TL;DR: Crypto regulation is no longer limited to enforcement, with Chainalysis mapping how 25 influential jurisdictions covering 73% of on-chain activity are shaping AML/CFT, consumer protection, market integrity, and new rules for DeFi and stablecoins. The governance challenge is now regulatory fragmentation, where compliance design must keep pace with policy expansion across markets.
At a glance
What this is: Chainalysis maps how major jurisdictions are moving crypto regulation from high-level principles toward more operational rules for AML/CFT, consumer protection, market integrity, DeFi, and stablecoins.
Why it matters: For IAM, fraud, compliance, and security teams, the shift matters because regulatory scope is expanding faster than control models, especially where on-chain activity, identity checks, and transaction monitoring intersect.
By the numbers:
- Chainalysis says its report covers 25 of the world’s most influential jurisdictions, which account for 73% of on-chain activity.
👉 Read Chainalysis's report on how global crypto regulation is reshaping compliance
Context
Crypto regulation is moving from broad policy statements to operational controls that affect onboarding, monitoring, reporting, and cross-border enforcement. For teams responsible for identity verification, fraud prevention, compliance, and transaction monitoring, the real issue is not whether regulation exists, but how quickly it is becoming embedded in day-to-day control design.
Chainalysis frames the market as a $3 trillion industry with regulation trying to catch up across 25 influential jurisdictions. That matters to practitioners because AML, consumer protection, and market integrity requirements increasingly depend on identity-linked processes, especially where digital asset activity touches KYC, wallet attribution, sanctions screening, and suspicious activity investigation.
The starting point in this report is typical for a sector moving from innovation-first to governance-heavy oversight. That is now the default pattern in digital asset markets, not an exception.
Key questions
Q: How should crypto firms handle AML compliance across multiple jurisdictions?
A: They should build a control map that ties each jurisdiction’s AML and CFT obligations to a specific owner, evidence source, and review cadence. The key is not to centralise every rule, but to standardise how obligations are translated into monitoring, reporting, and escalation workflows across the business.
Q: Why do identity verification controls matter in crypto compliance?
A: Because regulators still need to know who controls the account, wallet, or transfer path, even when the asset movement itself is pseudonymous. Identity verification links transactions to accountable entities, supports fraud detection, and gives investigators a basis for escalation when on-chain behaviour looks suspicious.
Q: What do teams get wrong about on-chain analytics?
A: They often treat blockchain visibility as a complete control rather than a signal source. On-chain analytics can identify patterns, clusters, and anomalies, but it still needs operational workflows, case handling, and decision authority before it becomes a real compliance control.
Q: Who is accountable when crypto regulation expands across DeFi and stablecoins?
A: Accountability sits with the firm that chooses the control model, the evidence standard, and the escalation path for each activity it touches. In practice, legal, compliance, fraud, and security leaders share responsibility for proving that monitoring and reporting are working where the firm operates.
Technical breakdown
How crypto regulation is shifting from policy to control design
The report describes a regulatory environment that is becoming more operational, with jurisdictions defining expectations for AML/CFT, consumer safeguards, and market conduct. In practice, that means firms need controls that can be evidenced, tested, and adapted across regions rather than treated as static legal interpretations. The compliance problem is no longer just what the rule says, but how to operationalise it across exchanges, custodians, DeFi touchpoints, and stablecoin flows.
Practical implication: Map regulatory obligations to specific control owners, evidence sources, and review cycles so policy changes become implementable controls.
On-chain analysis as a compliance and investigation control
On-chain analytics turns public blockchain data into a compliance signal by linking transactions, entities, and risk indicators. That makes it useful for sanctions screening, suspicious activity detection, and tracing exposure across wallets and intermediaries. It does not replace governance judgement, but it can strengthen monitoring where traditional account-based controls are weak or where identity is intentionally fragmented across pseudonymous addresses and multiple service providers.
Practical implication: Use blockchain intelligence as an investigative layer, then connect it to onboarding, monitoring, and case management workflows.
Why identity verification still matters in crypto oversight
Even in decentralised transaction environments, regulation still lands on identity questions: who is transacting, who is controlling a wallet, and who is accountable when risk appears. That is where IDV, fraud controls, and financial crime processes intersect. The strongest regulatory programmes will treat digital identity evidence, behavioural monitoring, and beneficial ownership as linked controls rather than separate compliance tasks.
Practical implication: Align KYC, fraud detection, and wallet-risk review so identity evidence supports both compliance and incident response.
Threat narrative
Attacker objective: The attacker aims to move or disguise illicit value while reducing attribution, delaying intervention, and exploiting compliance blind spots.
- Entry begins when criminal or high-risk actors exploit gaps in onboarding, fragmented identity evidence, or cross-platform transfer paths that are hard to reconcile.
- Escalation occurs when those actors move funds through layered wallets, services, or jurisdictions that dilute attribution and complicate monitoring.
- Impact is achieved when losses, laundering, market manipulation, or consumer harm become difficult to trace and enforce against in time.
NHI Mgmt Group analysis
Regulation is becoming an identity problem, not just a legal one. Crypto oversight increasingly depends on proving who controls accounts, wallets, and transfer paths, which places identity verification and financial crime controls at the centre of compliance design. That creates direct overlap between fraud prevention, KYC, and access governance. Practitioners should treat identity evidence as part of the control stack, not a separate onboarding formality.
Chainalysis is pointing to a market where compliance intelligence becomes operational infrastructure. Once 25 jurisdictions representing 73% of on-chain activity are in scope, firms cannot rely on one-off policy mapping or manual review. The field is moving toward continuous monitoring, risk triage, and jurisdiction-aware workflows. Practitioners should expect compliance tooling to be judged on operational coverage rather than document completeness.
Consumer protection is now inseparable from market integrity in digital asset governance. The report’s framing shows that manipulation, surveillance, and fairness are no longer niche concerns for trading venues alone. They shape how exchanges, custodians, and service providers design reporting, monitoring, and intervention logic. Practitioners should assume regulators will expect evidence that control decisions are explainable and repeatable.
DeFi and stablecoins are forcing governance models to span both decentralised and regulated systems. That creates a structural gap between protocol-level activity and the identity-based obligations that firms still must satisfy. The named concept here is regulatory friction points: the places where policy, attribution, and enforcement break down across borders and platforms. Practitioners should design for those seams first, because that is where compliance failures are most likely to surface.
On-chain visibility is useful only when it is connected to accountable workflows. Public data alone does not produce governance unless it feeds case handling, escalation, and decision records. This is where compliance teams, fraud teams, and security operations need shared evidence models. Practitioners should build controls that turn visibility into documented action.
What this signals
Regulatory expansion will increasingly force compliance teams to prove identity accountability across fragmented digital asset flows. For practitioners, that means the hard part is no longer policy interpretation alone. It is building evidence chains that can survive cross-border scrutiny, especially where wallet control, beneficial ownership, and transaction monitoring are split across teams and tools.
As on-chain oversight matures, the strongest programmes will treat monitoring as a workflow discipline, not an analytics purchase. That shifts investment toward case management, escalation logic, and audit-ready records. It also reinforces why identity and access governance matter in adjacent fraud and financial crime controls, including where service accounts, APIs, and automation support transaction operations.
For the identity side of the house, the lesson is that attribution must be operationalised before enforcement pressure rises. Teams that already struggle with service account and machine identity governance will find similar weaknesses when they try to prove who controlled a wallet or automated transfer path. The governance gap is not just technical, it is evidential.
For practitioners
- Map jurisdictional obligations to control owners Create a jurisdiction-by-jurisdiction obligations matrix for AML/CFT, consumer protection, and market integrity, then assign evidence owners for each control. This prevents compliance gaps when rules differ across operating regions.
- Link on-chain monitoring to case management Feed blockchain intelligence into investigation queues, sanctions review, and suspicious activity workflows so alerts are not stranded in a separate analytics tool. Use documented escalation criteria for wallet clusters, counterparties, and transfer patterns.
- Tighten identity checks for wallet accountability Strengthen KYC, beneficial ownership review, and fraud detection where wallet control is uncertain or delegated. The goal is to bind transaction risk back to a verifiable identity record that can support action.
- Review controls for DeFi and stablecoin exposure Assess where protocol interactions bypass the same evidence standards used for custodial or exchange activity. Build compensating controls for attribution, monitoring, and recordkeeping at those points of friction.
Key takeaways
- Crypto regulation is moving from broad principles to operational control design across AML, consumer protection, and market integrity.
- Identity verification and on-chain monitoring now sit at the centre of compliance evidence, especially where wallets and transactions cross jurisdictions.
- Practitioners should focus on accountable workflows, not just analytics, because visibility without case handling does not satisfy governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63A | Identity proofing is relevant where crypto compliance depends on knowing who controls accounts. |
| NIST CSF 2.0 | PR.AC-1 | Crypto compliance depends on controlled access and accountable identities across monitoring workflows. |
| GDPR | Art.32 | Where identity data and financial crime evidence are processed, protection and accountability controls matter. |
Apply Art.32-style safeguards to personal data used in KYC, investigations, and cross-border compliance records.
Key terms
- On-Chain Analytics: On-chain analytics is the analysis of public blockchain data to identify transaction patterns, risk signals, and entity relationships. It supports compliance and investigation work by turning wallet activity into usable evidence, but it still depends on human judgement and workflow controls to drive action.
- Know Your Customer: Know Your Customer is the process of verifying a customer’s identity before or during onboarding in regulated environments. In crypto oversight, it helps bind wallet or account activity to a real-world person or business, creating accountability for monitoring, sanctions screening, and suspicious activity review.
- Beneficial Ownership: Beneficial ownership identifies the natural person who ultimately owns or controls an entity, even if that control is indirect. In digital asset compliance, it helps teams move beyond surface-level account data and understand who should be accountable when funds, wallets, or service providers are used.
- Market Integrity: Market integrity is the condition in which trading and transaction environments operate fairly, transparently, and without manipulation or abuse. In crypto regulation, it covers controls that reduce deception, surveillance gaps, and unfair advantage, especially in markets that cross platforms and jurisdictions.
What's in the full report
Chainalysis's full report covers the operational detail this post intentionally leaves for the source:
- Jurisdiction-by-jurisdiction breakdowns of how 25 major markets approach AML/CFT, consumer protection, and market integrity
- Specific coverage of how regulation is expanding into DeFi, stablecoins, and cross-border friction points
- The report’s broader methodology for interpreting on-chain activity across 73% of the ecosystem
- Implications for compliance teams deciding how to adapt monitoring, reporting, and risk triage workflows
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners translate identity control principles into programmes that support compliance, risk, and operational resilience.
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org