7Block Labs

By AUJay

What Questions Should I Include in My RFP for Blockchain Analytics or Blockchain Intelligence Tools?

Summary: This guide gives decision-makers a concrete, current checklist of RFP questions for selecting blockchain analytics and intelligence vendors, with precise criteria, emerging regulatory requirements, and examples drawn from recent product and policy changes. Use it to cut through marketing claims and evaluate coverage, accuracy, compliance, integration, security, and total cost of ownership.


Why an RFP for blockchain analytics is different in 2025

Blockchains, assets, and regulations now change faster than most procurement cycles. Vendor capabilities can expand (e.g., new L1/L2 coverage, cross-chain tracing) or retract (e.g., product deprecations) within a single quarter. Your RFP must test for breadth across chains and tokens, the quality and auditability of attribution, and the vendor’s ability to keep pace with sanctions and Travel Rule changes across jurisdictions.

  • Example vendor shifts to factor into your RFP:

    • TRM Labs expanded investigation and screening coverage through 2025, reporting 36 blockchains in April 2025 for Forensics plus ownership-risk coverage across 89 chains; by July 2025 they stated 100 blockchains for risk screening and 42 with enhanced tracing. (trmlabs.com)
    • Chainalysis added new networks (e.g., X Layer in June 2025; Kaia in August 2025) and emphasizes automatic token support across new ERC standards and cross-chain tracing across 300+ bridges/DEXs. (chainalysis.com)
    • Elliptic reports coverage of 50+ blockchains and 97% of cryptoassets by trading volume, including multi-network screening for major stablecoins. (elliptic.co)
    • Mastercard-owned CipherTrace notified clients in March 2024 it was shutting down key products (Armada, Inspector, Sentry)—an instructive reminder to vet vendor continuity and exit plans. (fortune.com)
  • Regulatory baselines are moving:

    • The EU’s revised Travel Rule (Regulation (EU) 2023/1113) has applied since December 30, 2024; the EBA’s final guidelines specify how CASPs should detect and handle missing data. (eur-lex.europa.eu)
    • FATF streamlined Recommendation 16 in June 2025 to increase payment transparency—include this in Travel Rule questions. (fatf-gafi.org)
    • OFAC launched the Sanctions List Service (SLS) in May 2024 and introduced an advanced SDN data format in 2025; ask vendors to support these data models natively. (home.treasury.gov)
    • The UK will retire OFSI’s consolidated list and move to a single UK Sanctions List on January 28, 2026—vendors should already be ready. (gov.uk)

The rest of this post is an RFP blueprint you can copy-paste and tailor.


1) Coverage and attribution: do they actually see what you need?

Ask for specifics by chain, token standard, and entity coverage—not just “we support 30+ chains.”

  • Chain and token coverage

    • List all supported chains/networks (L1/L2/app chains), including recent additions in 2025, with dates when coverage became Generally Available and which products have “enhanced tracing” vs. basic screening.
    • Confirm auto-token support for ERC-20/721/1155 and equivalent standards on integrated chains (e.g., vendors like Chainalysis advertise automatic token onboarding for new deployments on supported EVM chains). (chainalysis.com)
    • Specify DeFi protocols, bridges, and DEXs decoded out-of-the-box (e.g., “300+ bridges/DEXs supported” claims) and how quickly new contracts/AMMs are decoded after launch. (chainalysis.com)
  • Address/entity attribution quality

    • Provide the number of real-world counterparties/services attributed (e.g., Chainalysis cites 134k+ unique counterparties) and the QA process for labels (human review, OSINT corroboration, confidence scores). (chainalysis.com)
    • Share precision/recall metrics for attribution and the cadence for re-validation; explain how mislabels are corrected and propagated.
    • Show provenance for every label (time-stamped evidence, links to on-chain proofs, investigative notes) exportable with your case.
  • Cross-chain entity resolution

    • Demonstrate how a single entity is resolved across chains (e.g., stablecoin treasury wallets across Ethereum, Tron, Solana; bridges; MEV relayers).
    • Provide examples of multi-hop tracing across bridges and DEXs, with automatic interpretation of swaps and wraps.
  • Privacy-focused assets

    • State capabilities and limits for Monero and shielded Zcash. Require a frank write-up of what is and isn’t traceable, and when only exposure-based risk (e.g., exchange ingress/egress, instant exchangers) is possible; cite any reliance on off-chain evidence. (Public reporting underscores that sophisticated privacy-coin usage complicates tracing and often requires non-chain evidence.) (arstechnica.com)
  • Coverage volatility and roadmap

    • Request 18–24 month roadmaps, with SLA-like commitments for bringing new chains live (e.g., OKX X Layer, Kaia, Plasma integrations in 2025 show how fast coverage can expand). Ask for minimum quarterly release notes and deprecation policies (Bitquery publicly deprecates low-adoption chains—know how your vendor handles this). (chainalysis.com)

Practical example: If you operate on Ethereum, Base, Solana, and Tron, require the vendor to demonstrate same-day decoding for new ERC-20s on Base, SPL tokens on Solana, and TRC-20s on Tron, plus automatic label propagation across bridges you use for treasury operations.


2) Data freshness, completeness, and engineering rigor

You’ll want auditable freshness targets and transparency into how data is ingested, decoded, and reconciled.

  • Freshness and latency

    • Define per-chain ingestion latency targets (e.g., <60s post-finality for EVM, <2 minutes for Solana slots), plus how reorgs are handled and backfilled.
    • Require hourly or better refresh for price and metadata so risk scoring reflects true USD equivalents, especially for illiquid assets (TRM highlighted cutting the “time to add” for new asset prices to hours). (trmlabs.com)
  • Completeness and decoding

    • Confirm full archival coverage since genesis; include traces, internal calls, decode coverage for ERC-20/721/1155, Solana program logs, Cosmos IBC events.
    • Ask how the vendor tests ABI decoders and upgrades them when protocols release new versions (e.g., Uniswap v4 hooks).
  • Cross-checks and external references

    • If you rely on self-serve analytics, confirm availability of raw, normalized datasets (e.g., delivery to Snowflake, BigQuery, S3) and compatibility with public datasets for validation (Google’s BigQuery public crypto datasets are useful baselines). (cloud.google.com)
  • Audit trails and reproducibility

    • Require immutable lineage: from raw node data → parsed → normalized tables → attribution → output artifacts, with versioning so your findings are reproducible in court or audits.
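
The lineage requirement above can be tested during a bake-off with a hash-chained manifest: each stage records the digest of its artifact, the pipeline version that produced it, and the hash of the previous record, so any later change is detectable. This is an added example, not code from any vendor; the stage names follow the bullet above, and the record fields and sample data are assumptions constructed for illustration.

```python
import hashlib
import json

STAGES = ["raw", "parsed", "normalized", "attribution", "output"]
GENESIS = "0" * 64

def digest(obj) -> str:
    """SHA-256 over canonical JSON, so equal content always hashes equally."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def build_manifest(artifacts: dict, versions: dict) -> list:
    """One record per stage; each record commits to the record before it."""
    manifest, prev = [], GENESIS
    for stage in STAGES:
        record = {
            "stage": stage,
            "pipeline_version": versions[stage],
            "artifact_sha256": digest(artifacts[stage]),
            "prev_record_sha256": prev,
        }
        record["record_sha256"] = prev = digest(record)
        manifest.append(record)
    return manifest

def verify_manifest(manifest: list, artifacts: dict) -> list:
    """Return every discrepancy found; an empty list means the chain holds."""
    problems, prev = [], GENESIS
    if [r["stage"] for r in manifest] != STAGES:
        problems.append("manifest: stages missing or out of order")
    for record in manifest:
        stage = record["stage"]
        body = {k: v for k, v in record.items() if k != "record_sha256"}
        if record["prev_record_sha256"] != prev:
            problems.append(f"{stage}: chain broken")
        if digest(body) != record["record_sha256"]:
            problems.append(f"{stage}: record altered")
        if stage not in artifacts or digest(artifacts[stage]) != record["artifact_sha256"]:
            problems.append(f"{stage}: artifact does not match manifest")
        prev = record["record_sha256"]
    return problems

# Constructed sample data: one transfer followed through the five stages.
SAMPLE_ARTIFACTS = {
    "raw": {"block": 100, "tx": "0xsample", "log_data": "00ff"},
    "parsed": {"event": "Transfer", "from": "addr-a", "to": "addr-b", "value": 255},
    "normalized": {"asset": "SAMPLE", "amount": "255", "usd": "255.00"},
    "attribution": {"addr-b": {"label": "Example Exchange", "confidence": 0.9}},
    "output": {"case": "CASE-1", "finding": "addr-a sent funds to Example Exchange"},
}
SAMPLE_VERSIONS = {"raw": "node-1.0", "parsed": "decoder-2.3", "normalized": "schema-5",
                   "attribution": "labels-2025-07-01", "output": "report-1.1"}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS, SAMPLE_VERSIONS)
    print(verify_manifest(manifest, SAMPLE_ARTIFACTS))
```

A chain like this makes tampering evident rather than impossible, so the head record hash still needs to be anchored somewhere the vendor cannot rewrite, such as your own case file.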

Practical example: Include a “fix-forward” test—provide 50 unknown contracts (some proxies) and ask vendors to decode events, identify proxies/implementations, and surface transfers, mint/burn, and approvals within 24 hours.


3) Risk and compliance: sanctions, Travel Rule, typologies

Your RFP should test how tools operationalize fast-moving sanctions and Travel Rule requirements.

  • Sanctions data sources and update cadence

    • Confirm real-time or hourly ingestion of OFAC’s SLS feeds and support for the advanced SDN list format (names in native scripts, richer identifiers), with matchers tuned for these fields. (home.treasury.gov)
    • Validate EU and UK coverage, including the UK shift to the single UK Sanctions List by January 28, 2026; require proof of readiness and back-compat identifiers. (gov.uk)
  • Travel Rule (global)

    • In the EU, confirm compliance with Regulation (EU) 2023/1113 and the EBA’s final guidelines (effective Dec 30, 2024) for handling missing/incomplete originator/beneficiary data. Require template responses for self-hosted wallet interactions. (eur-lex.europa.eu)
    • Ask about protocol interoperability for secure PII exchange (e.g., TRISA/TRP interop; Envoy v1.0; IVMS101 support) and whether a self-hosted option exists to keep PII on your infrastructure. (trisa.io)
    • Require end-to-end PII protection: encryption at rest/in transit, data minimization, retention defaults, and per-jurisdiction residency.
  • Typologies and alerting

    • Request the vendor’s library of risk typologies (ransomware cashouts, romance scams, sanctioned mixer exposure, terrorist financing wallets disclosed by OFAC) and see how they map on-chain to alerts.
    • Demand indirect and multi-path exposure detection with transparent path summaries (TRM highlights expanded indirect exposure across dozens of chains). (trmlabs.com)

Practical example: Provide three “mystery wallets” with known OFAC exposure and require the vendor to (1) detect direct/indirect exposure within 300ms via API; (2) show the exact sanction reference and list version; (3) export an auditable exposure path.
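
A scorer for this test (and for the sanctions-screening scenario later in the guide), as an added example rather than any vendor's tooling: it checks detection against wallets with known exposure, requires the sanction reference, list version and exposure path on every hit, and measures P99 latency instead of the mean. The response field names, wallet identifiers and sample values are assumptions constructed for illustration, not a real API schema.

```python
P99_BUDGET_MS = 300  # the screening latency figure this page uses as an example
EVIDENCE_FIELDS = ("sanction_reference", "list_source", "list_version", "path")

def percentile(values, pct):
    """Nearest-rank percentile using integer arithmetic (no float rounding)."""
    ordered = sorted(values)
    rank = max(1, (pct * len(ordered) + 99) // 100)
    return ordered[rank - 1]

def score_vendor(responses, known_exposed):
    """Score one vendor's screening run against wallets with known exposure."""
    missed, false_hits, incomplete = [], [], []
    for r in responses:
        flagged = r["exposure"] in ("direct", "indirect")
        expected = r["address"] in known_exposed
        if expected and not flagged:
            missed.append(r["address"])
        if flagged and not expected:
            false_hits.append(r["address"])
        # A hit without its reference, list version and path cannot be audited.
        if flagged and any(not r.get(f) for f in EVIDENCE_FIELDS):
            incomplete.append(r["address"])
    latencies = [r["latency_ms"] for r in responses]
    p99 = percentile(latencies, 99)
    return {
        "p99_ms": p99,
        "mean_ms": sum(latencies) / len(latencies),
        "missed": missed,
        "false_hits": false_hits,
        "incomplete_evidence": incomplete,
        "passed": p99 <= P99_BUDGET_MS and not (missed or false_hits or incomplete),
    }

KNOWN_EXPOSED = {"mystery-1", "mystery-2", "mystery-3"}

def sample_run(slow_tail=0, drop_list_version=False):
    """Constructed responses: 197 clean wallets plus three with known exposure."""
    rows = [{"address": f"clean-{i}", "exposure": "none",
             "latency_ms": 900 if i < slow_tail else 40 + i % 60}
            for i in range(197)]
    for n, kind in enumerate(("direct", "indirect", "indirect"), start=1):
        rows.append({
            "address": f"mystery-{n}", "exposure": kind, "latency_ms": 120,
            "sanction_reference": f"SAMPLE-REF-{n}",  # placeholder, not a real entry
            "list_source": "OFAC SLS",
            "list_version": "" if (drop_list_version and n == 2) else "sample-v1",
            "path": [f"mystery-{n}", "hop-a", "listed-wallet"],
        })
    return rows

if __name__ == "__main__":
    print(score_vendor(sample_run(), KNOWN_EXPOSED))
    print(score_vendor(sample_run(slow_tail=3), KNOWN_EXPOSED))
```

With three slow responses out of 200, the mean stays far below the budget while P99 fails it, which is why the SLA should be written against a percentile.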


4) Investigations workflow and evidentiary standards

Beyond dots on a graph, you need workflows, governance, and exports that stand scrutiny.

  • Case management

    • Graph tracing across chains with automatic interpretation of swaps, bridges, and mixers; bulk enrichment and entity grouping; unlimited custom entities (TRM reports unlimited/custom entity capabilities in 2025 updates). (trmlabs.com)
    • Offline modes for sensitive operations; full audit logs; role-based access and immutable case notes.
  • Court-ready exports

    • Export graphs, chain-of-custody logs, labeled path evidence, and data dictionaries in machine-readable formats (CSV/JSON/Parquet) plus human-readable PDFs; support structured intelligence formats (e.g., STIX 2.1) if your security team uses them.
  • Operational support

    • Investigative services, 24/7 incident response, and expert witness availability; training/certification paths.
  • Independent validation and track record

    • Ask for examples of cases where their intelligence contributed to seizures/recoveries and was cited in rulings (e.g., Chainalysis markets its 1,500+ institutional customers and its seizure figures; validate with references). (chainalysis.com)

Practical example: Provide a cross-chain exploit with funds moving via two bridges and a DEX; score vendors on time-to-first-link, number of automated steps, and quality of the narrative report.


5) Deployment, security, and data governance

You’ll be handling sensitive investigations and customer PII. Set a high bar.

  • Deployment models

    • SaaS regions, dedicated VPC, on-premises, and government clouds (e.g., vendors advertise on-prem and FedRAMP-authorized environments—ask for the exact authorization boundary and impact level). (chainalysis.com)
  • Security attestations

    • SOC 2 Type II, ISO 27001/27701, penetration testing cadence; key management (KMS/HSM), SSO/SAML/OIDC, SCIM provisioning, and field-level encryption for PII.
  • Data residency and retention

    • Per-jurisdiction residency controls; configurable retention for PII vs. non-PII; audit of admin access; customer-managed keys option.
  • Business continuity

    • Disaster recovery RTO/RPO; daily dataset checksums; vendor escrow for critical decoders/parsers; continuity clauses if a product line is sunset (learn from CipherTrace’s 2024 changes). (fortune.com)

6) Integration and developer experience

Great intelligence is useless if your teams can’t integrate it.

  • APIs and data access

    • REST/GraphQL/gRPC; streaming (webhooks, Kafka); SDKs; sandbox environments; rate limits and burst policies; SLAs (e.g., <300ms P99 for screening).
    • Cloud data shares (Snowflake, BigQuery, S3) and table schemas for self-serve analytics—plus parity with API results. Some providers emphasize GraphQL and cloud shares; clarify long-term support and deprecation windows. (docs.bitquery.io)
  • Event decoding and enrichment

    • ABI management, proxy/upgrade detection, NFT metadata pipelines, stable token mappings, and cross-venue token identity resolution.
  • Change management

    • Release notes cadence; versioned endpoints; backward compatibility windows; notification lead time for breaking changes (Bitquery publicly announces deprecations with dates—require the same). (community.bitquery.io)

Practical example: Ask vendors to provision a five-day sandbox with production-rate limits, then have engineering ingest 10M on-chain events into your lakehouse and benchmark query time on your BI stack.


7) Pricing, SLAs, and total cost

Reveal all the levers and watch for volume traps.

  • Pricing dimensions

    • Seat-based vs. case-based vs. API-call or data-volume-based; overage rates; per-chain add-on fees; “enhanced tracing” vs. “screening only” tiers; professional services rates; training/certification costs.
  • SLAs

    • Uptime (target 99.9%+), incident response (P1 within 15 minutes), false-positive review turnaround, data freshness SLAs by chain, and release rollback policies.
  • Exit terms

    • Data export guarantees (schemas + dictionaries), license to retain case artifacts, and support for migration.

8) Evidence-based scoring scenarios (include in your RFP)

Score vendors on tasks that mirror your operations.

  • Scenario A: Sanctions screening at scale

    • 10,000 wallet screens in 60 seconds; require inline justification text and list-source version IDs (OFAC SLS, UKSL). (home.treasury.gov)
  • Scenario B: Cross-chain tracing

    • Trace funds moving ETH → Base → bridge → Tron → exchange, with automatic path reconstruction and entity attribution across at least two bridges and one DEX.
  • Scenario C: Incident response

    • Vendor joins a simulated exploit war-room within 30 minutes, provides an IOC package (IOA, addresses, contracts) and an exportable graph with hop-by-hop notes.
  • Scenario D: Travel Rule operations

    • Demonstrate TRISA/TRP interoperability for a cross-border transfer including IVMS101 fields, with PII never leaving your VPC and full audit logs. (trisa.io)

9) Emerging best practices to require in 2025 RFPs

Bake these into your minimum requirements.

  • Native support for OFAC’s advanced SDN format and EU/UK list changes, with fuzzy matching for non-Latin scripts and change-logs linked to sanctions notices. (home.treasury.gov)
  • Interoperable Travel Rule messaging (TRISA/TRP), open-source Envoy options, and IVMS101 compliance; keep PII self-hosted where possible. (trisa.io)
  • Cross-chain “universal tracing” that collapses mixers, bridges, and swaps into human-readable steps while preserving raw-path evidence. (chainalysis.com)
  • Transparent attribution provenance, confidence scores, and the ability to contest/flag labels with vendor SLAs for review.
  • Cloud data-sharing to your lakehouse for self-serve analytics, plus normalized schemas aligned with public datasets for validation. (cloud.google.com)
  • Rapid onboarding of new L2s/app chains with automatic token support (e.g., recent additions like X Layer, Kaia, Plasma; confirm timelines). (chainalysis.com)
  • A deprecation policy and data escrow so your investigations and compliance don’t break if chains or products are retired. (community.bitquery.io)

10) Copy‑paste RFP question bank

Use or adapt these questions directly.

  • Coverage and attribution

    • Provide a table of supported chains (L1/L2/app) with GA dates, product coverage (screening vs. enhanced tracing), and automatic token support status.
    • Quantify your entity attribution: number of services/entities, confidence scoring methodology, and precision/recall metrics validated by third parties.
    • Explain how you detect and label bridges, mixers, and DEXs, and how quickly new protocols are decoded after contract deployment.
  • Data engineering and quality

    • Detail ingestion architecture (nodes, indexers), per-chain freshness SLAs, reorg handling, and data lineage/versioning.
    • Provide sample schemas and a one-week cloud data share (Snowflake/BigQuery/S3) for our team to validate.
  • Compliance and sanctions

    • Document ingestion of OFAC SLS and UKSL/EU lists, with parsing of advanced formats and non-Latin scripts; include update frequency and hash/verifier of list versions. (home.treasury.gov)
    • Describe Travel Rule capabilities, including TRISA/TRP interoperability, IVMS101 support, and options for self-hosted PII exchange. (trisa.io)
  • Investigations workflow

    • Show cross-chain path reconstruction with human-readable steps and raw evidence. Provide export samples (CSV/JSON/Parquet/PDF) and audit logs.
    • List certifications/training and incident response SLAs.
  • Security and deployment

    • List SaaS regions, on-prem/FedRAMP options, SOC 2/ISO certifications, KMS/HSM usage, SSO/SAML/OIDC, and SCIM support.
    • Provide data residency options, PII retention defaults, and customer-managed keys.
  • Commercials and resilience

    • Provide pricing by module, user, API volume, data share, and professional services; disclose overage rates and deprecation/migration assistance.
    • Describe your product deprecation policy and continuity plan, including data escrow, if a product is retired. Reference any historical deprecations.

11) Real-world example (what a good response looks like)

Suppose you run a U.S. fintech with stablecoin treasury ops on Ethereum and Base, consumer payouts on Tron, and NFT loyalty on Solana:

  • A strong vendor response will:

    • List Ethereum, Base, Tron, and Solana with enhanced tracing; demonstrate automatic token support for new ERC-20s and SPLs within hours; show cross-bridge tracing and entity attribution for Circle/Tether treasuries.
    • Prove hourly price refresh across long-tail tokens so USD exposures are accurate for AML thresholds. (trmlabs.com)
    • Show OFAC SLS/advanced SDN support (including non-Latin identifiers) and readiness for the UK single-list change in January 2026, with list-version IDs embedded in alerts. (home.treasury.gov)
    • Demonstrate TRISA/TRP interop for a cross-border payout, keeping PII in your VPC via a self-hosted Envoy instance. (trisa.io)
    • Export a court-ready case package with provenance and audit logs.
  • A weak response will:

    • Claim a generic “30+ chains” without distinguishing screening from tracing, offer opaque label provenance, have no public deprecation policy, and attach no dates to sanctions or Travel Rule interoperability.

12) A note on “market intel” platforms in your stack

You may also issue an RFP for non-AML intelligence platforms (e.g., labeled wallets, portfolio tracking, growth intelligence). If you include these, ask about:

  • Label inventory and update cadence; ENS/domain label linkage; cross-chain wallet clustering. Some platforms recently added domain labels across their app and expanded coverage to Bitcoin, Scroll, and more L2s/protocols—validate these claims with changelogs. (academy.nansen.ai)
  • API availability, export rights, and ToS for commercial use of labels.

Bottom line

Your RFP should force vendors to prove three things: (1) comprehensive, current coverage and high-quality attribution, (2) operational readiness for sanctions and Travel Rule changes across jurisdictions, and (3) scalable integration with verifiable data lineage. Use the question bank and scoring scenarios above to turn buzzwords into measurable commitments—and to de-risk your selection with evidence instead of claims.

If you want a pre-formatted, editable checklist tailored to your chain/protocol mix and compliance obligations, 7Block Labs can adapt this blueprint to your environment and set up a proof-of-value bakeoff in under two weeks.


7Block Labs is a trading name of JAYANTH TECHNOLOGIES LIMITED.

Registered in England and Wales (Company No. 16589283).

Registered Office address: Office 13536, 182-184 High Street North, East Ham, London, E6 2JA.

© 2025 7BlockLabs. All rights reserved.