By AUJay
Summary: This post gives decision‑makers a ready-to-use RFP template for blockchain wallets plus a rigorous question bank for blockchain analytics/intelligence tools. It reflects 2025–2026 regulatory, accounting, and product changes so your procurement is aligned with today’s risks, features, and obligations.
Blockchain Wallet RFP Template and RFP Questions for Blockchain Analytics and Blockchain Intelligence Tools
Leaders still issuing 2022‑style RFPs for wallets and analytics are missing critical changes: the EU’s Travel Rule enforcement and sanctions‑screening guidelines, new U.S. accounting and custody realities, Ethereum’s Pectra upgrade (EIP‑7702), and major product leaps from top analytics vendors. Below is a practical, detail‑rich template tuned for 2026 procurement, plus the exact questions we ask on client RFPs at 7Block Labs. (eba.europa.eu)
Why your RFP needs an update in 2026
- EU Travel Rule is live, and the EBA’s granular guidance on information requirements has applied since December 30, 2024; complementary EBA guidelines for restrictive‑measures screening by PSPs/CASPs apply from December 30, 2025. Require vendors to prove readiness for both. (eba.europa.eu)
- In the U.S., fair‑value accounting (FASB ASU 2023‑08) is effective for calendar‑year entities beginning January 1, 2025, changing treasury controls, valuation, disclosures, and audit trails your wallet must support. SAB 121’s rollback also widened banks’ path to custody. Your RFP should ask for fair‑value data exports and auditor‑friendly logs. (dart.deloitte.com)
- Ethereum’s Pectra mainnet (May 7, 2025) and EIP‑7702 make policy‑enforced, smart‑account‑like controls standard even for EOAs—shifting what “wallet governance” should enforce natively. (blog.ethereum.org)
- Sanctions context shifted: Tornado Cash was delisted from the SDN list in March 2025 after the Fifth Circuit ruling; your analytics provider must reflect such status changes quickly in risk scoring and audit evidence. (reuters.com)
- Analytics capabilities have jumped: TRM extended coverage to 100 chains with “glass box” PKH clustering and universal wallet screening; Elliptic topped 50+ blockchains; Chainalysis added real‑time fraud/hack prevention via Alterya and Hexagate and rebuilt Reactor. Procure to these new baselines. (trmlabs.com)
Wallet RFP template (copy/paste)
Use this as the skeleton; keep the YAML and checklist structure so vendors must answer in a comparable, machine‑parsable way.
```yaml
rfp:
  title: "Institutional Digital Asset Wallet & Governance Platform"
  issuer:
    company: "YourCo"
    jurisdictions: ["US", "EU", "SG"]
  assets_in_scope: ["BTC", "ETH", "USDC", "SOL", "TON", "ARB", "OP"]
  requirements:
    security_architecture:
      key_management:
        models_supported: ["MPC", "Multi-sig", "HSM-backed MPC", "Cold vault"]
        enclaves_hsm: ["Intel SGX", "AWS Nitro Enclaves", "FIPS 140-3 HSM"]
      certifications: ["SOC 2 Type 2", "SOC 1 Type 2", "ISO 27001/27017/27018", "CCSS Level 3"]
      recovery:
        disaster_recovery_rto: "≤ 4 hours"
        rpo: "≤ 15 minutes"
        recovery_without_vendor: true
    governance_policy_engine:
      rules:
        - value_limits: {per_tx: "$250k", daily: "$5m"}
        - velocity_controls: {per_asset: true}
        - destination_controls: {allowlists: true, blocklists: true, tags: ["mixers", "sanctioned"]}
        - role_based_approvals: {quorum: "M of N", geo_diversity: true}
      enforcement_layer: ["on-chain (smart account)", "off-chain (custody engine)"]
      api_first: true
    compliance_integrations:
      travel_rule:
        providers_supported: ["TRISA", "21 Analytics", "Notabene", "Sygna"]
        pii_encryption: ["mTLS", "DID-based key exchange"]
        unhosted_wallet_proof: ["AOPP", "message signing", "micro-transaction"]
      analytics_screening:
        pre_tx: true
        indirect_risk_detection: true
        universal_wallet_screen: true
    chain_asset_support:
      chains_minimum: 30
      auto_token_support_evm: true
      staking:
        networks: ["ETH", "SOL", "ATOM", "TIA"]
        custody_of_withdrawal_credentials: true
    operational_controls:
      audit_logs:
        immutability: true
        export_formats: ["CSV", "JSON", "Syslog", "SIEM"]
        retention_years: 7
      sso_saml_oidc: true
      scim_user_provisioning: true
    accounting_reporting:
      fasb_fv_exports: ["positions", "lots", "fair_value", "PnL"]
      period_close_cutoff_minutes: 30
  vendor_response:
    implementation_timeline_days: 45
    references:
      similar_clients: 3
      regulated_entities: true
    sla:
      uptime: "99.95%"
      support_response:
        p1: "15 min"
        p2: "1 hour"
      data_freshness_minutes: 5
```
Checklist for attachments vendors must provide:
- Security certifications (SOC 2 Type 2, ISO 27001/17/18, CCSS L3), penetration‑test summary, and architecture diagrams showing MPC/HSM/TEE boundaries.
- Evidence of Travel Rule integrations and PII‑encryption workflow; unhosted wallet ownership verification methods and automation rates.
- Pre‑transaction screening flow with your chosen analytics provider(s), including indirect exposure rules and “fail‑closed” behaviors.
- Proof of accounting‑grade exports suitable for FASB ASU 2023‑08 disclosures and audit workpapers.
- Policy‑engine rule examples matching your risk thresholds; how rules are stored, signed, and attested; change‑management logs. (fireblocks.com)
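To make the "fail‑closed" requirement testable in a pilot, here is an added sketch (not 7Block Labs' or any vendor's code) of a pre‑transaction gate that applies the template's value limits, blocked tags and allowlist. The `PolicyGate` class, the `constructed_screen` client and the sample addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable

# Values mirror the template's governance_policy_engine rules.
PER_TX_LIMIT = Decimal("250000")         # value_limits.per_tx
DAILY_LIMIT = Decimal("5000000")         # value_limits.daily
BLOCKED_TAGS = {"mixers", "sanctioned"}  # destination_controls.tags

# Constructed sample data standing in for an analytics provider's answers.
SAMPLE_TAGS = {"addr-ok": set(), "addr-mix": {"mixers"}, "addr-new": set()}

def constructed_screen(address: str) -> set:
    """Hypothetical screening client; 'addr-timeout' simulates an outage."""
    if address == "addr-timeout":
        raise TimeoutError("screening provider did not answer")
    return SAMPLE_TAGS[address]

@dataclass
class PolicyGate:
    screen: Callable[[str], set]
    allowlist: set
    spent_today: Decimal = Decimal("0")
    audit: list = field(default_factory=list)

    def decide(self, dest: str, usd: Decimal) -> str:
        verdict, reason = self._evaluate(dest, usd)
        if verdict == "ALLOW":
            self.spent_today += usd
        # Every decision, including denials, lands in the audit trail.
        self.audit.append({"dest": dest, "usd": str(usd),
                           "verdict": verdict, "reason": reason})
        return verdict

    def _evaluate(self, dest: str, usd: Decimal):
        if usd > PER_TX_LIMIT:
            return "DENY", "per_tx limit exceeded"
        if self.spent_today + usd > DAILY_LIMIT:
            return "DENY", "daily limit exceeded"
        try:
            # Screen before the allowlist check: an allowlisted address can
            # pick up a risk tag after it was approved.
            hits = set(self.screen(dest)) & BLOCKED_TAGS
        except Exception as exc:
            # Fail closed: an outage or bad response never turns into ALLOW.
            return "DENY", f"screening unavailable ({type(exc).__name__})"
        if hits:
            return "DENY", "risk tags: " + ",".join(sorted(hits))
        if dest not in self.allowlist:
            return "ESCALATE", "destination not on allowlist"
        return "ALLOW", "ok"
```

In a pilot, ask the vendor to show the equivalent of the `audit` entries for a simulated screening outage, since that is the case where a fail‑open default would otherwise go unnoticed.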
What “good” looks like today:
- Fireblocks demonstrates CCSS Level 3, ISO 27001/17/18, SOC 2 Type 2, SGX‑backed MPC‑CMP, and governance policies with integrated compliance screening. Ask for proof and for enclave attestation details. (fireblocks.com)
- BitGo provides qualified custody, SOC 1/2 reports, up to $250M insurance, multi‑sig/MPC options, and NYDFS/OCC credentials—relevant if you require bank‑level controls or ETF‑style segregation. (bitgo.com)
- If you trade on centralized venues, consider an off‑exchange settlement model (e.g., ClearLoop) to eliminate exchange credit risk while keeping collateral in custody. Require vendor API support and policy rules for it. (financefeeds.com)
Blockchain analytics/intelligence RFP question bank
Ask these pointed questions. The goal is to test depth, transparency, coverage, and operational fit—not just a demo graph.
- Coverage and data freshness
  - Exactly how many chains are supported for:
    - Tracing/forensics vs. wallet screening vs. transaction monitoring?
  - What is the SLA for block ingestion and token auto‑support on new EVM deployments?
  - Provide a dated list of chains with “enhanced” tracing vs. “basic” screening and the refresh cadence for each. Expect 40+ enhanced tracing and near‑real‑time screening on 90–100+ chains today. (trmlabs.com)
- Attribution quality and “glass box” clustering
  - Which clustering heuristics do you expose in‑product (e.g., PKH clustering across chains, peeling chain, change‑address heuristics)? Are heuristics visible to investigators?
  - Provide false‑positive/false‑negative examples and confidence scoring. TRM now surfaces PKH clustering and glass‑box attributions; demand similar transparency from others. (chainanalysisinvestigation.com)
- Indirect risk and cross‑chain pathing
  - Do you propagate risk beyond first‑degree interactions, across bridges and hop chains? What path‑agnostic algorithms are used?
  - Show how indirect exposure is computed on Solana/Optimism/Polygon and whether thresholds are configurable. (trmlabs.com)
- Sanctions and regulatory volatility
  - How quickly do you reflect list changes (e.g., Tornado Cash delisting) in screening, and how do you retain historical status for casework? Provide timestamps and audit trails. (reuters.com)
- DeFi/NFT/DEX/MEV coverage
  - Which DEX routers, mixers, privacy pools, bridges, and NFT marketplaces have named entities? How are Uniswap “unlabeled” pools handled?
  - Provide MEV/bot labeling and wash‑trading detection methods.
- TON, Hyperliquid, ZK, and L2 ecosystems
  - Do you support TON, Hyperliquid L1/L2, zkSync, Linea, Mantle, World Chain, Gnosis, XRPL EVM? Provide dates support was added and any coverage gaps. (trmlabs.com)
- Case management and automation
  - Can we run universal wallet screening across all chains with one call? Can alerts and rules be pushed via API to our wallet policy engine? (trmlabs.com)
- Prevention, not just investigation
  - What preventative signals are available (phishing/malware/scam domains, protocol exploit early warnings, transaction simulation gates)? Chainalysis integrated Alterya and Hexagate for proactive fraud/hack prevention—ask competitors for equivalents. (chainalysis.com)
- Model governance and exportability
  - Export graph evidence (JSON/CSV), versioned attributions, and clustering rationale for court or regulator review. Provide data‑lineage documentation and retention schedules.
- Training and TTV
  - What investigator training exists (e.g., TRM Academy modules for TON/Solana/TRON)? Time‑to‑value expectations should be weeks, not months. (trmlabs.com)
- EU restrictive‑measures and Travel Rule alignment
  - How does the platform support EU restrictive‑measures screening policies for CASPs and the EBA Travel Rule guidance (missing/incomplete information workflows, self‑hosted address checks)? Show templates and audit logs. (eba.europa.eu)
- Pricing and TCO
  - Volume tiers for screening/monitoring, overage pricing, case‑storage fees, and penalties for additional chains. Require an all‑in TCO worksheet.
Travel Rule procurement notes (CASP/US MSB ready)
- Implementation scope: ensure your wallet can orchestrate PII‑safe messaging with counterparties and unhosted wallet proofs (AOPP or signed‑message). 21 Analytics provides AOPP and automation; TRISA offers a peer‑to‑peer, CA‑backed Global Directory with mTLS certificates. (21analytics.co)
- Interoperability and rules: Notabene exposes a rules engine to auto‑approve/deny most transfers and a counterparty VASP directory; ask vendors to demonstrate handling of “incomplete data” and jurisdictional nuances in a pre‑funds flow. Fireblocks and Notabene have documented integration patterns. (devx.notabene.id)
- EU specifics: Align your RFP with the EBA Travel Rule Guidelines’ December 30, 2024 application date and the restrictive‑measures guidelines applying from December 30, 2025; require evidence that your vendor screens for circumvention patterns per the EBA. (eba.europa.eu)
Example reference architecture (wallet + analytics + Travel Rule)
- Custody/governance: Fireblocks MPC with SGX enclave storage of key shares; policy rules signed by a quorum of admins; API‑driven approvals. (developers.fireblocks.com)
- Screening and forensics: TRM for universal wallet screening across 90–100 chains, PKH clustering, and indirect risk on Solana/Optimism/Polygon; Chainalysis Hexagate signals to block malicious contract interactions pre‑transaction. (trmlabs.com)
- Travel Rule: TRISA GDS certificate + 21 Analytics (AOPP) for unhosted wallet proofs; Notabene rules approve 98% automatically and escalate exceptions with PII encryption keys provisioned via DID. (trisa.dev)
- Off‑exchange settlement: Copper ClearLoop to trade on connected venues while collateral stays in custody, reducing exchange credit risk. (financefeeds.com)
Emerging best practices to bake into requirements
- Account‑layer policy with EIP‑7702: For smart accounts and EOAs, enforce spending limits, paymasters, and recovery logic at the account layer. Require vendors to show how wallet policy interacts with EIP‑7702 authorizations and rollback/revocation procedures. (blog.ethereum.org)
- Indirect risk by default: De‑risk addresses two to five hops away, across chains and bridges, not just first degree. Require explainable pathing. (trmlabs.com)
- Real‑time prevention: Incorporate fraud and exploit signals before signing—analytics should provide early warnings and simulation‑based blocks. (chainalysis.com)
- EU restrictive‑measures operations: Document screening datasets, performance reviews, and circumvention controls as per EBA guidelines. (eba.europa.eu)
- FASB fair‑value close: Require fair‑value exports by asset/lot with intraday snapshots and audit logs for period close within 30 minutes. (dart.deloitte.com)
In‑depth RFP questions (copy/paste)
Security and governance
- Describe MPC/HSM/TEE boundaries. Provide FIPS‑140‑3 modules, SGX/Nitro attestation evidence, and key‑share geo‑distribution.
- Show how policy rules are stored, signed, and executed (e.g., within enclaves), with change‑control logs and tamper‑evidence. (developers.fireblocks.com)
Compliance and Travel Rule
- Which Travel Rule protocols and directories are natively supported (TRISA GDS, TRP, IVMS101)? Provide message‑level encryption details and how PII keys are rotated.
- Unhosted wallet proof: % automated via AOPP/signed message; median turnaround; fallbacks. (trisa.dev)
Analytics integration
- Name your preferred analytics providers. How do you enforce “fail‑closed” behavior on high‑risk hits, and how do you handle delisted/relisted designations historically? (reuters.com)
Coverage and freshness
- Provide chain coverage tables for enhanced tracing vs. screening, with addition dates for TON, Hyperliquid, World Chain, zkSync, Linea, Mantle, Gnosis, XRPL EVM. (trmlabs.com)
Attribution transparency
- Do investigators see which clustering heuristic (PKH, peeling, change) drove an attribution and its confidence? Provide screenshots and export samples. (trmlabs.com)
Prevention
- List the proactive signals (phishing, scams, protocol vulnerabilities) and how they block transactions via policy engine or signer workflows. (chainalysis.com)
Accounting and audit
- Deliver fair‑value CSV/JSON and reconciliation reports suitable for ASU 2023‑08 footnote disclosures (name, units, cost basis, fair value, restricted balances). (dart.deloitte.com)
Short vendor scoring rubric (customize)
- Security and governance (30%): Certifications, enclave/HSM attestations, recovery plans, policy engine robustness.
- Coverage and analytics quality (25%): Chain breadth/depth, indirect risk, glass‑box clustering, prevention signals. (trmlabs.com)
- Compliance/Travel Rule readiness (20%): EU Travel Rule workflows, restrictive‑measures screening operations, unhosted proofs. (eba.europa.eu)
- Accounting and reporting (15%): Fair‑value exports, audit logs, close support. (dart.deloitte.com)
- Implementation/SLA (10%): TTV, universal screening API, P1 response, data freshness. (trmlabs.com)
Practical examples you can reuse
- TON onboarding: If your app relies on Telegram distribution, require TON tracing and wallet screening in your analytics and test indirect exposure through bridges into your policy engine; TRM added TON and later expanded to 100‑chain screening. (chainanalysisinvestigation.com)
- Hyperliquid/World Chain pilot: For perps or identity‑gated L2 pilots, require proof of analytics coverage and auto‑token support. Chainalysis and TRM both announced support; capture dates in your acceptance criteria. (chainalysis.com)
- Exchange credit‑risk reduction: If you actively trade, include an off‑exchange settlement requirement (e.g., ClearLoop) and make policy rules block direct exchange withdrawals unless the venue is connected via the settlement network. (financefeeds.com)
- Sanctions volatility drills: Run a table‑top exercise simulating a designation change with immediate screening updates and historical retention—Tornado Cash delisting is the real‑world case study to emulate. (reuters.com)
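For the sanctions volatility drill, the property to verify is that a designation change updates current screening without overwriting what was true when an earlier transfer happened. The following added example (not from any vendor's product) models that as an append‑only history with point‑in‑time lookups; the `DesignationHistory` class, the entity name and all dates are constructed for illustration.

```python
from bisect import bisect_right
from datetime import datetime, timezone

class DesignationHistory:
    """Append-only log of list-status changes, queryable as of any instant."""

    def __init__(self):
        self._events = {}  # entity -> [(effective, status, recorded_at), ...]

    def record(self, entity, effective, status, recorded_at):
        if status not in ("listed", "delisted"):
            raise ValueError(f"unknown status: {status}")
        events = self._events.setdefault(entity, [])
        if events and effective <= events[-1][0]:
            raise ValueError("append-only: earlier entries are never rewritten")
        events.append((effective, status, recorded_at))

    def status_at(self, entity, when):
        events = self._events.get(entity, [])
        idx = bisect_right([e[0] for e in events], when)
        return events[idx - 1][1] if idx else "never_listed"

    def propagation_lag_seconds(self, entity):
        """Delay between each change taking effect and the platform recording it."""
        return [(rec - eff).total_seconds()
                for eff, _, rec in self._events.get(entity, [])]

    def case_evidence(self, entity, tx_time, now):
        """Status when the transfer happened versus status at review time."""
        return {"entity": entity,
                "status_at_tx": self.status_at(entity, tx_time),
                "status_now": self.status_at(entity, now)}

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

def constructed_history():
    """Constructed entity and dates, not a real designation record."""
    h = DesignationHistory()
    h.record("EXAMPLE-MIXER", utc(2023, 1, 10, 14, 0), "listed",
             utc(2023, 1, 10, 14, 20))
    h.record("EXAMPLE-MIXER", utc(2025, 6, 2, 9, 0), "delisted",
             utc(2025, 6, 2, 9, 5))
    return h
```

The `propagation_lag_seconds` figures are what the "how quickly do you reflect list changes" question asks vendors to evidence with timestamps.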
Common pitfalls we still see
- “Screen at withdrawal only.” That’s too late. Require pre‑transaction screening on both send and receive, with universal wallet screening and indirect risk across chains. (trmlabs.com)
- “We cover X chains” without tiers. Demand explicit tiers for tracing vs. screening, with SLAs and addition timelines. (trmlabs.com)
- Ignoring EU restrictive‑measures guidance. It’s now specific about screening systems, data sets, and circumvention risks—ask for implementation evidence. (eba.europa.eu)
Next steps
- Copy the YAML template and checklist into your RFP portal.
- Require vendors to attach certification letters, chain coverage matrices with dates, and sample audit exports for ASU 2023‑08.
- Shortlist two wallet vendors and two analytics vendors; run a 30‑day pilot with scripted scenarios (TON inflows, bridge‑mediated risk, off‑exchange settlement, Travel Rule unhosted proof).
If you want a neutral review session, 7Block Labs can score vendor responses against this template and set up a 3‑week pilot script focused on your chains and workflows.

