By NHI Mgmt Group Editorial TeamPublished 2026-05-27Domain: Cyber SecuritySource: Chainalysis

TL;DR: Nearly half of organisations onboarded in 2026 now operate at alerting standards that would have placed them in the top 10% in 2020, while indirect exposure thresholds are often 10 to 20 times looser than direct thresholds for categories like ransomware and fraud shops, according to Chainalysis. That gap makes indirect flow governance the control line that determines whether compliance programmes detect risk early or inherit it late.


At a glance

What this is: Chainalysis reports that digital asset compliance alerting has tightened sharply, but indirect exposure remains materially less strict than direct exposure across categories and regions.

Why it matters: For IAM, PAM, and governance teams, the lesson is that threshold design and counterparty due diligence now shape exposure control as much as transaction monitoring itself.

By the numbers:

👉 Read Chainalysis' report on how digital assets are reshaping financial compliance rails


Context

Digital asset compliance is no longer defined only by whether organisations can detect direct exposure to known illicit sources. The harder governance problem is indirect exposure, where risk arrives through intermediary addresses and threshold tuning determines whether a transaction is flagged or allowed through. For identity and access teams, this is a familiar control lesson: policy sensitivity matters as much as visibility.

Chainalysis frames the issue as a maturity shift in on-chain monitoring, with newer entrants holding far stricter alerting baselines than older programmes did in 2020. That matters because compliance outcomes depend on configurable thresholds, categorisation quality, and regional operating context, not simply on whether a monitoring platform exists. The same logic applies to broader IAM governance, where controls fail when their thresholds are misaligned with actual risk.


Key questions

Q: How should financial institutions set thresholds for indirect exposure monitoring?

A: They should set indirect exposure thresholds separately from direct thresholds and justify the difference by category, jurisdiction, and investigative capacity. A useful baseline is whether the control would flag multi-hop flows early enough to interrupt laundering before value is withdrawn or converted. If indirect thresholds are looser than direct ones, the programme should document why that risk is acceptable.

Q: Why do indirect transaction thresholds need different treatment from direct thresholds?

A: Indirect flows introduce attribution ambiguity because the funds do not arrive straight from a known illicit source. That makes them easier to under-monitor if teams copy direct-exposure settings into multi-hop scenarios. The result is delayed detection, weaker defensibility, and a larger window for illicit value to move beyond intervention.

Q: What do compliance teams get wrong about regional monitoring differences?

A: They often assume that a shared platform creates shared policy outcomes. In practice, EMEA, AMER, and APAC can apply the same tooling but still produce very different threshold behaviour, especially for indirect exposure. Teams should assess regional policy, not just central platform ownership, when reviewing counterparties.

Q: How do organisations know if indirect exposure monitoring is actually working?

A: They should test whether suspicious multi-hop flows generate alerts early enough to support investigation before funds are dispersed. A working control has coherent thresholds, consistent category treatment, and reliable entity attribution. If alerts only appear after value has already moved through several layers, the monitoring programme is late rather than effective.


Technical breakdown

Direct versus indirect exposure thresholds

Direct exposure refers to funds arriving immediately from a known illicit source. Indirect exposure adds one or more intermediary hops before the funds reach the monitored organisation, which makes risk attribution less deterministic and raises calibration questions. In practice, teams set lower thresholds for direct flows because the link to a sanctioned wallet, fraud source, or ransomware actor is clearer. Indirect flows require a policy decision about how much ambiguity is acceptable before an alert fires. That decision is not just technical, because it encodes regulatory tolerance and investigative capacity into the monitoring stack.

Practical implication: document separate threshold logic for direct and indirect exposure instead of reusing one policy across both.

Why regional compliance baselines diverge

Regional variation reflects differences in supervisory expectations, enforcement intensity, and organisational risk culture. The article shows that direct exposure monitoring is globally uniform, while indirect exposure settings vary meaningfully across AMER, EMEA, and APAC. EMEA is tighter, APAC is more lenient, and AMER sits in between. This pattern suggests that counterparty risk cannot be assessed only at the product level. The same transaction monitoring tooling can produce very different outcomes depending on where the organisation is headquartered and how its compliance team interprets indirect risk.

Practical implication: assess counterparties and affiliates by regional monitoring posture, not just by tool stack.

How compliance indexes turn configuration into governance

The report’s compliance index combines alert severity, trigger sensitivity, and minimum dollar-detection floors to show how strict an organisation really is. That is useful because raw platform adoption tells you little about whether the control is genuinely defensive. A team can use the same monitoring system and still be far more permissive if its thresholds are high, its indirect categories are narrow, or its alerting logic is inconsistently tuned. This is the same governance pattern seen in IAM programmes: policy design determines whether a control has real operational force.

Practical implication: measure the effective control posture, not just the presence of a monitoring platform.


Threat narrative

Attacker objective: The attacker’s objective is to move illicit value through monitoring gaps without triggering a compliance review at the point where intervention would still be effective.

  1. Entry occurs when illicit funds are layered through intermediary wallets to obscure the first-hop source before reaching an exchange or financial institution.
  2. Escalation happens when indirect thresholds are set 10 to 20 times higher than direct thresholds, allowing suspicious value to move further before triggering review.
  3. Impact is delayed detection, where laundered or sanctioned funds clear operational controls before investigators can intervene.

NHI Mgmt Group analysis

Indirect exposure is the category that exposes compliance maturity, not direct exposure. Direct monitoring has already converged toward a global baseline, so the differentiator is how organisations treat multi-hop flows. When indirect thresholds are 10 to 20 times looser, the control is signalling a tolerance for ambiguity rather than a mature risk posture. Practitioners should treat indirect exposure as the real test of compliance discipline.

Configuration drift is a governance problem, not a tooling problem. The article shows that the same monitoring stack can produce sharply different outcomes depending on threshold values, category definitions, and regional policy. That is structurally similar to IAM and PAM programmes where policy intent collapses if the control is left to local tuning. The lesson for identity-led governance is to manage policy consistency as an operational control.

Counterparty due diligence now has to include threshold behaviour. Organisations entering digital assets cannot rely on headline compliance claims if indirect monitoring is materially more permissive in one region or business unit. The practical question is whether a counterpart’s control environment would alert on the same patterns your own programme would consider suspicious. Teams should make threshold posture part of onboarding and third-party risk review.

Compliance defensibility depends on the quality of the underlying attribution data. Alert thresholds are only as good as the blockchain analytics that identify entities and risk categories. If the attribution layer is weak, a strict threshold still misses the wrong flows or flags the wrong ones, which creates false confidence. Practitioners should treat data provenance and entity resolution as part of the control stack, not a background dependency.

Digital asset monitoring is moving toward policy normalisation, but indirect risk remains uneven. The market is converging on stricter direct exposure rules, yet indirect exposure still reflects local legal interpretation and organisational appetite. That means the next governance gap is likely to be inconsistency across regions, counterparties, and business lines. Security and compliance leaders should expect more scrutiny of how monitoring policies are justified, not just whether they exist.

What this signals

Indirect-flow governance is becoming the compliance analogue of secret lifecycle control. The organisations that win here will not be the ones with the loudest monitoring claims, but the ones that can prove policy consistency across regions, business units, and counterparties. For practitioners, that means treating threshold reviews, category mappings, and escalation tuning as standing governance work rather than a periodic compliance exercise.

The next pressure point will be explainability. When regulators ask why indirect exposure is handled differently from direct exposure, teams will need a defensible rationale tied to risk, not habit. That is where control documentation, analytics provenance, and regional policy alignment become audit artifacts, not internal housekeeping.


For practitioners

  • Define separate thresholds for direct and indirect flows Maintain distinct policy baselines for first-hop exposure and multi-hop exposure, with documented rationale for category-specific sensitivity and escalation paths.
  • Benchmark against current peer cohorts Compare alerting floors, category coverage, and severity settings against present-day peers rather than 2020-era baselines, because the acceptable range has tightened materially.
  • Include regional posture in counterparty review Assess AMER, EMEA, and APAC monitoring behaviour during due diligence so you can spot counterparties whose indirect exposure policies are materially looser than yours.
  • Validate the attribution layer before tuning thresholds Test whether entity resolution and risk categorisation remain reliable under real transaction volumes, because threshold accuracy depends on the quality of the underlying analytics.

Key takeaways

  • Digital asset compliance has matured quickly, but indirect exposure remains the weak point in monitoring policy.
  • Nearly half of 2026 onboardings now sit at a strictness level that was top-decile in 2020, showing how fast the baseline has shifted.
  • Teams should govern indirect thresholds, regional differences, and attribution quality as core control decisions, not tuning details.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Threshold governance supports controlled access and monitoring of risky transaction flows.
NIST SP 800-53 Rev 5AU-6Audit review and analysis are central when alert thresholds determine compliance outcomes.
ISO/IEC 27001:2022A.5.15Access control policy discipline aligns with consistent threshold governance across regions.
GDPRGDPR may apply where onboarding and identity data are processed in regional compliance workflows.

Review personal data handling and cross-border governance if transaction monitoring uses identifiable customer records.


Key terms

  • Direct Exposure: Direct exposure is a first-hop transaction from a known illicit source to a monitored wallet or account. It is usually treated as the clearest compliance signal because attribution is immediate and the case for alerting is straightforward.
  • Indirect Exposure: Indirect exposure is transaction risk that arrives after one or more intermediary hops, making source attribution less certain. It is harder to calibrate because teams must decide how much layering is enough to justify a compliance alert.
  • Compliance Index: A compliance index is a composite measure that turns policy settings into a comparable strictness score. In this article, it combines alert severity, trigger sensitivity, and minimum detection floors to show how stringent an organisation’s monitoring really is.
  • Threshold Calibration: Threshold calibration is the process of setting alert floors and sensitivity levels so a monitoring system flags risk at the right time. In digital asset compliance, weak calibration often appears when indirect flows are tolerated at much higher values than direct flows.

What's in the full report

Chainalysis' full report covers the operational detail this post intentionally leaves for the source:

  • Benchmark methodology for the compliance index, including how alert severity and trigger sensitivity were combined
  • Category-by-category threshold data for indirect versus direct exposure across ransomware, fraud shops, scams, and sanctioned jurisdictions
  • Regional distributions for AMER, EMEA, and APAC that show where indirect monitoring is most lenient
  • Practical guidance on evaluating blockchain analytics data quality before tuning production alerting

👉 The full Chainalysis report includes the benchmark methodology, regional distributions, and category-level threshold comparisons.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, secrets management, and identity lifecycle control. It helps practitioners translate governance pressure into operational policy across modern security programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org