7Block Labs
Blockchain Technology

By AUJay

What Questions Should I Include in My RFP for Blockchain Intelligence Tools in 2025?


Why an RFP for blockchain intelligence looks different in 2025

The EU's Markets in Crypto-Assets (MiCA) framework has applied in full since December 30, 2024, and its rules for stablecoins have applied since June 30, 2024. The EU’s updated Transfer of Funds Regulation (TFR), which includes the “Travel Rule,” is also in force. The EBA’s guidelines for the Travel Rule have been effective from the same date, raising expectations for counterparty information, data quality, and enforcement across the EEA.

Meanwhile, the EU has launched its new Anti-Money Laundering Authority (AMLA), which is being set up in Frankfurt and will be fully operational by 2025. The aim is tighter supervision of high-risk entities and crypto-asset service providers (CASPs). (Reuters)

In the U.S., FinCEN has proposed a rule that treats convertible virtual currency (CVC) mixing as a major red flag for money laundering, which means heavier reporting requirements are likely. On top of that, OFAC’s enforcement actions, the 50% Rule expectations, and the expansion of export-control “50%” style rules at BIS make it clear that screening against a list alone is no longer enough. RFPs need to probe how vendors manage ownership aggregation, tackle sanctions evasion tactics, and deal with mixer exposure.

Courts and policies are changing as well. In late 2024, a U.S. appeals court issued a ruling that limited OFAC's power over immutable smart contracts, like Tornado Cash. This highlights the importance of tools with clear attribution that you can back up in audits, litigation, and discussions with regulators.

Bottom line: When it comes to 2025 RFPs, it's not just about asking “Do you cover Bitcoin and Ethereum?” You need to dig deeper. Make sure to explore their cross-chain capabilities, data provenance, explainability, compliance-by-design, and enterprise-grade security.


What “blockchain intelligence” includes now

When folks talk about “blockchain intelligence,” they usually refer to one or more of the following:

  • Monitoring transactions (KYT) and screening wallets (both before and after transactions)
  • Assigning entities, clustering, and tracing across chains for investigations
  • Analyzing exposure to DeFi, DEX, bridges, and mixers
  • Managing cases with exports ready for court and keeping detailed audit trails
  • Enhancing Travel Rule and sanctions screening
  • Integrating API/streaming feeds for risk scoring into main systems like payments, fraud detection, and SIEM
  • Offering optional open-source or on-premises analytics for data-sovereign workloads

Here’s the complete set of RFP questions we usually go over with founders, compliance leaders, and security teams.


The 2025 RFP master checklist (with the exact questions to ask)

1) Data coverage, depth, and freshness

Ask for Facts, Not Marketing Claims

When you're digging into a product or service, it’s super important to look beyond the shiny marketing claims. Here’s why you should always ask for the facts instead:

Why Facts Matter

  • Transparency: Companies often use fancy language that sounds great, but facts give you a clearer picture of what you’re getting.
  • Trustworthiness: Verified information builds trust. If a company can back up their claims with hard data, it's a good sign.
  • Informed Decisions: Having the facts helps you make choices that really suit your needs, rather than falling for flashy adjectives.

Tips for Getting the Facts

  1. Do Your Research: Before you buy, check out reviews and testimonials from real users. Websites like Consumer Reports can be super helpful.
  2. Ask Questions: Don’t shy away from reaching out to the company. Ask them for specific data or studies that support their claims.
  3. Look for Lab Tests: If it’s a health or beauty product, see if they have third-party lab test results. These are usually more reliable than just marketing hype.
  4. Check for Certifications: Look for seals or certifications from recognized organizations. They often mean the product has met certain standards.

What to Watch Out For

  • Vague Language: If you see terms like “best,” “leading,” or “top-rated” without any backing, take it with a grain of salt.
  • Unrealistic Promises: Be wary of claims that seem too good to be true. If it sounds miraculous, it probably needs more scrutiny.
  • Exaggerated Comparisons: Watch out for comparisons that don’t stack up. Companies might pit their product against a poorly rated competitor to make themselves look better.

Conclusion

Always dig deeper than the surface of marketing claims. By asking for concrete facts, you can make more informed choices and avoid getting pulled into flashy advertising. Remember, knowledge is power!

  • Break down the chains and tokens you can trace from start to finish during investigations versus those you can only screen for potential risks:

    • Investigations coverage: This includes full graph tracing, clustering, and entity attribution.
    • Screening coverage: Here, we look at address/entity risk and the exposure look-back window.
    • DeFi coverage: This covers DEXs, bridges, MEV relays, and token standards.
  • Freshness and latency:

    • What’s your detection latency like, from an on-chain event to when an alert goes off?
    • How fast do you index new blocks on the big players in L1s and L2s? Please share the chain-by-chain SLAs.
  • Cross-chain specifics:

    • How many bridges and DEXs can you automatically interpret in your investigation views?
    • Can you break down swaps, bridges, and mixers into steps that are easy to understand?

Why It Matters and What’s Changed:

  • Investigations platforms and screening engines are not the same thing. Take Chainalysis, for instance; their Reactor investigations span over 27 blockchains and can trace more than 325 million swaps, plus over 300 bridges and DEXs. On the flip side, their KYT compliance tool focuses on broad screening, covering “400+ networks and 50 million+ tokens” along with real-time alerts. When drafting your RFP, make sure to ask for both detailed breakdowns and testable SLAs. (chainalysis.com)
  • TRM reports that it covers more than 100 chains for screening and over 45 for enhanced tracing. Their latest updates mention 90+ chains for Universal Wallet Screening and a grand total of 102 supported chains, with hourly updates on what's new. So, it’s crucial to clarify whether you're looking at screening or tracing and how often they refresh data for each chain. (trmlabs.com)
  • Elliptic claims to cover 50+ blockchains and supports over 300 bridges. Make sure your RFP includes a complete and dated list of their coverage, as well as a parity matrix to match against your own risk exposure. (elliptic.co)

Sample RFP Prompts:

  • Please share a dated list of supported blockchains for (a) tracing and (b) screening, which should include:
    • Indexing lag (P50/P95), finality assumptions, and alert latency for each chain
    • Coverage for DEX, bridges, mixers, along with any relevant auto-label taxonomies
  • We’d love to see proof of any coverage expansion over the past year (release notes included).

2) Attribution methodology, accuracy, and transparency

What you should ask for:

  • “Glass box” explainability: For every attribution or cluster, make sure to display the source types (think ground truth, on-chain heuristics), provide clear heuristic descriptions, and include confidence scores right in the UI and API.
  • Independent validation: Request peer-reviewed or third-party validation for those false-positive and false-negative rates in clustering. Plus, see if they’re on board with providing expert testimony if needed.

Why it matters:

  • Chainalysis talks about a careful method called “ground truth + deterministic clustering” and backs it up with some outside validation. Meanwhile, TRM digs into the source of truth and how confident they are with each tag, which they refer to as “glass box attribution.” This level of detail is especially helpful after the Tornado Cash ruling, where having solid evidence really counts. (chainalysis.com)

Sample RFP prompts:

  • Can you walk us through your attribution sources, clustering heuristics, and how you incorporate human-in-the-loop QA?
  • Share the precision/recall stats for the top 10 typologies, including sanctions, scams, hacks, darknet, and mixers.
  • Please include example audit reports and court-ready exports for two closed cases.

3) Cross‑chain DeFi and MEV‑aware tracing

What to Check Out:

  • Is the tool capable of automatically tracking assets across L1 and L2 networks, bridges, coin swaps, and DEX routers?
  • Can it recognize address-poisoning, multi-hop wash routes, and complex cross-chain swaps?
  • How does it display sandwich or front-run patterns? Do you look into behaviors influenced by the mempool?

Why Now:

  • More and more investigations are crossing over multiple chains. According to Elliptic, a whopping 33% of complicated cases involve more than 3 chains, while 20% even dig deeper into over 10 chains. This just goes to show how important it is to have solid cross-chain graphing and bridge coverage. (elliptic.co)
  • Some academic research in late 2025 has pointed out new cross-chain sandwich attack surfaces that crop up during bridging flows. It’s definitely time for tools to start tracking these emerging signatures. (arxiv.org)

Sample RFP Prompts

  • Share details on your MEV/sandwich detection features and which bridges you support, along with the versioned decoders you use.
  • Include a redacted sample case that demonstrates cross-chain tracing, specifically showing how swaps and bridges are auto-interpreted.

4) Compliance‑by‑design (Travel Rule, MiCA, sanctions)

Make the Vendor Show You They're Ready for 2025 Obligations:

When you're evaluating potential vendors, it's crucial to ensure they're not just living in the moment but are also gearing up for future demands. Here’s how to make sure they’re on top of things:

  1. Ask About Their Roadmap: Inquire about their strategic plans for 2025 and beyond. What innovations are they working on? How do they plan to adapt to changes in the industry?
  2. Check Compliance Standards: Make sure they’re aware of and compliant with upcoming regulations. Are they keeping up with trends like data privacy, sustainability, and other relevant policies?
  3. Evaluate Their Technology: Look at their tech stack. Is it modern and adaptable? A strong vendor should be using tools and systems that can evolve with the changing landscape.
  4. Request Case Studies: Ask for examples of how they’ve previously adapted to market changes. Hearing real-life stories can provide insight into their capabilities.
  5. Inquire About Their Team: A great vendor is backed by a knowledgeable and forward-thinking team. Get to know the people who will be working with you--do they seem engaged and informed?
  6. Discuss Scalability: Make sure they can grow with your needs. A vendor that can scale their services will be a valuable partner as your company evolves.
  7. Look for Future Partnerships: Are they open to collaborations? A vendor that actively seeks partnerships is likely to stay ahead of trends and bring innovative solutions.

By asking these questions and doing your homework, you’ll be much better positioned to find a vendor that’s not just a good fit for today but also ready for the challenges and opportunities ahead in 2025!

  • Travel Rule (EU TFR) and EBA guidelines:
    • How do you help with checking originator and beneficiary data, along with managing Travel Rule counterparty risk?
    • Can you verify IVMS101 payloads and highlight any missing or invalid fields?
    • Do you work smoothly with popular Travel Rule networks (like TRISA), and can you reliably export and import IVMS101 JSON?

Context and Citations

The EU TFR has applied since December 30, 2024, and the EBA guidelines took effect on the same day. The IVMS101 JSON schemas and the TRISA developer docs are widely used for building standardized payloads. For more details, see the official source: eur-lex.europa.eu.
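Added example (not from the original article, TRISA, or any vendor): a field-level check of the kind the IVMS101 questions above ask a vendor to demonstrate, returning one error record per missing or invalid field. Field names follow the IVMS101 data model; the rule set is a deliberately small subset chosen for this example, and both payloads are constructed.

```python
import re

NATURAL_NAME_TYPES = {"ALIA", "BIRT", "MAID", "LEGL", "MISC"}
LEGAL_NAME_TYPES = {"LEGL", "SHRT", "TRAD"}
COUNTRY_SHAPE = re.compile(r"[A-Z]{2}")  # shape check only, not an ISO 3166 lookup
# A natural-person originator must carry at least one of these.
ORIGINATOR_ID_FIELDS = ("geographicAddress", "nationalIdentification",
                        "customerIdentification", "dateAndPlaceOfBirth")


def check_natural(person, path, is_originator, err):
    names = (person.get("name") or {}).get("nameIdentifier") or []
    if not names:
        err(f"{path}/name/nameIdentifier", "MISSING", "a name is required")
    for j, name in enumerate(names):
        here = f"{path}/name/nameIdentifier/{j}"
        if not str(name.get("primaryIdentifier") or "").strip():
            err(f"{here}/primaryIdentifier", "MISSING", "empty primary name")
        if name.get("nameIdentifierType") not in NATURAL_NAME_TYPES:
            err(f"{here}/nameIdentifierType", "INVALID", "unknown name type code")
    if names and not any(n.get("nameIdentifierType") == "LEGL" for n in names):
        err(f"{path}/name/nameIdentifier", "INVALID", "no legal (LEGL) name present")
    for j, addr in enumerate(person.get("geographicAddress") or []):
        if not COUNTRY_SHAPE.fullmatch(str(addr.get("country") or "")):
            err(f"{path}/geographicAddress/{j}/country", "INVALID",
                "expected a two-letter country code")
    if is_originator and not any(person.get(f) for f in ORIGINATOR_ID_FIELDS):
        err(path, "MISSING",
            "originator needs one of: " + ", ".join(ORIGINATOR_ID_FIELDS))


def check_legal(person, path, is_originator, err):
    names = (person.get("name") or {}).get("nameIdentifier") or []
    if not names:
        err(f"{path}/name/nameIdentifier", "MISSING", "a name is required")
    for j, name in enumerate(names):
        here = f"{path}/name/nameIdentifier/{j}"
        if not str(name.get("legalPersonName") or "").strip():
            err(f"{here}/legalPersonName", "MISSING", "empty legal person name")
        if name.get("legalPersonNameIdentifierType") not in LEGAL_NAME_TYPES:
            err(f"{here}/legalPersonNameIdentifierType", "INVALID",
                "unknown name type code")


def validate_ivms101(payload):
    """Return a list of {'path', 'code', 'message'} records; empty means pass."""
    errors = []

    def err(path, code, message):
        errors.append({"path": path, "code": code, "message": message})

    for role, key in (("originator", "originatorPersons"),
                      ("beneficiary", "beneficiaryPersons")):
        party = payload.get(role)
        if not isinstance(party, dict):
            err(f"/{role}", "MISSING", f"{role} block is required")
            continue
        persons = party.get(key) or []
        if not persons:
            err(f"/{role}/{key}", "MISSING", "at least one person is required")
        for i, person in enumerate(persons):
            base = f"/{role}/{key}/{i}"
            kinds = [k for k in ("naturalPerson", "legalPerson") if k in person]
            if len(kinds) != 1:
                err(base, "INVALID", "exactly one of naturalPerson or legalPerson")
                continue
            check = check_natural if kinds[0] == "naturalPerson" else check_legal
            check(person[kinds[0]], f"{base}/{kinds[0]}", role == "originator", err)
    return errors


def natural(name, **extra):
    """Build a constructed natural-person record carrying a legal name."""
    return {"naturalPerson": {"name": {"nameIdentifier": [
        {"primaryIdentifier": name, "nameIdentifierType": "LEGL"}]}, **extra}}


# Constructed fixtures: one clean payload, one with three planted defects.
GOOD = {
    "originator": {"originatorPersons": [natural("Muster", geographicAddress=[
        {"addressType": "HOME", "townName": "Berlin", "country": "DE"}])]},
    "beneficiary": {"beneficiaryPersons": [natural("Example")]},
}
BAD = {  # bad country value, an originator with no identifying data, no beneficiary
    "originator": {"originatorPersons": [
        natural("Muster", geographicAddress=[
            {"addressType": "HOME", "country": "Germany"}]),
        natural("Doe"),
    ]},
}

if __name__ == "__main__":
    for record in validate_ivms101(BAD):
        print(record["code"], record["path"], "-", record["message"])
```

Feeding the same fixtures to each vendor makes their error responses directly comparable: a tool that reports fewer than the three planted defects in BAD is silently accepting incomplete Travel Rule data.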

  • MiCA readiness:
    • What's the process for flagging non-compliant ARTs/EMTs (like stablecoins) for EEA flows?
    • Is it possible to incorporate NCA guidance (like the ESMA 2025 statement) into our risk models?

Context:

  • The MiCA rules have applied in full since December 30, 2024, with the stablecoin rules applying from June 30, 2024. ESMA’s statement of January 17, 2025 pushes for action against any non-compliant ARTs or EMTs. When putting together your RFP, make sure to ask how the vendor's risk engine adjusts to these dates and to any potential delistings. (finance.ec.europa.eu)
  • Sanctions and the 50% Rule:

    • Is the system able to spot when ownership hits 50% (whether direct or indirect), raise any control warnings, and identify affiliates of sanctioned counterparties?
    • What’s the approach the model takes to incorporate OFAC FAQs and keep up with the new expectations set by BIS's “Affiliates Rule”?

Context:

  • OFAC’s 50% Rule (FAQ 401) calls for a deep dive into ownership analysis; on the other hand, BIS’s 2025 interim final rule is bringing similar guidelines into the export-control space--make sure to ask specifically about how the tool breaks down ownership chains and indirect exposure. (ofac.treasury.gov)
  • Mixers and High-Risk Tools:

    • Are you able to spot any exposure to sanctioned mixers and flag any FinCEN-related triggers linked to CVC mixing patterns?

Context:

  • The Treasury and OFAC have put sanctions on several mixers, like Sinbad, and FinCEN's Notice of Proposed Rulemaking (NPRM) from October 19, 2023, aims to ramp up reporting requirements about mixing exposure. (home.treasury.gov)

Sample RFP Prompts:

  • Please provide a JSON Schema validation for IVMS101, and include some example error responses.
  • Show us how you can demonstrate 50% aggregated ownership detection using a synthetic cap table that includes nested SPVs.
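Added example (not from the original article or any vendor's product): a synthetic cap table with nested SPVs and a reference answer for the 50% aggregation test, so vendor output can be checked against a known result. It follows the reading in OFAC FAQ 401 that an entity owned 50 percent or more in aggregate by blocked persons is itself blocked and its stakes then count in full further down the chain; all entity names and percentages are constructed, and the review queue is an illustrative heuristic, not a regulatory rule.

```python
from collections import defaultdict

THRESHOLD = 50  # percent: "50 percent or more", counted in the aggregate

# Constructed cap table: (owner, owned entity, percent held). All names are fictional.
CAP_TABLE = [
    ("SDN_Alpha", "SPV_One", 60), ("Clean_Fund", "SPV_One", 40),
    ("SDN_Alpha", "SPV_Two", 30), ("SDN_Beta", "SPV_Two", 25),
    ("Clean_Fund", "SPV_Two", 45),
    ("SPV_One", "OpCo", 35), ("SPV_Two", "OpCo", 20), ("Clean_Fund", "OpCo", 45),
    ("SDN_Beta", "HoldCo", 40), ("Clean_Fund", "HoldCo", 60),
    ("HoldCo", "Vessel_Ltd", 80), ("Clean_Fund", "Vessel_Ltd", 20),
]
LISTED = {"SDN_Alpha", "SDN_Beta"}  # stand-ins for designated persons


def holdings(cap_table):
    """Index the cap table as {entity: {owner: percent}}."""
    held = defaultdict(dict)
    for owner, entity, pct in cap_table:
        held[entity][owner] = held[entity].get(owner, 0) + pct
    return held


def blocked_by_ownership(cap_table, listed, threshold=THRESHOLD):
    """Return {entity: {blocked owner: percent}} for entities blocked by aggregation."""
    held = holdings(cap_table)
    blocked = set(listed)
    changed = True
    while changed:  # fixpoint: repeat until no new entity crosses the threshold
        changed = False
        for entity, owners in held.items():
            if entity in blocked:
                continue
            if sum(p for o, p in owners.items() if o in blocked) >= threshold:
                blocked.add(entity)
                changed = True
    return {e: {o: p for o, p in held[e].items() if o in blocked}
            for e in sorted(blocked - set(listed))}


def ownership_paths(entity, evidence, listed, _seen=()):
    """List chains 'listed person -> ... -> entity' with the stake on each hop."""
    paths = []
    for owner, pct in sorted(evidence.get(entity, {}).items()):
        hop = f"{owner} -[{pct}%]-> {entity}"
        if owner in listed:
            paths.append([hop])
        elif owner not in _seen:  # guard against circular holdings
            for upstream in ownership_paths(owner, evidence, listed, _seen + (entity,)):
                paths.append(upstream + [hop])
    return paths


def look_through_pct(entity, held, listed, _seen=()):
    """Multiplied-through interest of listed persons; shown for comparison only."""
    total = 0.0
    for owner, pct in held.get(entity, {}).items():
        if owner in listed:
            total += pct
        elif owner not in _seen:
            total += pct * look_through_pct(owner, held, listed, _seen + (entity,)) / 100
    return total


def review_queue(cap_table, listed, threshold=THRESHOLD):
    """Entities below the blocking threshold that still carry listed-party exposure."""
    held = holdings(cap_table)
    blocked = blocked_by_ownership(cap_table, listed, threshold)
    queue = {}
    for entity in held:
        exposure = look_through_pct(entity, held, listed)
        if entity not in blocked and entity not in listed and exposure > 0:
            queue[entity] = exposure
    return queue


if __name__ == "__main__":
    evidence = blocked_by_ownership(CAP_TABLE, LISTED)
    for entity in evidence:
        print(entity, "blocked; aggregate", sum(evidence[entity].values()), "%")
        for path in ownership_paths(entity, evidence, LISTED):
            print("   ", "  ".join(path))
    print("review:", review_queue(CAP_TABLE, LISTED))
```

OpCo is the case to watch in vendor output: multiplying percentages through the SPVs gives 32%, which falls under the threshold, while aggregating the stakes of the two blocked SPVs gives 55%.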

5) Security, privacy, and deployment options

Must-Have Requests:

  • Certifications and Authorizations: Look for SOC 2 Type II, ISO 27001, and FedRAMP/StateRAMP if you’re dealing with public-sector or defense stuff. Don’t forget about those third-party pen tests and make sure they have data residency covered.
  • Deployment Options: Check if they offer SaaS, regional cloud residency, GovCloud, and environments that are FedRAMP-authorized. You’ll also want to know if they have on-prem or air-gapped options, along with features like BYOK/KMS and key rotation.
  • Privacy Practices: It's essential to confirm they participate in DPF, adhere to GDPR DPA terms, and have clear data retention and erasure schedules. Additionally, make sure there’s robust audit logging in place and that customer data is kept separate.

Recent facts to anchor your questions:

  • TRM scored a big win by getting FedRAMP High authorization on December 17, 2024, thanks to Palantir PFCS‑SS. They’re also prepping for those DoD IL4 and IL5 workloads. On the other hand, Chainalysis Reactor is promoting their cloud, on-prem, and FedRAMP-authorized environments. Make sure to double-check the active listing and boundary. (trmlabs.com)
  • TRM mentions they have SOC 2 Type II and ISO-aligned controls in place. Meanwhile, Chainalysis has a privacy notice that talks about their participation in the EU-U.S. Data Privacy Framework. Don’t forget to ask for those attestations and data-flow diagrams! (trmlabs.com)

Sample RFP prompts:

  • Please share your current SOC 2 Type II report and a pen-test executive summary, but we'll need to keep that under NDA.
  • Can you break down your approach to tenant isolation, as well as how you handle encryption both in transit and at rest? Also, what’s your strategy for secrets management?
  • If we’re looking at on-prem/GovCloud, could you outline the differences in features compared to your commercial SaaS offerings?

6) Integrations, APIs, and data portability

Requirement for Concrete and Testable Technical Detail

When we talk about technical requirements, it's crucial that they are not just vague ideas but rather clear, concrete details that can be tested and validated. Here’s what that means in practice:

What We Need

  • Specificity: Requirements should be explicit about what needs to be achieved. This helps everyone understand the goal without ambiguity. For instance, instead of saying "the system should be fast," specify "the system should process requests in under 200 milliseconds."
  • Measurable Criteria: There should be clear metrics to gauge success. This could involve performance benchmarks, error rates, or user satisfaction ratings. For example, “The application should handle 1,000 concurrent users without performance degradation” sets a clear standard to meet.
  • Testability: Each requirement must be something that can be verified through testing. Ensure that there are defined methods for testing whether the requirement has been met. Use statements like “can be tested using automated scripts to ensure compliance.”

Examples

  • Instead of saying "the software should be user-friendly," a better requirement would be:

    • "At least 80% of users should complete a key task on the first try without requiring assistance."
  • For performance, rather than vague terms like "should be efficient":

    • "The system should utilize no more than 500 MB of RAM during peak loads."

Why It Matters

Having these concrete and testable details isn't just about being thorough; it lays a foundation for successful project execution. When requirements are well-defined:

  • Build Quality: It improves the overall quality of the product as everyone knows what's expected.
  • Reduces Miscommunication: Clear requirements help minimize misunderstandings among team members and stakeholders.
  • Efficient Testing: Testers can create focused test cases based on precise requirements, making it easier to identify any issues before launch.

In the end, having detailed, clear, and testable technical requirements isn't just a box to tick--it's a vital part of delivering a successful product that meets user needs.

  • APIs: a documented versioning policy, rate limits, time-to-first-byte, pagination, bulk endpoints, and webhook/streaming support, like Kafka.
  • SIEM/CTI: STIX/TAXII feeds for indicators, compatibility with Splunk and Elastic, and case-management integrations with tools like ServiceNow and JIRA.
  • Export formats: JSON, CSV, and Parquet, plus graph exports, PDF "court packages," and immutable audit logs.

Anchor Questions in Docs and Performance Claims

  • The Chainalysis KYT API docs (REST/JSON) cover real-time alerting, while TRM Wallet Screening advertises API response times under 400 milliseconds and over 150 customizable risk rules. STIX/TAXII is a go-to for sharing indicators with SIEMs like Splunk.

Sample RFP prompts:

  • Please include your OpenAPI/Swagger specifications and SDKs, and let us know the P95 API latency for wallet screening.
  • Show us how you can share indicators using TAXII into Splunk and provide a daily data extract to S3.

7) Performance, scale, and SLAs

Focus on Metrics, Not Descriptors

When you're trying to understand something, it's way more effective to dig into the numbers rather than just relying on fluffy adjectives. Here’s why measurement matters:

  1. Clarity: Numbers give you clear info. Instead of saying something is "good" or "bad," you can use metrics to show exactly how it performs.
  2. Objectivity: Measurements provide facts that can’t be easily argued. This cuts through personal opinions and biases.
  3. Comparability: With concrete data, you can compare different options side by side. This makes it easier to see which one really stands out.
  4. Track Progress: When you measure things, you can keep tabs on how you’re doing over time. It’s all about showing growth or identifying areas that need work.
  5. Informed Decisions: Ultimately, having solid data helps you make better choices. Instead of guessing, you’re relying on evidence.

So, next time you’re assessing something, remember to prioritize those hard numbers. They tell a clearer story than any descriptive word ever could!

  • SLAs for alerts by chain (P50/P95), and how the backlog behaves during reorganizations and high gas spikes.
  • Backfill SLAs for newly supported chains and for correcting past tagging issues.
  • Case graph scale limits (nodes/edges) and per-tenant rate limits.

Examples and real numbers to ask for:

  • TRM mentions that wallet-screening responses are under 400 ms and that they provide universal screening across over 90 chains. On the flip side, Chainalysis KYT highlights that alerts come in “within seconds” and offer indirect-exposure depth “until an identified service is hit.” Make sure your RFP translates those into clear, measurable SLAs. (trmlabs.com)

8) Features for investigations and recovery

What to check out:

  • Make sure the graph is clear and the auto-interpretation steps (like swaps, bridges, and mixers) are easy to follow. Also, look into toggles for clustering versus address-level details, UTXO change detection, entity portfolio balances, and any guidance on seizures.
  • For case management, keep an eye on the audit logs, collaboration features, and export options that are acceptable to prosecutors.

Recent Platform Examples:

  • TRM “Investigation360”: This tool offers features like audit trails, court-ready exports, seed-phrase analysis at scale, and AI-generated smart contract descriptions using on-chain ABIs, and it doesn’t touch any customer data.
  • Chainalysis: $34 billion in frozen or recovered funds, and over 1,500 organizations already using Reactor. Ask for public casework and for references that match your profile.

Sample RFP prompts:

  • Give us a walkthrough of a multi‑chain hack along with court-ready export artifacts.
  • Demonstrate seed‑phrase analysis and highlight cross‑match hits across all supported chains.

9) Vendor stability, roadmap, and exit

Due Diligence Questions:

  • Can you share your 24-month product roadmap for coverage and DeFi decoders?
  • What’s the plan if a product gets phased out? Is there a data escrow and portability clause in place?

Why Ask:

  • Back in March 2024, Fortune highlighted that Mastercard’s CipherTrace started winding down some of its major products like Armada, Inspector, and Sentry. To steer clear of vendor lock-in, make sure your contract has portability, escrow, and step-in rights. (fortune.com)

  • Coverage proof

    • Please provide a machine-readable list (JSON/CSV) of the supported chains for both screening and tracing. This should include details on token standards and DEX/bridge decoders. Make sure to add the date when each chain went to GA and the P95 indexing lag.
  • Alert quality

    • Share a 30-day sample of screening alerts with ground-truth labels (just redacted, of course). This should include the final dispositions so we can compute precision and recall based on typologies like sanctions, scams, darknet, hacks, and mixers.
  • Ownership aggregation

    • Using the synthetic cap table provided, identify the entities that are blocked under OFAC’s 50% Rule. Also, flag any elevated-risk affiliates according to BIS’s Affiliates-style expectations. Don't forget to include an export of ownership paths. (ofac.treasury.gov)
  • Travel Rule interop

    • Validate the IVMS101 JSON fixtures you sent over. Please present any field-level errors, demonstrate TRISA interop, and show how the workflow handles missing beneficiary and beneficial-owner data. (trisa.dev)
  • Latency & throughput

    • Show that P95 wallet-screening responses are under 500 ms at 100 RPS in a U.S. region. Also, we need to see the alert-generation latency for BTC, ETH, TRON, and SOL during on-chain peak loads. (trmlabs.com)
  • Cross-chain tracing

    • Reconstruct the flow of funds across 5 or more chains using at least two bridges and one coinswap. Please provide auto-interpreted steps along with a final court-ready PDF. (chainalysis.com)

Emerging best practices we’re seeing work

  • Let’s make sure to separate “screening breadth” from “tracing depth” when we’re scoring vendors. They might be able to screen tons of networks, but only dig deep into a few. It’s important to have modality-specific SLAs and coverage matrices in place. (chainalysis.com)
  • We need to push for “glass box” attribution and clustering notes right in the UI/API. This will really help with auditability, especially after the Tornado Cash ruling. (trmlabs.com)
  • Treat DeFi like it’s the real deal! We should aim for auto-decoding of routers, pools, bridges, and coinswaps. Also, make sure that metrics for swaps and bridges are at the contract level, not just the chain level. (chainalysis.com)
  • To align with MiCA and the EU Travel Rule, let’s validate IVMS101 payloads early on. We should ask for schema validation and operational playbooks to handle any incomplete data. (eba.europa.eu)
  • When it comes to sanction exposure controls, let’s go beyond just list-matching. We should look at ownership aggregation to 50% and mixer typologies that align with FinCEN/OFAC patterns. (ofac.treasury.gov)
  • For any public-sector or defense contracts, go for vendors that have FedRAMP authorization and are operating in FedRAMP-authorized environments. It’s crucial to secure data residency and logging for sensitive cases. (trmlabs.com)
  • Let’s ensure indicator portability using STIX/TAXII to connect with your SIEM. This way, investigators and fraud teams can work off the same foundation of truth. (docs.splunk.com)

Design a 10‑day proof‑of‑concept (internal playbook)

Day 1-2: Setting Up the Environment and Data Pipes

  • Get batch and streaming ingestion going; check out OpenAPI specs to make sure everything’s on point; run the IVMS101 validators for those Travel Rule payloads; and set up the SIEM TAXII feeds. (trisa.dev)

Day 3-5: Screening Quality and Latency

  • Run 50k historical wallets through the screening process. Check the precision and recall against our internal dispositions. Measure the P95 latency, and ensure we’re getting sub-second alerts for ETH and TRON. (trmlabs.com)

Day 6-7: Cross-Chain Investigation Challenge

  • Create a synthetic hack using bridge and DEX hops. Make sure to include auto-interpreted steps, UTXO change detection, entity balances, and a court-ready export. (chainalysis.com)

Day 8: Sanctions/Ownership Drill

  • Dive into a nested ownership scenario to check out that 50% aggregation and affiliates-style risk surfacing. Don't forget to export those ownership paths along with the confidence levels. (ofac.treasury.gov)

Day 9: Travel Rule End-to-End

  • Connect with a sandbox VASP and exchange IVMS101 messages. Include some missing or invalid fields to see how they are handled. Double-check the UI/API remediation flows and the audit logs. (trisa.dev)

Day 10: Security and Compliance Review

  • Review the SOC 2 Type II report and pen-test results, check the data residency controls, and look at the FedRAMP boundary if it’s relevant. Also go through the incident response runbook. (trmlabs.com)

Success Metrics:

  • Achieve at least 90% precision on the top three typologies that matter to you.
  • Keep the P95 screening API response time under 500 ms while hitting the target throughput.
  • Ensure complete cross-chain reconstruction with evidence that's easy to export.
  • Pass the IVMS101 validation and remediation workflow.
  • Make sure sanctions ownership aggregation is spot-on for all test cases.

Red flags in 2025 RFP responses

  • “Black box” risk scores with no attribution evidence or confidence levels.
  • No ownership aggregation for sanctions, only simple list matching.
  • A single “coverage number” that doesn’t differentiate between tracing and screening.
  • No STIX/TAXII, SIEM, or case-management integrations.
  • No clear strategy for aligning with MiCA/TFR or keeping IVMS101 data clean.
  • A weak security posture: no SOC 2 Type II and no clear path to FedRAMP compliance where it’s needed.
  • Vague exit provisions and no data portability, which is especially concerning given the history of product shutdowns in this field. (fortune.com)

A quick vendor landscape note (so you can ask sharper questions)

  • TRM Labs: They've got FedRAMP High authorization under their belt and keep the updates rolling in! Recently, they've added some cool features like universal wallet screening across 90+ chains, seed‑phrase analysis, and even AI contract descriptions. It’d be great to clarify how many chains they cover by modality--like screening vs. tracing--and see what their SLAs look like. (trmlabs.com)
  • Chainalysis: Their Reactor tool is already tracing over 27 chains and has some pretty robust DeFi/bridge decoders. Their KYT service offers extensive screening and quick alerts. It’s a good idea to ask about modality splits, audit logs, and what deployment options they provide (on-prem or FedRAMP). (chainalysis.com)
  • Elliptic: They’re claiming coverage for 50+ blockchains and 300+ bridges! It’d be worth validating the depth of their decoders and checking out any cross‑chain case studies they have. (elliptic.co)
  • Open-source option: If your team values complete data sovereignty and wants transparent algorithms, GraphSense could be the way to go. It’s particularly handy for custom or air-gapped workflows, and many teams use it alongside a commercial tool. (graphsense.org)

Final take: how to shortlist fast

  • Design your RFP focusing on measurable, chain-by-chain SLAs, “glass box” attribution, sanctions ownership logic, MiCA/TFR alignment, and FedRAMP/ISO/SOC attestations.
  • Conduct a 10-day PoC that challenges vendors to demonstrate latency, precision/recall, cross-chain decoding, and evidence exports that you’d be ready to stand by in court or when talking to regulators.

If you're on the lookout for a ready-made RFP template or a PoC dataset with ground-truth labels (like bridges, DEXes, mixers, and stablecoins), 7Block Labs has got you covered. We can share a template that's worked really well for both startup exchanges and Fortune 500 fraud teams.


Sources (selected)

  • EU MiCA and TFR key dates, the EBA's guidelines for the Travel Rule, and ESMA and EC statements on stablecoin enforcement. (finance.ec.europa.eu)
  • AMLA launch, timeline, and objectives. (reuters.com)
  • FinCEN NPRM on CVC mixing, OFAC mixer designations, and the 50% Rule FAQs. (fincen.gov)
  • BIS “Affiliates Rule” and its 50% ownership expectations. (ropesgray.com)
  • Vendor and product specifics: TRM FedRAMP High; Chainalysis Reactor/KYT scope and claims; Elliptic coverage of 50+ chains and bridges. (trmlabs.com)
  • STIX/TAXII integration with SIEM. (docs.splunk.com)
  • GraphSense open-source analytics. (graphsense.org)
  • Tornado Cash appellate ruling and its implications for explainability in attribution. (reuters.com)
