
By AUJay

Blockchain Wallet RFP Template: Questions for Treasury and Supply Chain Teams

A practical, vendor‑agnostic RFP template for evaluating enterprise wallet solutions across treasury and supply chain workflows, updated for 2025 regulatory, accounting, and technical changes. Use these questions to compare providers on security, compliance, ERP integration, and post‑Dencun L2 economics.

Why this template now (and what changed in 2024–2025)

  • Ethereum’s Dencun upgrade (Mar 13, 2024) introduced EIP‑4844 “blobs,” cutting data costs for rollups and making L2 fees orders of magnitude cheaper—changing the cost calculus for on‑chain settlement, micropayments, and high‑volume reconciliations. Budget and policy questions should assume private/L2 routing by default. (thehemera.com)
  • FASB ASU 2023‑08 requires fair‑value accounting for in‑scope crypto assets for fiscal years beginning after Dec 15, 2024; your RFP must ask for period‑end valuation, lot‑level disclosure support, and audit trails at fair value. (dart.deloitte.com)
  • EU MiCA stablecoin provisions for ARTs/EMTs applied starting Jun 30, 2024; EBA “travel rule” guidelines apply from Dec 30, 2024. Ask issuers/custodians about their authorization status, redemption SLAs, and data handling under MiCA/TFR. (eba.europa.eu)
  • IRS finalized 1099‑DA broker reporting: gross proceeds for transactions on/after Jan 1, 2025; basis for some transactions on/after Jan 1, 2026. Treasury teams should require exports mapping to these instructions. (irs.gov)
  • Pharma/logistics visibility tightened: FDA’s DSCSA package‑level interoperable tracing moved from “stabilization” to phased enforcement milestones through 2025; wallets used for EPCIS 2.0 event signing and data exchange must withstand audits. (fda.gov)
  • Trade documentation is digitizing: DCSA carriers committed to 100% electronic bill of lading (eBL) by 2030 and completed the first standards‑based interoperable eBL transaction in May 2025—your RFP should ask about eBL signing and registry integrations. (dcsa.org)

How to use this RFP

  • Start with the cross‑functional baseline questions for any enterprise wallet.
  • Add the treasury and/or supply‑chain sections relevant to your use cases.
  • Weight responses using the scoring rubric at the end to reflect your risk appetite and go‑live timeline.

Section A — Cross‑functional baseline (security, architecture, governance)

  1. Key management and wallet architecture
    Ask vendors to provide architectural runbooks and independent attestations for each item.
  • Which signing model(s) do you support in production: MPC threshold signing (t‑of‑n), on‑chain multisig, contract‑based smart accounts (EIP‑4337), or co‑custody? Specify algorithms (secp256k1 ECDSA, Ed25519/EdDSA) and threshold parameters configurable per policy. Reference the NIST threshold cryptography roadmap and explain how your design aligns with its distribution‑of‑trust and single‑point‑of‑failure objectives. (csrc.nist.gov)
  • For MPC: where do key shares reside (HSM, enclave, mobile secure element, cloud KMS)? Are shares ever reconstructed? Describe anti‑exfiltration and quorum‑attestation controls.
  • For HSM‑based custody: list current CMVP certificate numbers, security level(s), and whether modules are FIPS 140‑3 validated. Provide links to Security Policies and the validation status page. (csrc.nist.gov)
  • Smart‑account support: do you support ERC‑4337 entry point versions, paymasters, and session keys? Which modular standards (e.g., ERC‑7579; ERC‑7484 module registries) are supported to reduce vendor lock‑in? (eips.ethereum.org)
  • Isolation and blast radius: how are hot, warm, and cold paths segmented? Do you support per‑entity vaults with spend ceilings, velocity limits, and deny‑lists?
  • Recovery: provide detailed runbooks for (a) device loss, (b) share corruption, (c) insider collusion below threshold, (d) ransomware/compromise, and (e) cloud region failure. Include RTO/RPO and last full failover test date/results.
  2. Policy engine and transaction controls
  • Can policies be expressed as code (DSL) with human‑readable diff and approvals? Do you support conditional policies by asset, chain, time window, geography, and counterparty risk score?
  • Transaction simulation before broadcast (fork‑aware, state‑diff, revert reasons) and automatic blocklist checks (OFAC SDN and other lists) with archivable evidence hashes. (ofac.treasury.gov)
  • Private transaction routing options (Flashbots Protect, bloXroute private tx) and configurable fallback to public mempool after N blocks; provide settings for useMempool/timeout and supported builders. (docs.flashbots.net)
  • Support for L2 cost optimization (post‑EIP‑4844 blobs): batching, gas sponsorship via paymasters, and parameterization for blob fee spikes. Show historical fee data and routing logic. (thehemera.com)
  3. Compliance and auditability
  • Travel Rule: demonstrate interoperability with IVMS101 schema and open protocols (e.g., TRISA/TRP), including mTLS, cert pinning, and directory lookups. Provide evidence of successful interop tests. (github.com)
  • EU TFR compliance: how do you enforce EBA guidelines (Dec 30, 2024 applicability) for information accompanying crypto‑asset transfers? Map your data fields to the guideline items. (eba.europa.eu)
  • Sanctions program: provide your screening strategy, list sources (SDN, consolidated lists), update frequency, match thresholds, and escalation procedures aligned to OFAC’s virtual currency guidance. (ofac.treasury.gov)
  • High‑risk flow controls: can you detect/flag interactions with mixers and apply FinCEN NPRM expectations for CVC mixing reporting if finalized? Detail evidence capture. (fincen.gov)
  • Logs and evidence: immutable, tamper‑evident audit logs with cryptographic timestamps; retention by jurisdiction; SOC 2 Type II and ISO/IEC 27001:2022 reports.
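The policy-engine questions in item 2 and the evidence-log questions in item 3 are easier to score when you have a concrete reference to compare vendor answers against. The following is an added example written for this post, not a vendor's code and not anything 7Block Labs ships: a toy policy evaluation (asset and chain allow-lists, a deny-list, a per-transaction ceiling and a daily velocity limit) whose every decision is appended to a hash-chained audit log, so the evidence hash a vendor returns can be re-checked later and any edit or deletion in the archive is detectable. The policy values, addresses and screening-list version string are constructed; the private-routing threshold and the 25-block mempool fallback are assumptions; and the timestamp is a plain clock value where a production system would attach an externally attested one.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample policy (not any vendor's DSL). In practice it lives in version control
# so every change has a human-readable diff and a recorded approval.
POLICY = {
    "allowed_assets": ["USDC", "EURC"],
    "allowed_chains": ["base", "optimism"],
    "per_tx_ceiling_usd": 250_000,
    "velocity_limit_usd_per_day": 1_000_000,
    "deny_list": ["0xdeadbeef00000000000000000000000000000001"],  # constructed address
    "private_route_above_usd": 50_000,  # assumed threshold for private-tx routing
    "mempool_fallback_blocks": 25,      # fall back to the public mempool after N blocks
}
GENESIS = "0" * 64  # previous-hash value for the first log entry


def canonical_hash(obj) -> str:
    """SHA-256 over canonical JSON, so archived evidence can be re-hashed and compared later."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the previous hash, so edits or deletions break the chain."""

    def __init__(self):
        self.entries: List[dict] = []

    def append(self, record: dict, ts: int) -> str:
        # ts is a plain Unix time here; production would attach an externally attested
        # timestamp (e.g. from an RFC 3161 timestamping authority).
        body = {"seq": len(self.entries), "ts": ts,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS, "record": record}
        body["hash"] = canonical_hash({k: body[k] for k in ("seq", "ts", "prev", "record")})
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> Tuple[bool, int]:
        """Recompute every hash and link; returns (ok, index of first bad entry, or count if ok)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            recomputed = canonical_hash({k: e[k] for k in ("seq", "ts", "prev", "record")})
            if e["seq"] != i or e["prev"] != prev or e["hash"] != recomputed:
                return False, i
            prev = e["hash"]
        return True, len(self.entries)


@dataclass
class Decision:
    approved: bool
    reasons: List[str]
    route: str                  # "private" or "public"
    fallback_after_blocks: int
    evidence_hash: str          # hash of the audit-log entry recording this decision


class PolicyEngine:
    def __init__(self, policy: dict, log: AuditLog):
        self.policy = policy
        self.policy_hash = canonical_hash(policy)   # pins which policy version made the decision
        self.log = log
        self.spent_today_usd: Dict[str, int] = {}  # per-entity velocity counter (in-memory for the demo)

    def evaluate(self, tx: dict, screening_list_version: str, ts: int) -> Decision:
        p, reasons = self.policy, []
        if tx["asset"] not in p["allowed_assets"]:
            reasons.append(f"asset {tx['asset']} not permitted")
        if tx["chain"] not in p["allowed_chains"]:
            reasons.append(f"chain {tx['chain']} not permitted")
        if tx["to"].lower() in p["deny_list"]:
            reasons.append("destination address is deny-listed")
        if tx["amount_usd"] > p["per_tx_ceiling_usd"]:
            reasons.append("amount exceeds per-transaction ceiling")
        spent = self.spent_today_usd.get(tx["entity"], 0)
        if spent + tx["amount_usd"] > p["velocity_limit_usd_per_day"]:
            reasons.append("amount exceeds daily velocity limit")
        approved = not reasons
        if approved:
            self.spent_today_usd[tx["entity"]] = spent + tx["amount_usd"]  # only approved spend counts
        # Large transfers are routed privately; the fallback window is part of the evidence record.
        route = "private" if tx["amount_usd"] >= p["private_route_above_usd"] else "public"
        record = {"tx": tx, "policy_hash": self.policy_hash,
                  "screening_list_version": screening_list_version,
                  "approved": approved, "reasons": reasons, "route": route}
        return Decision(approved, reasons, route, p["mempool_fallback_blocks"], self.log.append(record, ts))
```

When reviewing a vendor's answer, ask for the equivalent of `verify()` over an exported log and for the policy hash inside each evidence record; without both, an auditor cannot tell which policy version decided or whether the archive was altered.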

Section B — Treasury RFP questions (payments, liquidity, reporting)

  1. Stablecoin coverage, issuance, and redemptions
  • Which fiat‑backed stablecoins do you support natively (USDC, EURC, PYUSD, etc.) across which networks (Ethereum mainnet/L2s, Solana, etc.)? For EU clients, identify whether the issuer is authorized under MiCA as an EMI (e.g., Circle SAS) and your redemption pathways under issuer terms. Provide region‑specific SLAs for mint/redeem. (cnbc.com)
  • How do you handle fungibility when the same token is issued by EU and non‑EU entities (e.g., EMTs under MiCA) and ensure EU redemption rights—process, disclosures, and counterparty selection? (reuters.com)
  • Do you enforce maximum per‑transfer counterparty risk thresholds and deny‑list rules at policy level for non‑authorized stablecoins in the EU?
  2. Payments operations (on/off‑ramp, ERP, and bank connectivity)
  • ERP integration: Do you offer native connectors or APIs for SAP, Oracle, and NetSuite? For SAP, do you integrate with the Digital Currency Hub via SAP Multi‑Bank Connectivity and support statement imports and partner address books? List supported stablecoins/networks and statement formats. (sap.com)
  • On/off‑ramp partners and bank rails: settlement cutoffs, pre‑funding requirements, and reconciliation file formats (ISO 20022 CAMT, CSV, JSON).
  • Cross‑border: default to private‑tx or L2 routing; provide expected end‑to‑end latency and effective cost per payment at typical sizes ($100, $10k, $1m) with assumptions.
  3. Accounting and tax reporting
  • ASU 2023‑08: prove support for period‑end fair‑value measurement, gain/loss recognition in net income, and required disclosures (name, units, cost basis, fair value, restrictions) at asset‑level. Provide export schemas and SOX controls. (dart.deloitte.com)
  • 1099‑DA readiness (US): provide 2025 gross‑proceeds exports and 2026 basis fields mapping to IRS boxes, with client‑side reconciliation support and audit trails. Include transition relief considerations and TIN matching workflows. (irs.gov)
  • Close automation: show period‑end snapshots, multi‑entity consolidation, FX rates, and lot‑level PnL methods (FIFO/specific ID).
  4. Liquidity and risk
  • Cash management: multi‑chain balance views, sweep rules, and automated movement between mainnet/L2 to optimize gas fees post‑Dencun. (thehemera.com)
  • Counterparty and address risk: analytics integrations and pre‑trade risk scores; policy‑driven blocks for sanctioned or high‑risk clusters (with evidence storage). (ofac.treasury.gov)
  • Private‑tx default for market‑moving treasury ops (e.g., large redemptions, rebalancing): supported relays/builders, fallbacks, and monitoring. (docs.flashbots.net)
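The lot-level questions in item 3 (ASU 2023‑08 fair-value fields and FIFO/specific‑ID PnL) are easiest to score against a small reference. This is an added example written for this post, not vendor code and not 7Block Labs tooling: it keeps one asset's lots for one entity, relieves them FIFO by default or by specific identification on disposal, and produces the period-end fields ASU 2023‑08 asks for (name, units, cost basis, fair value, restrictions). The asset, lot ids, prices and the `restrictions` string are constructed, and the unrealized figure is measured against cost basis rather than the prior period's carrying amount, which is a simplification of period-to-period remeasurement.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple


@dataclass
class Lot:
    lot_id: str
    units: Decimal
    cost_per_unit: Decimal   # acquisition cost in the reporting currency


class LotLedger:
    """Lot-level ledger for one crypto asset held by one entity (constructed example)."""

    def __init__(self, asset: str, restrictions: str = "none"):
        self.asset = asset
        self.restrictions = restrictions   # e.g. lock-ups; part of the required disclosure
        self.lots: List[Lot] = []
        self.realized = Decimal("0")       # cumulative realized gain/loss on disposals

    def acquire(self, lot_id: str, units, cost_per_unit) -> None:
        self.lots.append(Lot(lot_id, Decimal(units), Decimal(cost_per_unit)))

    def dispose(self, units, price_per_unit, lot_id: Optional[str] = None) -> List[Tuple[str, Decimal, Decimal]]:
        """Relieve lots FIFO by default, or by specific identification when lot_id is given.
        Returns (lot_id, units taken, realized gain/loss) for each lot touched."""
        remaining, price = Decimal(units), Decimal(price_per_unit)
        candidates = self.lots if lot_id is None else [l for l in self.lots if l.lot_id == lot_id]
        consumed = []
        for lot in list(candidates):          # copy: we remove exhausted lots while iterating
            if remaining == 0:
                break
            take = min(lot.units, remaining)
            gain = take * (price - lot.cost_per_unit)
            self.realized += gain
            consumed.append((lot.lot_id, take, gain))
            lot.units -= take
            remaining -= take
            if lot.units == 0:
                self.lots.remove(lot)
        if remaining > 0:
            raise ValueError(f"insufficient units in selected lots: {remaining} short")
        return consumed

    def period_end(self, fair_value_per_unit) -> Dict:
        """Fair-value measurement plus the ASU 2023-08 disclosure fields for the remaining lots."""
        fv = Decimal(fair_value_per_unit)
        rows = [{"lot": l.lot_id, "units": l.units, "cost_basis": l.units * l.cost_per_unit,
                 "fair_value": l.units * fv} for l in self.lots]
        cost_basis = sum((r["cost_basis"] for r in rows), Decimal("0"))
        fair_value = sum((r["fair_value"] for r in rows), Decimal("0"))
        return {
            "name": self.asset,
            "units": sum((l.units for l in self.lots), Decimal("0")),
            "cost_basis": cost_basis,
            "fair_value": fair_value,
            "restrictions": self.restrictions,
            # Cumulative remeasurement versus cost; under ASU 2023-08 fair-value changes go through net income.
            "unrealized": fair_value - cost_basis,
            "realized": self.realized,
            "lots": rows,
        }
```

Decimal rather than float is deliberate: audit tie-outs to the GL fail on float rounding long before they fail on method choice. A vendor export should let you reproduce `period_end()` from the lot rows alone.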

Section C — Supply chain RFP questions (track‑and‑trace, e‑documents, IoT)

  1. Event capture, signing, and interoperability
  • EPCIS 2.0: do you ingest/emit EPCIS 2.0 JSON/JSON‑LD with REST capture/query and GS1 Digital Link URIs? Provide schemas, version support, and signature/attestation options for event integrity. (gs1.org)
  • DSCSA (U.S. pharma): show how your wallet and event service support package‑level tracing, verification of identifiers, exception handling, and FDA inquiries/audits under the 2025 enforcement phases. Include your approach to master‑data mismatches and saleable returns. (fda.gov)
  • Chain selection: when do you anchor supply‑chain proofs on public L2s vs. permissioned ledgers? Provide cost/performance after EIP‑4844 and fallback if blob prices spike. (thehemera.com)
  2. Trade documents and payments coupling
  • eBL: which eBL providers/registries are integrated? Demonstrate signing flows aligned with DCSA standards and how you handle title transfer, endorsement, and interoperability without vendor lock‑in (May 2025 milestone). (dcsa.org)
  • Milestone‑based payouts: support for escrowed release (smart‑contract or policy‑enforced) keyed to EPCIS or eBL state changes; simulation and exception reviews before funds move.
  3. Device and operator wallets
  • Warehouse/IoT: device‑bound credentials, M2M spending limits, and credential rotation. Human approval via FIDO2/WebAuthn; offline signing modes for intermittent connectivity.
  • Field ops: per‑shipment, per‑consignment wallets with automatic address assignment and reconciliation back to WMS/TMS/ERP.

Section D — Privacy, data protection, and residency

  • PII minimization: confirm that PII for Travel Rule is exchanged off‑chain using encrypted channels (e.g., TRISA/TRP), never stored on public ledgers, and retained per jurisdictional schedules. (trisa.dev)
  • Data residency: deployment options (single‑tenant VPC, on‑prem, EU region) and how you segregate logs/keys by geography.
  • Evidence packaging: provide cryptographic receipts (hash chains, timestamps) for every compliance decision.

Section E — Resilience, assurance, and SLAs

  • Availability and performance SLAs by region; L2 relayer/bundler redundancy and RPC diversity.
  • Third‑party assurance: SOC 2 Type II, ISO/IEC 27001:2022, pen‑test reports, bug bounty scope.
  • Cryptographic agility: roadmap for algorithm upgrades (e.g., new 4337 EntryPoint, module registries such as ERC‑7484). (eips.ethereum.org)
  • Disaster testing: last game‑day exercise for key‑loss and region failover; evidence of results and corrective actions.

Example “copy‑paste” RFP questions (shortlist)

  • Describe your threshold‑signing (MPC) architecture, quorum configurations, and how it maps to NIST’s threshold‑cryptography principles for distributing trust. Include diagrams and formal threat models. (csrc.nist.gov)
  • Provide your FIPS 140‑3 validation certificate numbers and Security Policies for cryptographic modules in production. If not validated, specify compensating controls and roadmap dates. (csrc.nist.gov)
  • Show how your policy engine enforces private‑transaction routing (Flashbots Protect or equivalent) with fallback after N blocks; include settings and monitoring dashboards. (docs.flashbots.net)
  • EU travel rule: supply your data model mapped to EBA guidelines effective Dec 30, 2024, and evidence of conformance tests. (eba.europa.eu)
  • Accounting: export samples that satisfy ASU 2023‑08 fair‑value disclosures by asset (name, units, cost basis, fair value, restrictions) and tie‑out to GL. (dart.deloitte.com)
  • Tax: provide 1099‑DA mapping for 2025 and 2026 phases and your approach to basis for covered vs non‑covered securities. (irs.gov)
  • Supply chain: demonstrate EPCIS 2.0 event signatures, eBL endorsement flows aligned with DCSA standards, and exception worklists before milestone‑based payouts. (gs1.org)

Scoring rubric (tune to your priorities)

  • Security and key management (25%): threshold signing rigor, FIPS status, recovery runbooks.
  • Compliance and auditability (20%): Travel Rule/EBA mapping, OFAC workflow, evidence packaging; DSCSA/eBL where relevant. (eba.europa.eu)
  • Payments, liquidity, and ERP integration (20%): stablecoin issuer coverage (MiCA), SAP/Oracle connectors, on/off‑ramp SLAs. (cnbc.com)
  • Cost/performance (15%): L2 routing, private‑tx options, and post‑EIP‑4844 gas optimization. (thehemera.com)
  • Accounting and tax (10%): ASU 2023‑08 and 1099‑DA readiness. (dart.deloitte.com)
  • Vendor assurance and roadmap (10%): SOC 2/ISO, pen tests, AA roadmap (4337/7579). (eips.ethereum.org)

Worked examples: what “good” looks like

  1. Treasury: US subsidiary settling EUR supplier invoice in USDC on L2
  • Pre‑trade checks: supplier VASP handshake via TRISA; IVMS101 payload exchanged; counterparty risk screened; policy approves. (trisa.dev)
  • Route and fees: simulate on Base/OP Mainnet; choose private‑tx path with builder set; estimated total cost <$0.05 after EIP‑4844; commit with fallback to mempool after 25 blocks. (thehemera.com)
  • Accounting: lot selection, FX rate, real‑time fair value; export ASU 2023‑08‑compliant disclosures. (dart.deloitte.com)
  • Tax: include proceeds/basis fields for 1099‑DA exports if brokered; otherwise internal records for support. (irs.gov)
  2. Pharma supply chain: package‑level trace and milestone payment
  • EPCIS 2.0 event stream (commission, pack, ship, receive) signed and anchored periodically; exceptions flagged; DSCSA queries supported. (gs1.org)
  • eBL: title transfer and endorsement captured through DCSA‑aligned eBL; smart‑contract escrow releases 30% on “loaded on vessel” and remainder on “out‑turn” after event verification. (dcsa.org)
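For the pharma example above, here is an added reference implementation of the two linked mechanics, event attestation and milestone-gated release. It was written for this post and is not code from GS1, DCSA, or any wallet vendor. The event is a minimal EPCIS 2.0‑style ObjectEvent with constructed GS1 Digital Link and bizStep URIs (the milestone steps are custom values, not CBV standard ones, and in practice "loaded on vessel" and "out‑turn" would come from the eBL side); HMAC‑SHA256 under a constructed key stands in for the Ed25519 wallet signature a production deployment would use; the 30%/remainder split is taken from the example. The escrow refuses unverified, out-of-order, replayed, and wrong-shipment events and puts each rejection on a worklist for the exception review the example calls for.

```python
import hashlib
import hmac
import json
from typing import List, Tuple

# Constructed demo key. The page's production option is an Ed25519 signature from the
# device/operator wallet; HMAC-SHA256 stands in here so the example needs only the stdlib.
ATTEST_KEY = b"constructed-demo-attestation-key"

# Constructed milestone mapping: custom EPCIS bizStep URIs (not CBV-standard values) -> release %.
MILESTONES: List[Tuple[str, int]] = [
    ("urn:example:bizstep:loaded_on_vessel", 30),
    ("urn:example:bizstep:out_turn", 70),
]


def canonical(event: dict) -> bytes:
    """Deterministic JSON encoding so signer and verifier hash identical bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def attest(event: dict) -> str:
    return hmac.new(ATTEST_KEY, canonical(event), hashlib.sha256).hexdigest()


def verify(event: dict, tag: str) -> bool:
    return hmac.compare_digest(attest(event), tag)


def make_event(shipment_id: str, biz_step: str, event_time: str) -> dict:
    """Minimal EPCIS 2.0-style ObjectEvent (constructed; only the fields this example uses)."""
    return {
        "type": "ObjectEvent",
        "eventTime": event_time,
        "action": "OBSERVE",
        "bizStep": biz_step,
        "epcList": [f"https://id.gs1.org/00/{shipment_id}"],  # constructed GS1 Digital Link (SSCC-style)
        "bizTransactionList": [{"type": "urn:example:btt:shipment", "bizTransaction": shipment_id}],
    }


class MilestoneEscrow:
    """Releases escrowed funds only on verified, in-order milestone events for one shipment."""

    def __init__(self, shipment_id: str, amount: int):
        self.shipment_id = shipment_id
        self.amount = amount
        self.released = 0
        self.stage = 0                   # index of the next expected milestone
        self.worklist: List[str] = []    # exceptions for human review before anything moves

    def process(self, event: dict, tag: str) -> int:
        """Return the amount released for this event (0 when rejected or ignored)."""
        if not verify(event, tag):
            self.worklist.append("attestation failed")
            return 0
        refs = [b["bizTransaction"] for b in event.get("bizTransactionList", [])]
        if self.shipment_id not in refs:
            self.worklist.append("event does not reference this shipment")
            return 0
        if self.stage >= len(MILESTONES):
            self.worklist.append("escrow already fully released")
            return 0
        expected_step, pct = MILESTONES[self.stage]
        if event.get("bizStep") != expected_step:
            self.worklist.append(f"out-of-order or duplicate milestone: {event.get('bizStep')}")
            return 0
        # The final milestone releases whatever remains, so integer rounding never strands funds.
        last = self.stage == len(MILESTONES) - 1
        payout = self.amount - self.released if last else self.amount * pct // 100
        self.released += payout
        self.stage += 1
        return payout
```

The property to test a vendor on is the same one the block enforces: funds move only when the event verifies, names this shipment, and is the next milestone in sequence; everything else lands on a worklist rather than being silently dropped.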

Emerging best practices we’re seeing in 2025

  • Default‑private routing for sensitive flows (treasury moves, large trade payments), with builder diversity and mempool fallback policies. (docs.flashbots.net)
  • Smart‑account adoption with modular standards (ERC‑7579 + ERC‑7484 registries) to avoid wallet vendor lock‑in and to express granular approvals/session keys. (eips.ethereum.org)
  • MiCA‑aware stablecoin operations: prefer issuers with EU EMI authorization for EU flows; segregate policies for non‑authorized tokens and document redemption SLAs. (cnbc.com)
  • L2‑first cost policies post‑EIP‑4844: batch small payouts, sponsor gas via paymasters, and monitor blob fee spikes. (thehemera.com)
  • Travel Rule interop via open implementations (TRISA/TRP) to lower bilateral integration friction and keep PII off‑chain. (trisa.dev)
  • Supply‑chain digitization: eBL integration planning now (ahead of 2030 mandate) and EPCIS 2.0 event signatures to make payments conditional on verifiable logistics state. (dcsa.org)

Final checklist for your RFP package

  • Architecture diagrams with MPC/multisig/smart‑account details, threat model, and dependency inventory.
  • Evidence pack: FIPS 140‑3 validation info; SOC 2/ISO certificates; pen‑test summary. (csrc.nist.gov)
  • Compliance mappings: EBA travel‑rule checklist; OFAC program memo; FinCEN CVC‑mixing stance; MiCA issuer statuses by token. (eba.europa.eu)
  • ERP runbooks: SAP Digital Currency Hub integration plan; reconciliation and close checklist. (sap.com)
  • Accounting/tax samples: ASU 2023‑08 disclosures and 1099‑DA mappings. (dart.deloitte.com)
  • Supply‑chain annex: EPCIS 2.0 schemas and signatures, eBL provider integrations, DSCSA audit flow. (gs1.org)

What 7Block Labs can help you do next

  • Co‑draft the RFP with weighting aligned to your risk and go‑live horizon.
  • Run bake‑offs: scripted scenarios (e.g., private‑tx settlement + eBL endorsement) across shortlisted vendors.
  • Design control libraries that align ASU 2023‑08, 1099‑DA, EBA travel‑rule, and DSCSA into one evidence pack for auditors. (dart.deloitte.com)

If you use the sections above as your backbone, you’ll separate marketing claims from operational reality—and choose a wallet platform that’s safe, compliant, and inexpensive to run at scale in 2025.


© 2025 7BlockLabs. All rights reserved.