NYDFS orders banks to adopt blockchain analysis: what changes now

The New York Department of Financial Services (NYDFS) has issued a guidance letter, signed by Superintendent Adrienne A. Harris, urging financial institutions to integrate blockchain analytics tools into compliance programs to strengthen anti-money laundering prevention, sanctions compliance, and combat abuses related to digital assets. The directive is addressed to “Covered Institutions,” meaning New York state-chartered banks and branches or agencies of foreign banks authorized to operate in the State.

According to data collected from industry reports and field experiences of compliance teams, the adoption of on-chain analytics improves the quality of reports and investigative capability in AML/CFT investigations. Industry analysts also note that, in tests and pilot projects conducted over the past 18 months, the integration between on-chain tools and KYC systems has led to measurable improvements in investigation times and the explainability of alerts.

The directive also fits into the international framework outlined by the Financial Action Task Force, which with the October 2021 update reiterated the need for a risk-based approach for VASP and industry operators.

What the NYDFS Requires from Banks

In the letter, the NYDFS urges financial institutions to assess and, when appropriate, adopt blockchain analytics solutions to support KYC procedures, transaction monitoring, and counterparty risk assessment, with particular attention to Virtual Asset Service Providers (VASP). In the presence of new offerings or substantial modifications to virtual currency activities, prior approval is required, in line with the guidelines already provided on VCRA and compliance analyses.

The message is clear: controls must be proportionate to the business model and the risk appetite of each institution. In this context, banks must document the assessment carried out, update their risk framework, and periodically review the exposure related to digital assets.

Risks, sanctions, and on-chain analysis

The growing adoption of digital assets expands the risk surface to which banks are exposed. On-chain solutions allow for monitoring flows, transactional patterns, and connections with sanctioned addresses, offering traceability that traditional methods do not ensure. The latest data estimates that in 2024 addresses linked to illicit activities received approximately $40.9 billion in cryptocurrencies, an indicator of the size of the on-chain risk detected by analysts. According to the NYDFS, the use of analytics tools reduces classification errors, accelerates investigations, and strengthens the governance of reporting, limiting the “blind spots” in terms of AML/CFT and sanctions control.

Integration of blockchain analysis in AML/CFT programs

For an effective implementation, it is essential to define clear objectives, adopt rigorous data quality criteria, and structure solid processes. That said, a concise operational path may include the following phases:

Recommended Operational Process

1. Definition of use cases: implementation of extended KYC, transaction monitoring, sanctions screening, and due diligence on VASPs.
2. Tool selection: choosing tools that cover the relevant chains and offer quality datasets, explainability, and adequate audit trail.
3. Integration into controls: definition of alerting rules, calibrated thresholds, escalation workflows, and structured reporting.
4. Staff training: updates on on-chain reading techniques, recognizing warning signals, and the limitations of indicators.
5. Periodic reassessment: review of models, independent validation, and effectiveness testing of controls.

Use case and first-level controls

• Portfolio Screening: monitoring wallets to detect abnormal behaviors, suspicious frequencies, or connections with sanctioned addresses.
• Verification of the origin of funds: analysis of flows between wallets, exchanges, and VASPs to distinguish between “clean” and high-risk funds.
• Monitoring crypto activity: continuous assessment of exposure to potential money laundering activities, sanctions evasion, and use of high-risk mixers.
• Third-party evaluation: verification of VASP and external providers through reliability scoring and continuous monitoring.
• Comparison between expected and actual activity: integration of on-chain insights into risk assessments and stress test scenarios.

Integration into Compliance Programs

Controls must be customized according to the line of business, operations, and risk profile of the institution. The NYDFS requires continuous realignment that considers any changes in products, clientele, or market counterparts. It should be noted that the measures described are indicative examples and do not represent an exhaustive list of possible checks.

Additionally, the Department confirms that any initiative related to virtual currency activities will require prior authorization, with technical communications channeled through the Relationship Managers of the supervised institutions.

Quick Guide to Implementation

• Define policies and performance metrics for analytics tools, evaluating accuracy, coverage, and investigation times.
• Formalize escalation procedures and evidence preservation for audits and supervisory reviews.
• Align risk models with proportionality and traceability requirements of decisions.

FAQ on Screening and Source Verification

How does crypto portfolio screening work?

The screening cross-references on-chain data and off-chain sources to identify anomalous patterns, connections with sanctioned addresses, and suspicious flows to and from VASP. Alerts must be explainable and verifiable.

What steps to follow to verify the origin of the funds?

The procedure involves correlating data related to wallets, exchanges, and client documentation, combining automated analyses and manual checks, with careful monitoring of the assumptions made and the limitations arising from the available data.

Operational Impact: What Changes for Compliance Teams

The adoption of on-chain analytics tools requires banks to update AML/CFT policies, review risk thresholds, and strengthen collaboration between IT, compliance, and internal audit. The need for specialized skills and more effective data governance is likely to increase, allowing for more granular and timely monitoring. Without such adjustments, banks may encounter difficulties during inspections.