Subscribe to the Non-Human & AI Identity Journal

How should compliance teams use on-chain data in crypto risk assessments?

Compliance teams should use on-chain data as an evidence layer for token movement, concentration, liquidity, and service interaction, then combine it with KYC, sanctions, and transactional monitoring. The goal is to separate normal market behaviour from patterns that suggest laundering, fraud, or manipulation. On-chain data is most useful when it feeds a documented triage process, not when it sits in a standalone dashboard.

Why This Matters for Security Teams

On-chain data gives compliance teams a fast way to see how funds move, where value concentrates, and which services a wallet interacts with, but it is not proof by itself. The risk is treating blockchain transparency as a complete control when the real question is whether those movements fit known customer behaviour, sanctions exposure, and AML patterns. Good assessments use on-chain evidence to sharpen triage, not replace casework, as reflected in the Ultimate Guide to NHIs — Regulatory and Audit Perspectives.

That distinction matters because suspicious activity often sits in the gap between what is visible on-chain and what is known off-chain. Compliance teams still need KYC records, wallet attribution, transaction context, and escalation rules to decide whether activity is normal, evasive, or abusive. A useful program also aligns to broader control expectations in the NIST Cybersecurity Framework 2.0 and the FATF Recommendations — AML and KYC Framework, especially where customer due diligence and transaction monitoring must support defensible decisions. In practice, many teams discover the limits of on-chain intelligence only after a case has already been escalated, rather than through intentional model validation and workflow design.

How It Works in Practice

Effective crypto risk assessments start by defining what on-chain data can and cannot answer. It can show wallet clustering, transaction velocity, exposure to mixers or high-risk services, hop patterns, and interaction with sanctioned or suspicious addresses. It cannot reliably prove beneficial ownership, intent, source of funds, or whether a wallet is controlled by the customer without supporting evidence. That is why current guidance suggests using on-chain signals as one input in a documented decision tree, not as a standalone verdict.

A practical workflow usually follows four steps: ingest the transaction history, score relevant behaviours, enrich with off-chain identity and sanctions data, then assign a review action. Teams often combine rules and human review for higher-risk cases, while reserving automation for low-risk screening and obvious matches. The process should be auditable, with clear thresholds for escalation, false-positive handling, and analyst override. NHIMG’s Top 10 NHI Issues is a useful reminder that when automated systems handle sensitive value flows, governance depends on visible ownership, access control, and lifecycle discipline.

  • Use sanctions screening to confirm whether a wallet or counterparty has direct or indirect exposure.
  • Separate customer behaviour from typologies such as peel chains, rapid layering, or exchange hopping.
  • Require case notes that explain why the alert was closed, escalated, or held for investigation.
  • Retain chain evidence and analyst rationale together so audits can replay the decision.

For control design, the most relevant baselines are NIST SP 800-53 Rev 5 Security and Privacy Controls for logging and monitoring discipline and ISO/IEC 27001:2022 Information Security Management for governance and evidence handling. These controls tend to break down when compliance teams inherit wallet-monitoring tools without a clear ownership model, because alerts then accumulate faster than analysts can validate them.

Common Variations and Edge Cases

Tighter on-chain screening often increases operational overhead, requiring organisations to balance faster detection against more false positives and heavier case management. That tradeoff becomes more pronounced when teams work across multiple chains, use privacy-enhancing tools, or support products that mix custodial and non-custodial activity. There is no universal standard for how much anonymity or mixer exposure should automatically trigger escalation; best practice is evolving, and thresholds should reflect customer segment, geography, and business model.

Edge cases also matter. A high-volume market maker may generate transaction patterns that look unusual in isolation but are normal for its role. A sanctioned address may appear indirectly through a smart contract rather than a direct transfer. A wallet linked to a known service may still be risky if the service itself has weak controls or poor customer segregation. In these cases, teams should document why the behaviour is acceptable, suspicious, or unresolved, and re-check the position as new intelligence arrives. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks is relevant here because the same governance gap appears when machine-controlled wallets or automation pipelines lack clear accountability.

Where financial-crime programmes are mature, on-chain data can also support exposure reviews for third-party services, escrow flows, and treasury wallets, but only if evidence retention, access reviews, and escalation authority are already defined. In higher-risk environments, such as cross-border platforms with mixed custody models, the guidance breaks down when analysts cannot reconcile blockchain indicators with source-of-funds records and customer activity logs quickly enough to support timely decisions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the technical controls, while EU AI Act define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RM-01 Risk assessments need documented risk criteria and escalation governance.
NIST SP 800-63 IAL2 Customer identity assurance affects how much off-chain evidence can be trusted.
NIST AI RMF GOVERN If analytics or scoring are automated, governance is needed for accountability.
EU AI Act AI-assisted risk scoring in compliance needs transparency and human oversight.

Tie wallet monitoring results to verified customer identity strength before making final judgments.