What Questions Should I Include in My RFP for Blockchain Intelligence Tools in 2025?

Short description: A practical, up-to-the-minute RFP checklist for evaluating blockchain intelligence vendors in 2025—covering data coverage, cross‑chain tracing, Travel Rule and MiCA readiness, sanctions controls, security certifications, integrations, SLAs, pricing, and proof‑of‑concept design.

---

Why an RFP for blockchain intelligence looks different in 2025

Since December 30, 2024, the EU’s Markets in Crypto‑Assets (MiCA) framework has been fully applicable (with stablecoin rules live since June 30, 2024), and the EU’s updated Transfer of Funds Regulation (TFR) “Travel Rule” has been in force, with the EBA’s Travel Rule guidelines applying from the same date—raising the bar on counterparty information, data quality, and enforcement expectations across the EEA. (finance.ec.europa.eu)

At the same time, the EU’s new Anti‑Money Laundering Authority (AMLA) was established and is ramping up in Frankfurt through 2025, increasing scrutiny of high‑risk entities and crypto‑asset service providers (CASPs). (reuters.com)

In the U.S., FinCEN’s proposed rule treating convertible virtual currency (CVC) mixing as a class of transactions of primary money laundering concern signals more demanding reporting, while OFAC enforcement, 50%‑Rule expectations, and expanding export‑control “50%” style rules at BIS mean list‑only screening is no longer sufficient—RFPs must probe how vendors handle ownership aggregation, sanctions evasion typologies, and mixer exposure. (fincen.gov)

Courts and policy are shifting too. A U.S. appeals court decision in late 2024 narrowed OFAC’s authority over immutable smart contracts (Tornado Cash), underscoring the need for tools with transparent attribution you can defend in audits, litigation, and regulator conversations. (reuters.com)

Bottom line: 2025 RFPs must go beyond “Do you cover Bitcoin and Ethereum?” to verify cross‑chain depth, data provenance, explainability, compliance‑by‑design, and enterprise‑grade security.

---

What “blockchain intelligence” includes now

When you say “blockchain intelligence,” decision‑makers typically mean some or all of:

• Transaction monitoring (KYT) and wallet screening (pre‑ and post‑transaction)
• Entity attribution, clustering, and cross‑chain tracing for investigations
• DeFi/DEX/bridge/mixer exposure analytics
• Case management with court‑ready exports and audit trails
• Travel Rule and sanctions screening augmentation
• API/streaming feeds for risk scoring into core systems (payments, fraud, SIEM)
• Optional open‑source or on‑prem analytics for data‑sovereign workloads

Below is the comprehensive RFP question set we use with founders, compliance leaders, and security teams.

---

The 2025 RFP master checklist (with the exact questions to ask)

1) Data coverage, depth, and freshness

Ask for facts, not marketing claims.

• Exactly which chains and tokens can you trace end‑to‑end in investigations versus only screen for risk? Break out:
  • Investigations coverage (full graph tracing, clustering, entity attribution)
  • Screening coverage (address/entity risk, exposure look‑back window)
  • DeFi coverage (DEXs, bridges, MEV relays, token standards)
• Freshness and latency:
  • What is your end‑to‑end detection latency from on‑chain event to alert?
  • How quickly do you index new blocks on major L1s/L2s? Provide chain‑by‑chain SLAs.
• Cross‑chain specifics:
  • How many bridges and DEXs are auto‑interpreted in investigation views?
  • Do you decode swaps/bridges/mixers into human‑readable steps?

Why it matters and what’s changed:

• Investigations platforms differ from screening engines. For example, Chainalysis lists 27+ blockchains for Reactor investigations with tracing across 325M+ swaps and 300+ bridges/DEXs, while its KYT compliance product emphasizes broad screening, with “400+ networks and 50M+ tokens” and real‑time alerting. Your RFP should require both breakdowns and testable SLAs. (chainalysis.com)
• TRM reports coverage exceeding 100 chains for screening and 45+ chains for enhanced tracing; recent updates cite 90+ (Universal Wallet Screening) and 102 total supported chains, with hourly refresh on new additions—so verify modality (screening vs. tracing) and the refresh cadence per chain. (trmlabs.com)
• Elliptic publicly cites 50+ blockchains covered and 300+ bridges supported; require a complete, dated list in your RFP and a parity matrix against your risk exposure. (elliptic.co)

Sample RFP prompts:

• Provide a dated list of supported blockchains for (a) tracing and (b) screening, with:
  • Indexing lag (P50/P95), finality assumptions, and alert latency per chain
  • DEX/bridge/mixer coverage and auto‑label taxonomies
• Provide evidence of coverage expansion in the last 12 months (release notes).

2) Attribution methodology, accuracy, and transparency

What to require:

• “Glass box” explainability: For each attribution/cluster, show source types (e.g., ground truth, on‑chain heuristics), heuristic descriptions, and confidence scores in the UI and API.
• Independent validation: Ask for peer‑reviewed or third‑party validation of clustering false‑positive/false‑negative rates, and willingness to support expert testimony.

Why it matters:

• Chainalysis details a conservative “ground truth + deterministic clustering” approach and cites external validation; TRM surfaces source‑of‑truth and confidence for each tag (“glass box attribution”) down to cluster‑level, useful post‑Tornado Cash ruling where evidentiary standards matter. (chainalysis.com)

Sample RFP prompts:

• Describe your attribution sources, clustering heuristics, and human‑in‑the‑loop QA.
• Provide precision/recall for top 10 typologies (sanctions, scams, hacks, darknet, mixers).
• Provide example audit reports and court‑ready exports for two closed cases.

3) Cross‑chain DeFi and MEV‑aware tracing

What to verify:

• Can the tool follow assets across L1/L2s, bridges, coinswaps, and DEX routers automatically?
• Does it identify address‑poisoning, multi‑hop wash routes, and layered cross‑chain swaps?
• How are sandwich/front‑run patterns presented; do you analyze mempool‑driven behaviors?

Why now:

• Investigations increasingly span many chains; Elliptic reports 33% of complex cases involve >3 chains and 20% involve >10, reinforcing the need for robust cross‑chain graphing and bridge coverage. (elliptic.co)
• Academic work in late 2025 highlights new cross‑chain sandwich attack surfaces on bridging flows—tools should track emerging signatures. (arxiv.org)

Sample RFP prompts:

• List MEV/sandwich detection capabilities and supported bridges with versioned decoders.
• Provide a redacted sample case showing cross‑chain tracing with swaps/bridges auto‑interpreted.

4) Compliance‑by‑design (Travel Rule, MiCA, sanctions)

Make the vendor show you they’re built for 2025 obligations:

• Travel Rule (EU TFR) and EBA guidelines:
  • How do you assist with originator/beneficiary data checks and Travel Rule counterparty risk?
  • Can you validate IVMS101 payloads and flag missing/invalid fields?
  • Do you interoperate with common Travel Rule networks (e.g., TRISA), and can you export/import IVMS101 JSON reliably?

Context and citations:

• EU TFR applies from Dec 30, 2024 with EBA guidelines effective the same date; IVMS101 JSON schemas and TRISA developer docs are widely used for standardized payloads. (eur-lex.europa.eu)

• MiCA readiness:

  • How do you flag non‑compliant ARTs/EMTs (stablecoins) for EEA flows?
  • Can you reflect NCA guidance (e.g., ESMA 2025 statement) in risk models?

Context:

• MiCA provisions fully apply by Dec 30, 2024 (stablecoins since June 30, 2024); ESMA’s Jan 17, 2025 statement urges enforcement against non‑compliant ARTs/EMTs. Your RFP should ask how risk engines adapt to these dates and delistings. (finance.ec.europa.eu)

• Sanctions and the 50% Rule:

  • Can the system detect aggregated ownership to 50% (direct/indirect), surface control red flags, and map sanctioned counterparties’ affiliates?
  • How does the model implement OFAC FAQs and track BIS’s new “Affiliates Rule” style expectations?

Context:

• OFAC’s 50% Rule (FAQ 401) requires aggregated ownership analysis; BIS’s 2025 interim final rule extends similar expectations to export‑control regimes—ask explicitly how the tool operationalizes ownership chains and indirect exposure. (ofac.treasury.gov)

• Mixers and high‑risk tools:

  • Can you detect exposure to sanctioned mixers and report FinCEN‑relevant triggers tied to CVC mixing typologies?

Context:

• Treasury/OFAC have sanctioned multiple mixers (e.g., Sinbad), and FinCEN’s NPRM (Oct 19, 2023) would increase reporting around mixing exposure. (home.treasury.gov)

Sample RFP prompts:

• Provide JSON Schema validation for IVMS101 with example error responses.
• Demonstrate 50% aggregated ownership detection on a synthetic cap table with nested SPVs.

5) Security, privacy, and deployment options

Non‑negotiables to ask for:

• Certifications and authorizations: SOC 2 Type II; ISO 27001; FedRAMP/StateRAMP where public‑sector or defense is in scope; third‑party pen‑tests; data residency.
• Deployment: SaaS, regional cloud residency, GovCloud, FedRAMP‑authorized environments, and on‑prem/air‑gapped options; BYOK/KMS and key rotation.
• Privacy posture: DPF participation, GDPR DPA terms, data retention/erasure schedules, audit logging, and customer data isolation.

Recent facts to anchor your questions:

• TRM achieved FedRAMP High authorization (Dec 17, 2024) via Palantir PFCS‑SS, with positioning for DoD IL4/IL5 workloads; Chainalysis Reactor advertises cloud, on‑prem, and FedRAMP‑authorized environments. Verify the active listing and boundary. (trmlabs.com)
• TRM states SOC 2 Type II and ISO‑aligned controls; Chainalysis’ privacy notice references EU‑U.S. Data Privacy Framework participation. Request attestations and data‑flow diagrams. (trmlabs.com)

Sample RFP prompts:

• Provide current SOC 2 Type II report and pen‑test executive summary under NDA.
• Detail tenant isolation, encryption (in transit/at rest), and secrets management.
• For on‑prem/GovCloud, list feature deltas vs. commercial SaaS.

6) Integrations, APIs, and data portability

Require concrete, testable technical detail:

• APIs: versioning policy; rate limits; time‑to‑first‑byte; pagination; bulk endpoints; webhook/streaming support (e.g., Kafka).
• SIEM/CTI: STIX/TAXII feeds for indicators; Splunk/Elastic integrations; case‑management integrations (ServiceNow/JIRA).
• Export formats: JSON/CSV/Parquet; graph exports; PDF “court packages”; immutable audit logs.

Anchor questions in docs and performance claims:

• Chainalysis KYT API docs (REST/JSON) and real‑time alerting; TRM Wallet Screening advertises sub‑400 ms API responses and 150+ configurable risk rules; STIX/TAXII is widely used to exchange indicators into SIEMs like Splunk. (kytdoc.kyt-dev.e.chainalysis.com)

Sample RFP prompts:

• Provide OpenAPI/Swagger specs and SDKs; share P95 API latency for wallet screening.
• Demonstrate TAXII‑based indicator sharing into Splunk and a daily S3 data extract.

7) Performance, scale, and SLAs

Drill into measurement, not adjectives:

• Alerting SLAs by chain (P50/P95); backlog behavior under reorgs and high gas spikes.
• Backfill SLAs for newly supported chains and retroactive tagging corrections.
• Case graph scale limits (nodes/edges); rate limits by tenant.

Examples and real numbers to request:

• TRM cites wallet‑screening responses in <400 ms and universal screening across 90+ chains; Chainalysis KYT emphasizes “within seconds” alerting and indirect‑exposure depth “until an identified service is hit.” Your RFP should convert those to measurable SLAs. (trmlabs.com)

8) Features for investigations and recovery

What to verify:

• Graph clarity and auto‑interpreted steps (swaps/bridges/mixers); cluster vs. address‑level toggles; UTXO change detection; entity portfolio balances; seizure guidance.
• Case management: audit logs, collaboration, and exports that prosecutors accept.

Recent platform examples:

• TRM “Investigation360” highlights audit trails, court‑ready exports, seed‑phrase analysis at scale, and AI‑generated smart‑contract descriptions with on‑chain ABIs only (no customer data). (trmlabs.com)
• Chainalysis claims $34B in frozen/recovered funds and 1,500+ organizations using Reactor. Ask for public casework and reference customers comparable to your profile. (chainalysis.com)

Sample RFP prompts:

• Provide a guided demo of a multi‑chain hack with court‑ready export artifacts.
• Show seed‑phrase analysis and cross‑match hits across supported chains.

9) Vendor stability, roadmap, and exit

Due diligence questions:

• What is your 24‑month product roadmap for coverage and DeFi decoders?
• What happens if a product is sunset? Is there a data escrow and portability clause?

Why ask:

• In March 2024, Fortune reported Mastercard’s CipherTrace began shutting down key products (Armada, Inspector, Sentry). Your contract should include portability, escrow, and step‑in rights to avoid vendor lock‑in. (fortune.com)

---

Practical examples of “show‑me” RFP requirements (copy/paste)

• Coverage proof
  • Provide a machine‑readable list (JSON/CSV) of supported chains for screening vs. tracing, including token standards and DEX/bridge decoders; include the date each chain moved to GA and indexing lag P95.
• Alert quality
  • Share a 30‑day sample of screening alerts with ground‑truth labels (redacted), including final dispositions, to compute precision/recall by typology (sanctions, scams, darknet, hacks, mixers).
• Ownership aggregation
  • Given a synthetic cap table (provided), identify entities blocked under OFAC’s 50% Rule and flag elevated‑risk affiliates per BIS’s Affiliates‑style expectations. Include an export of ownership paths. (ofac.treasury.gov)
• Travel Rule interop
  • Validate provided IVMS101 JSON fixtures; present field‑level errors; demonstrate TRISA interop and show how missing beneficiary/beneficial‑owner data is handled in the workflow. (trisa.dev)
• Latency & throughput
  • Prove P95 <500 ms wallet‑screening responses at 100 RPS on a U.S. region and show alert‑generation latency for BTC, ETH, TRON, and SOL under on‑chain peak loads. (trmlabs.com)
• Cross‑chain tracing
  • Reconstruct funds across 5+ chains with at least two bridges and one coinswap; provide auto‑interpreted steps and a final court‑ready PDF. (chainalysis.com)

---

Emerging best practices we’re seeing work

• Separate “screening breadth” from “tracing depth” in scoring. Vendors may screen hundreds of networks yet only trace rigorously on a subset; require modality‑specific SLAs and coverage matrices. (chainalysis.com)
• Demand “glass box” attribution and clustering notes in the UI/API to increase auditability—especially post‑Tornado Cash ruling. (trmlabs.com)
• Treat DeFi as first‑class: auto‑decoding of routers, pools, bridges, and coinswaps; metrics for swap and bridge coverage should be contract‑level, not just chain‑level. (chainalysis.com)
• Align with MiCA and EU Travel Rule by validating IVMS101 payloads early; ask for schema validation plus operational playbooks for incomplete data remediation. (eba.europa.eu)
• Verify sanction exposure controls beyond list‑matching—ownership aggregation to 50% and mixer typologies consistent with FinCEN/OFAC patterns. (ofac.treasury.gov)
• For public‑sector or defense, prefer vendors with FedRAMP authorization and deployment in FedRAMP‑authorized environments; lock down data residency and logging for sensitive cases. (trmlabs.com)
• Ensure indicator portability via STIX/TAXII to your SIEM so investigators and fraud teams share the same ground truth. (docs.splunk.com)

---

Design a 10‑day proof‑of‑concept (internal playbook)

Day 1–2: Environment setup and data pipes

• Connect batch and streaming ingestion; validate OpenAPI specs; run IVMS101 validators for Travel Rule payloads; configure SIEM TAXII feeds. (trisa.dev)

Day 3–5: Screening quality and latency

• Fire 50k historical wallets through screening; compute precision/recall vs. internal dispositions; measure P95 latency; verify sub‑second alerts on ETH and TRON. (trmlabs.com)

Day 6–7: Cross‑chain investigation challenge

• Provide a synthetic hack with bridge + DEX hops; require auto‑interpreted steps, UTXO change detection, entity balances, and a court‑ready export. (chainalysis.com)

Day 8: Sanctions/ownership drill

• Use a nested ownership scenario to test 50% aggregation and affiliates‑style risk surfacing; export ownership paths with confidence levels. (ofac.treasury.gov)

Day 9: Travel Rule end‑to‑end

• Exchange IVMS101 messages with a sandbox VASP; inject missing/invalid fields; confirm UI/API remediation flows and audit logs. (trisa.dev)

Day 10: Security and compliance review

• SOC 2 Type II and pen‑test reviews; data residency controls; FedRAMP boundary (if applicable); incident response runbook review. (trmlabs.com)

Success metrics:

• ≥90% precision on top‑3 typologies you care about
• P95 screening API <500 ms at target throughput
• Complete cross‑chain reconstruction with exportable evidence
• IVMS101 validation + remediation workflow passes
• Sanctions ownership aggregation accurate on all test cases

---

Red flags in 2025 RFP responses

• “Black box” risk scores without per‑attribution evidence and confidence
• No ownership aggregation for sanctions beyond simple list hits
• A single “coverage number” with no split between tracing and screening
• No STIX/TAXII, SIEM, or case‑management integrations
• No clear plan for MiCA/TFR alignment or IVMS101 data hygiene
• Weak security posture (no SOC 2 Type II; no FedRAMP path where required)
• Vague exit provisions and no data portability—especially relevant given prior product sunsets in the space. (fortune.com)

---

A quick vendor landscape note (so you can ask sharper questions)

• TRM Labs: FedRAMP High authorized; publishes frequent coverage and feature updates (e.g., universal wallet screening across 90+ chains, seed‑phrase analysis, AI contract descriptions). Clarify chain counts by modality (screening vs. tracing) and confirm SLAs. (trmlabs.com)
• Chainalysis: Reactor traces 27+ chains with deep DeFi/bridge decoders; KYT emphasizes very broad screening and rapid alerting. Ask for modality splits, audit logs, and deployment options (on‑prem/FedRAMP). (chainalysis.com)
• Elliptic: States 50+ blockchains covered and 300+ bridges; validate decoder depth and cross‑chain case studies. (elliptic.co)
• Open‑source option: GraphSense for teams that require full data sovereignty and transparent algorithms—useful for bespoke or air‑gapped workflows, often alongside a commercial tool. (graphsense.org)

---

Final take: how to shortlist fast

• Build your RFP around measurable, chain‑by‑chain SLAs, “glass box” attribution, sanctions ownership logic, MiCA/TFR alignment, and FedRAMP/ISO/SOC attestations.
• Run a 10‑day PoC that forces vendors to prove latency, precision/recall, cross‑chain decoding, and evidence exports you’d defend in court or to regulators.

If you need a pre‑formatted RFP template or PoC dataset with ground‑truth labels (bridges/DEXes/mixers/stablecoins), 7Block Labs can share one we’ve used successfully with startup exchanges and Fortune 500 fraud teams.

---

Sources (selected)

• EU MiCA and TFR effective dates, EBA Travel Rule guidelines, ESMA/EC stablecoin enforcement clarifications. (finance.ec.europa.eu)
• AMLA launch timeline and mandate. (reuters.com)
• FinCEN NPRM on CVC mixing; OFAC mixer designations and 50% Rule FAQs. (fincen.gov)
• BIS “Affiliates Rule” adopting 50% ownership expectations. (ropesgray.com)
• Vendor/product specifics: TRM coverage and FedRAMP High; Chainalysis Reactor/KYT scope and claims; Elliptic 50+ chains and bridge coverage. (trmlabs.com)
• STIX/TAXII integration for SIEM. (docs.splunk.com)
• Open‑source GraphSense. (graphsense.org)
• Tornado Cash appellate ruling context (implications for explainability in attribution). (reuters.com)

---