Search
Choose a style
Dark
Light
Time to read: 9 min

When ‘on-chain’ becomes ‘en-guarde’

Image:Shutterstock

Why US regulators are making blockchain analytics a must for banks

The financial services landscape is shifting fast. Banks are no longer bystanders when it comes to virtual assets (cryptocurrencies, stablecoins, etc.): more customers want exposure, more counterparties operate in crypto, and more products are being built around digital assets.

But with that expansion comes risk. As crypto adoption increases concerns about money laundering, sanctions evasion, fraud, terrorist financing, and other illicit finance threats rise alongside. Regulators are under pressure to ensure the financial system remains resilient, transparent, and safe, even as innovation accelerates.

Against that backdrop, state and federal banking regulators in the US have been gradually updating expectations, rules, and formal guidance for how banks engage with virtual-asset activities. Some earlier guardrails required banks to seek approval for certain crypto-activities; others largely warned of risk.

New guidance from the New York State Department of Financial Services (DFS), published on September 17, is part of that broader evolution.

What is is, what it says

Adrienne Harris, DFS Superintendent

DFS Superintendent Adrienne Harris issued Notice on Use of Blockchain Analytics for New York Banking Organizations, extending earlier blockchain analytics guidance to all New York–regulated banking organisations which are conducting or considering virtual currency-related activity (VCRA).

“As traditional banking institutions expand into virtual currency activities, their compliance functions must adapt, onboarding new tools and technologies to mitigate new and different risks,” said Harris.

“As a leader in the regulation of virtual currency, DFS will continue to set clear and transparent expectations for institutions, to protect consumers and safeguard market integrity, while also ensuring New York-regulated banking organizations can remain resilient and competitive.”  

The guidance builds on two earlier documents:

  1. The Analytics Guidance of April 28, 2022, which applied to Virtual Currency Entities (VC Entities) licensed under NY rules.
  2. The VCRA Guidance, which requires covered institutions to obtain prior approval before engaging in new or significantly different virtual currency–related activity.

Now, DFS expects banking institutions regulated by the State, whether they already engage in virtual currency activity or are considering doing so, to consider incorporating blockchain analytics tools as part of their compliance / risk management programmes. These tools are seen as additional risk-mitigation controls.

    The regulator provides a non-exhaustive set of use cases for these analytics tools, including:

    1. Screening customers’ wallets (especially those who have disclosed or displayed crypto activity) to assess risk.
    2. Verifying the source of incoming funds coming from VASPs.
    3. Monitoring exposure to illicit activity via third parties (for example, counterparties of customers).
    4. Checking that actual customer activity matches expectations (e.g. dollar thresholds, transaction patterns).
    5. Using intelligence gathered via such monitoring to inform updates to risk assessments, risk appetite, and decisions about whether to offer certain virtual currency products.

    Within the guidance, the DFS emphasises that these control measures should be tailored to each institution’s business model, operations, and risk appetite; regular reassessment is expected.

    However, the guidance does not create entirely new legal obligations. Rather, it’s bringing into view a set of expectations to align with existing laws/regulations and to ensure banks’ risk frameworks evolve with evolving risks

    Why has the guidance been issued now?

    In the last decade, banks have seen an increasing adoption and exposure to virtual-currency activities, with more customers transacting in crypto, more virtual asset service providers interacting with them, and in some cases direct involvement in custody and product offerings. That inevitably expands their risk exposure, not only operationally but also reputationally, legally and from a compliance perspective.

    Crypto markets have also grown more sophisticated, and so have the obfuscation techniques used by illicit actors. Mixers, privacy-focused tokens, cross-chain transfers and the interplay between self-hosted and hosted wallets make auditing and tracing far more complex. Added to this, sanctions regimes have tightened, and both law enforcement and regulators globally are scrutinising virtual assets more closely for their role in money laundering, terrorist financing and other predicate offences.

    Regulatory expectations have kept pace with these developments, however. In New York and the broader US, regulators have repeatedly signalled compliance programmes must integrate new technologies if they are to remain effective. The DFS’s April 2022 Analytics Guidance was an early example, and subsequent policy changes have reinforced the principle: even when procedural requirements have been eased in some areas, the demand for strong, technology-enabled risk mitigation has remained non-negotiable.

    One of the biggest challenges for banks is the gap in visibility between traditional monitoring tools and the realities of on-chain activity. Standard KYC and transaction monitoring systems designed for fiat payments do not offer the same level of insight into crypto transactions. Blockchain analytics fills that gap, enabling institutions to verify the origin of funds, uncover layers of obfuscation, and identify indirect exposures that would otherwise go unnoticed.

    Public and political pressure also play a role with high-profile scandals in the crypto space, ranging from exchange collapses to illicit finance cases, intensifying calls for banks to avoid becoming weak links in the financial crime chain. The reputational risks of being associated with crypto-related failures are significant, and regulators are responding to public concern with tougher oversight.

    Finally, there is an international dimension. The Financial Action Task Force (FATF) and other multilateral bodies have long championed risk-based approaches to anti-money laundering and counter-terrorist financing, explicitly incorporating virtual asset service providers and requiring the tracing of crypto flows under frameworks such as the Travel Rule. By leaning on blockchain analytics, regulators in New York are aligning domestic banks with these international standards, ensuring consistency with the global fight against illicit finance.

    Is the US an island?

    New York’s guidance is not entirely out on its own. There are parallel rules, proposals, and regulatory frameworks elsewhere that share similar aims, though not always identical in scope or enforcement.

    GeographyWhat Exists (or Is Emerging)How It Compares / Gaps
    European UnionThe EU has passed a new AML package (including directive and regulation reforms), plus MiCA (Markets in Crypto-Assets Regulation) (Reg. (EU) 2023/1114) which among many things:
    1. Brings crypto-asset service providers (CASPs) under AML/CFT regulatory oversight.
    2. Requires enhanced due diligence, especially for transactions involving self-hosted wallets.
    3. Prohibits anonymous or anonymizing features / anonymous accounts.
    4. Firms must collect originator / beneficiary data in crypto-asset transfers.
    5. Guidelines note risk factors, customer, products, delivery channels, geography etc. Some of these guidelines specifically mention or implicitly require blockchain analytics as a tool to manage those risks.
    Compared to New York, EU rules are more harmonised across countries, applying not just to banks but all CASPs.

    But enforcement timing, technical implementation (e.g. how to do traceable “self-hosted wallet” checks) may vary. Also, banks in some EU member states may have differing existing capabilities.
    United KingdomThe UK FCA is in the process of expanding its regulatory perimeter for cryptoasset activities. It has published a discussion paper (DP25/1) concerning how to regulate crypto-asset activities such as trading platforms, intermediaries, staking, DeFi etc. The UK government is also moving to legislate to bring cryptoassets more clearly under financial regulation. There is also guidance / threat assessments (from OFSI etc.) which explicitly mention the utility of blockchain analytics tools for tracing exposure, sanctions breaches, and risk-based monitoring. The UK effort is more forward-looking; some measures are still consultation or draft. There may be less immediate prescriptive guidance for banks to adopt analytics (vs. CASPs) but the trend is analogous: risk-based controls, customer due diligence, tracing, etc.
    CanadaThe Office of the Superintendent of Financial Institutions (OSFI) has published guidance on the capital and liquidity treatment of crypto-asset exposures by banks. This includes expectations around risk management, disclosure, and prudential capital tied to crypto-asset risk. But OSFI’s guidance is more about how much capital / liquidity banks need given crypto exposure, rather than prescribing specific operational tools like blockchain analytics in as much detail.
    International / Regional BodiesFATF has long explicitly addressed virtual assets, virtual asset service providers, travel rule, etc. The BIS and FSI have also issued insights and research papers about supervising cryptoassets for AML purposes. These frequently note that blockchain analytics are an important tool in meeting international AML/CFT standards. Implementation across jurisdictions is uneven. Some jurisdictions have limited technical capacity, legal clarity, or enforcement resources. Also, privacy / data protection laws may limit how detailed tracing can be, especially for self-hosted wallets.

    Could this amount to implicit ‘mandatory’ expectation

    Although DFS says its guidance does not impose a brand-new law, the combination of factors makes it very much akin to mandating certain practices in practice.

    Because the DFS exerts close supervision over banks in New York, it is highly likely that future examinations will look for clear evidence that institutions engaging in, or even contemplating, crypto-related activity have incorporated blockchain analytics in line with the guidance. In practice, this means the guidance carries more weight than a simple recommendation.

    Past precedent shows that such statements of expectation often become de facto requirements; banks that fail to adopt the tools regulators highlight risk closer scrutiny during audits, the possibility of adverse examination findings, and ultimately potential penalties.

    As regulatory frameworks mature, this expectation is only likely to solidify. Other US regulators, whether at the federal level or in different states, are beginning to set out their own approaches to virtual currency oversight. As they do, industry norms will inevitably shift, and blockchain analytics will become less of an optional enhancement and more of a baseline cost of doing business for any institution exposed to crypto markets.

    The pressure will not come solely from supervisors either. Investors, counterparties, insurers and auditing firms are also likely to demand comparable standards of risk management, further reinforcing blockchain analytics as a core component of compliance for banks seeking to maintain credibility and competitiveness in this space.

    Subscribe to our newsletter