
- Ask for an uptime of 99.9% or better and a response to P1 incidents within 15 minutes. Also ask for turnaround times for false-positive reviews, data freshness SLAs specific to each chain, and guidelines for rolling back releases.
- Exit terms
- Guarantees for data export (including schemas and dictionaries), a license to keep case artifacts, and help with migration.
8) Evidence-based scoring scenarios (include in your RFP)
Score vendors based on tasks that reflect how your operations actually run.
- Scenario A: Sanctions Screening at Scale
- Run 10,000 wallet screens in just 60 seconds. The responses need to include inline justification text and the list-source version IDs (OFAC SLS, UKSL).
- Scenario B: Cross-chain tracing
- Track the movement of funds from ETH to Base, then through a bridge to Tron, and finally to an exchange. This should include automatic path reconstruction and identifying entities across at least two bridges and one DEX.
- Scenario C: Incident Response
- The vendor jumps into a simulated exploit war-room within 30 minutes, bringing along an IOC package (including IOA, addresses, contracts) and an exportable graph that lays out hop-by-hop notes.
- Scenario D: Travel Rule operations
- Show how TRISA/TRP works together for a cross-border transfer that includes IVMS101 fields, ensuring that any PII stays safely within your VPC and complete audit logs are maintained. (trisa.io)
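A sketch of how Scenario A and the section 3 practical example can be scored mechanically, as an added example (not code from this post or from any vendor). The response field names (`latency_ms`, `sanction_ref`, `list_source`, `list_version`, `justification`, `path`, `sanctioned_address`) are hypothetical and the sample run is constructed; map them to the vendor's real schema.

```python
P99_BUDGET_MS = 300                  # "under 300ms P99 for screening"
REQUIRED_RATE = 10_000 / 60          # Scenario A: 10,000 screens in 60 seconds
REQUIRED_ALERT_FIELDS = ("sanction_ref", "list_source", "list_version", "justification")


def p99(latencies_ms):
    """Nearest-rank P99: the smallest sample with at least 99% of samples at or below it."""
    if not latencies_ms:
        raise ValueError("no latency samples")
    ordered = sorted(latencies_ms)
    rank = (99 * len(ordered) + 99) // 100   # integer ceil(0.99 * n), no float rounding
    return ordered[rank - 1]


def path_is_auditable(wallet, path, sanctioned_address):
    """Every hop names a chain and tx, hops link end to end, and the path runs
    from the screened wallet to the sanctioned address."""
    if not path or not sanctioned_address:
        return False
    if path[0].get("from") != wallet or path[-1].get("to") != sanctioned_address:
        return False
    if any(hop.get("to") != nxt.get("from") for hop, nxt in zip(path, path[1:])):
        return False
    return all(hop.get("chain") and hop.get("tx") for hop in path)


def score_run(results, wall_clock_s):
    """Return measured figures plus findings; an empty findings list means the run passes."""
    findings = []
    observed = p99([r["latency_ms"] for r in results])
    if observed > P99_BUDGET_MS:
        findings.append(f"P99 latency {observed} ms exceeds {P99_BUDGET_MS} ms")
    rate = len(results) / wall_clock_s
    if rate < REQUIRED_RATE:
        findings.append(f"throughput {rate:.0f}/s is below {REQUIRED_RATE:.0f}/s")
    for r in results:
        for alert in r["alerts"]:
            missing = [f for f in REQUIRED_ALERT_FIELDS if not alert.get(f)]
            if missing:
                findings.append(f"{r['wallet']}: alert missing {', '.join(missing)}")
            if not path_is_auditable(r["wallet"], alert.get("path"),
                                     alert.get("sanctioned_address")):
                findings.append(f"{r['wallet']}: exposure path is not auditable")
    return {"p99_ms": observed, "rate_per_s": rate,
            "passed": not findings, "findings": findings}


def constructed_run(broken=False):
    """Constructed sample (not real vendor output): 200 screens with one sanctions hit."""
    results = [{"wallet": f"wallet-{i}", "latency_ms": 40 + i % 50, "alerts": []}
               for i in range(200)]
    results[10]["latency_ms"] = results[20]["latency_ms"] = 450   # two slow outliers (1%)
    alert = {
        "sanction_ref": "PLACEHOLDER-SANCTION-REF",
        "list_source": "OFAC SLS",
        "list_version": "PLACEHOLDER-LIST-VERSION",
        "justification": "indirect exposure, 2 hops",
        "sanctioned_address": "addr-sanctioned",
        "path": [
            {"chain": "ethereum", "tx": "tx-1", "from": "wallet-7", "to": "addr-mid"},
            {"chain": "ethereum", "tx": "tx-2", "from": "addr-mid", "to": "addr-sanctioned"},
        ],
    }
    if broken:
        alert["list_version"] = ""            # alert cannot be tied to a list version
        alert["path"][1]["from"] = "addr-x"   # hop 2 does not start where hop 1 ended
        results[30]["latency_ms"] = 450       # a third outlier pushes P99 over budget
    results[7]["alerts"].append(alert)
    return results


if __name__ == "__main__":
    print(score_run(constructed_run(), wall_clock_s=1.0))
    print(score_run(constructed_run(broken=True), wall_clock_s=2.0)["findings"])
```

Measure `latency_ms` on your side of the API rather than trusting a vendor-reported figure, and fix the percentile method in the RFP so every vendor is scored the same way.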
9) Emerging best practices to require in 2025 RFPs
Add these to your must-have list.
- Support for OFAC’s advanced SDN format and the latest EU/UK list changes, with fuzzy matching for non-Latin scripts and change logs linked right to the sanctions notices. (home.treasury.gov)
- Interoperable Travel Rule messaging (TRISA/TRP) and open-source Envoy options, with personally identifiable information (PII) kept self-hosted where possible. (trisa.io)
- Cross-chain “universal tracing” that breaks down mixers, bridges, and swaps into clear, human-friendly steps while keeping the raw-path evidence intact. (chainalysis.com)
- Transparent attribution provenance, confidence scores, and the option to contest or flag labels, with vendor SLAs for any necessary reviews.
- Data sharing to your lakehouse for self-service analytics, with normalized schemas aligned with public datasets for easy validation. (cloud.google.com)
- Fast onboarding of new L2s/app chains with automatic token support. Recent additions include X Layer, Kaia, and Plasma; ask for timelines. (chainalysis.com)
- A solid deprecation policy and data escrow, so your investigations and compliance processes stay smooth even if chains or products go away. (community.bitquery.io)
10) Copy‑paste RFP question bank
Feel free to use or tweak these questions however you'd like!
- Coverage and Attribution
- Provide a table of the chains you support (L1/L2/app), along with their GA dates, product coverage (screening vs. enhanced tracing), and whether or not automatic token detection is supported, in this format:

| Chain | GA Date | Product Coverage | Automatic Token Support |
| --- | --- | --- | --- |
| Ethereum | 2022-01-10 | Enhanced Tracing | Yes |
| Binance Smart Chain | 2022-03-15 | Screening | No |
| Polygon | 2022-06-20 | Enhanced Tracing | Yes |
| Avalanche | 2023-01-05 | Screening | Yes |

- Quantify your entity attribution: the number of services and entities you track, your confidence scoring methodology, and precision and recall metrics that third parties have validated.
- Describe your process for detecting and labeling bridges, mixers, and DEXs, and how quickly you decode new protocols after their contracts are deployed.
- Data Engineering and Quality
- Describe your ingestion architecture in detail, covering everything from nodes and indexers to the freshness SLAs for each chain, as well as how you manage reorgs and track data lineage and versioning.
- Be sure to include some sample schemas, and set up a one-week cloud data share on platforms like Snowflake, BigQuery, or S3 for our team to check out and validate.
- Compliance and Sanctions
- Document how you ingest the OFAC SLS and the UKSL/EU lists, including handling of advanced formats and non-Latin scripts. State how often you update the lists and provide the hash/verifier for each version. (home.treasury.gov)
- Describe your Travel Rule capabilities, including TRISA/TRP interoperability, support for IVMS101, and options for self-hosted PII exchange. (trisa.io)
- Investigations Workflow
- Illustrate the cross-chain path reconstruction with easy-to-understand steps and the raw evidence available. Don't forget to include export samples in formats like CSV, JSON, Parquet, and PDF, along with audit logs.
- Provide a list of certifications and training, as well as the incident response Service Level Agreements (SLAs).
- Security and Deployment
- Describe your deployment and security options: SaaS regions, on-premise/FedRAMP choices, SOC 2/ISO certifications, along with your KMS/HSM usage, SSO/SAML/OIDC capabilities, and SCIM support.
- Describe your data residency options, default settings for PII retention, and the ability for customers to manage their own keys.
- Commercials and Resilience
- Share pricing details based on modules, number of users, API usage, data sharing, and any professional services. Don’t forget to mention your overage rates and what support you offer for deprecation or migration.
- Outline your product deprecation policy and continuity plan. Make sure to include info about data escrow in case a product gets retired, and it’s always good to reference any past deprecations as well.
11) Real-world example (what a good response looks like)
Imagine this scenario
You’re managing a U.S. fintech that’s juggling a bunch of exciting operations. You've got stablecoin treasury activities happening on Ethereum and Base, consumer payouts rolling out on Tron, and some cool NFT loyalty programs running on Solana. Here’s the breakdown:
- Stablecoin Treasury Ops: Handling your assets with a focus on Ethereum and Base? That's a smart move, as they both offer robust platforms for managing stability and liquidity.
- Consumer Payouts on Tron: Streamlining those payouts on Tron means you're tapping into a fast and cost-effective blockchain. It’s all about giving customers their money without the long wait times or high fees.
- NFT Loyalty on Solana: Launching loyalty programs through NFTs on Solana? That’s a brilliant way to engage customers and build a community around your brand. Solana's speed and low transaction costs make it perfect for real-time interactions.
Each of these elements brings unique advantages to the table, making your fintech operations not only modern but also super efficient.
- A solid vendor response should:
- Mention Ethereum, Base, Tron, and Solana with enhanced tracing; show they can automatically support new ERC-20s and SPLs within just a few hours; and demonstrate cross-bridge tracing along with entity attribution for Circle/Tether treasuries.
- Prove they refresh prices every hour for long-tail tokens, ensuring that USD exposures are spot-on for AML thresholds. (trmlabs.com)
- Include OFAC SLS/advanced SDN support (with non-Latin identifiers included) and be prepared for the UK single-list change coming in January 2026, with list-version IDs shown in alerts. (home.treasury.gov)
- Show TRISA/TRP interoperability for cross-border payouts while keeping PII safe in your VPC through a self-hosted Envoy instance. (trisa.io)
- Export a court-ready case package complete with provenance and audit logs.
- A weak response will:
- Throw around terms like “30+ chains” without making it clear what’s meant by screening versus tracing; have unclear source labels; lack a public deprecation policy; and won’t include any dates related to sanctions or Travel Rule interoperability.
12) A note on “market intel” platforms in your stack
You can also send out an RFP for non-AML intelligence platforms (like labeled wallets, portfolio tracking, and growth intelligence). When you do, make sure to ask about:
- Label inventory and how often updates roll out, along with ENS/domain label connections and wallet clustering across different chains. Lately, a few platforms have started tagging domains in their apps and have broadened their reach to cover Bitcoin, Scroll, and various L2s/protocols. Make sure to check their changelogs to back up these claims. (academy.nansen.ai)
- API availability, export rights, and terms of service if you're planning to use those labels for commercial purposes.
Bottom line
Your RFP should really push vendors to demonstrate three key things: (1) solid, up-to-date coverage along with top-notch attribution, (2) their operational readiness for sanctions and any changes related to the Travel Rule in different jurisdictions, and (3) the ability to scale integration while ensuring data lineage can be verified. Check out the question bank and scoring scenarios above to transform those buzzwords into concrete commitments--this way, you can lower your risk during the selection process by focusing on actual evidence instead of just claims.
If you're looking for a ready-to-use, customizable checklist that fits your specific chain/protocol blend and compliance needs, 7Block Labs has got you covered. They can tweak this blueprint for your setup and even run a proof-of-value bakeoff in less than two weeks.

