This blog is a preview of our forthcoming report, “The New Rails: How Digital Assets Are Reshaping the Foundations of Finance.”
Summary
- The industry’s compliance baseline has tightened. Nearly half of organizations onboarded in 2026 now operate at alerting standards that would have placed them in the top 10% of alerting strictness in 2020. Newer entrants are launching with more aggressive monitoring.
- Financial institutions set materially stricter thresholds than crypto exchanges. Traditional financial institutions maintain lower dollar-detection floors for both illicit and non-illicit categories, signaling tighter baseline monitoring even outside explicitly criminal exposure types.
- Indirect thresholds are often 10 to 20 times more lenient than direct thresholds for the same category. This gap is widest for categories like ransomware, fraud shops, and sanctioned jurisdictions, creating exposure pathways that sophisticated actors can exploit.
- Regions vary in treatment of indirect exposure. Geography shapes how stringently financial institutions and crypto exchanges monitor their indirect exposure to suspect flows. By contrast, organizations worldwide set uniformly stringent direct exposure configurations.
The previous chapter in this series mapped where to build — the blockchains best suited for different asset classes based on speed, cost, contagion risk, and illicit exposure. But selecting the right chain is only half the equation. The other half is monitoring what happens next. Regulators increasingly view on-chain transparency as a baseline for compliance. That means traditional financial institutions must watch out for illicit flows when entering digital assets.
This chapter examines how the industry monitors illicit exposure using Chainalysis KYT (Know Your Transaction) across hundreds of organizations worldwide. The findings reveal an industry that is increasingly strict in its compliance alerting frameworks. Still, there are meaningful differences in terms of direct versus indirect inflow alerts, segment thresholds, and regional handling of alerts, likely reflecting different socio-legal compliance environments.
A note on terminology: Direct exposure refers to funds arriving immediately from a known illicit source, while indirect exposure refers to funds that pass through intermediary addresses first. Direct monitoring has become standardized; indirect is where ambiguity remains, since there’s no universal answer for how aggressively to flag funds that touched an illicit source several hops back.
2026’s average is 2020’s top decile
To understand where the industry stands today, we first need to establish how far it has come. We constructed a “compliance index” that combines alert severity, trigger sensitivity, and minimum dollar-detection floors to measure how strictly an organization configures its indirect illicit exposure alerts. We then benchmarked all organizations against the 90th percentile of strictness observed in 2020, which we call the “gold standard” threshold of that era.
Organizations onboarded in 2020 and 2021 joined an industry still establishing norms around indirect exposure. The data reflect this: only around 10% of them met the “gold standard” for alerting. In 2023, the bars inflected upward, and by 2026, just under half of newly onboarded organizations operate at or above alerting standards that previously represented only the top decile.
This is a sign of rapid ecosystem maturation. Standard compliance configurations today would have been considered industry-leading just five years ago. The industry that financial institutions are joining has already built substantial compliance infrastructure, and the bar continues to rise.
Financial institution detection thresholds run two to five times tighter than crypto-native exchanges
The compliance posture gap varies across the industry. For example, traditional financial institutions exhibit a lower tolerance for receiving suspicious flows of any type than crypto exchanges do. We can see that by comparing their alerting thresholds. Financial institutions are setting lower triggering thresholds – meaning they’ll be alerted for smaller sums – for indirect exposure to illicit and non-illicit fund flows. This is likely a function of their legacy businesses’ heightened regulatory expectations.
The gap is especially pronounced in the two groups’ treatment of indirect exposure to non-illicit flows. On average, crypto exchanges set much higher alerting minimums ($950) than traditional financial institutions ($150). Compare this to their much tighter gap on illicit funds. There, both market segments set relatively stringent alerting floors: exchanges set alerts for flows starting at $100, while financial institutions set the floor at $55.
How direct and indirect thresholds diverge by category
We compared mean detection thresholds across dozens of illicit categories, measuring how much higher indirect thresholds are set relative to their direct equivalents. The results reveal that indirect exposure thresholds exceed direct thresholds across nearly every category, reflecting the wider ambiguity about alert calibration when inflows do not directly originate with a known source. The scale of the gap, however, varies due to the unique preferences of global compliance teams and regulatory ambiguity surrounding indirect exposure.
For the most sensitive categories, including child abuse material, sanctioned entities, special measures, and terrorist financing, organizations exhibit near zero-tolerance. They set stringent alerting thresholds — for both direct and indirect exposure — at even one penny’s-worth of flows. This is expected, as exposure to these categories carries severe reputational and regulatory risk.
For categories such as ransomware, fraud shops, scams, darknet markets, and sanctioned jurisdictions, indirect thresholds often run 10 to 20 times higher than their direct equivalents. For example, an organization that alerts on $10 of direct ransomware exposure may not flag indirect ransomware exposure until it reaches $100.
Illicit actors are aware of these discrepancies and design laundering strategies around them. Compliance programs that deprioritize indirect exposure may become all the more vulnerable to bad actors.
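An added example, not part of the original report and not Chainalysis code: a small audit of a per-category threshold configuration that flags the gaps described in this section. The configuration format, the sample values and the 10x cut-off are assumptions made for illustration; the category names and the $10 / $100 ransomware pair come from the text above.

```python
from decimal import Decimal

# Constructed sample configuration (USD alert floors). Hypothetical format,
# not a real KYT export and not real customer settings.
SAMPLE_CONFIG = {
    "ransomware":          {"direct": "10",   "indirect": "100"},
    "fraud shop":          {"direct": "10",   "indirect": "200"},
    "scam":                {"direct": "25",   "indirect": "100"},
    "sanctioned entity":   {"direct": "0.01", "indirect": "0.01"},
    "terrorist financing": {"direct": "0.01", "indirect": "50"},
    "darknet market":      {"direct": "20",   "indirect": None},
}

# Categories the article describes as near zero-tolerance (alert at one penny).
ZERO_TOLERANCE = {"child abuse material", "sanctioned entity",
                  "special measures", "terrorist financing"}
PENNY = Decimal("0.01")

def audit_thresholds(config, max_ratio=Decimal("10")):
    """Return sorted (category, finding) tuples for gaps in the configuration."""
    findings = []
    for category, floors in config.items():
        direct, indirect = floors.get("direct"), floors.get("indirect")
        if direct is None or indirect is None:
            # A missing floor means that exposure type never alerts at all.
            missing = "direct" if direct is None else "indirect"
            findings.append((category, f"no {missing} alert configured"))
            continue
        direct, indirect = Decimal(direct), Decimal(indirect)
        if category in ZERO_TOLERANCE:
            if max(direct, indirect) > PENNY:
                findings.append((category, "zero-tolerance category above $0.01"))
            continue
        # Assumed cut-off: flag when indirect is max_ratio times direct or more.
        if direct > 0 and indirect / direct >= max_ratio:
            findings.append((category, f"indirect floor is {indirect / direct:.0f}x direct"))
    return sorted(findings)

if __name__ == "__main__":
    for category, finding in audit_thresholds(SAMPLE_CONFIG):
        print(f"{category}: {finding}")
```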
Direct monitoring is globally uniform, but indirect monitoring varies by region
Compliance programs operate within different legal frameworks, depending on where organizations are headquartered, licensed, and operate. We analyzed threshold distributions across three major regions, AMER (Americas), EMEA (Europe, Middle East, and Africa), and APAC (Asia-Pacific), to measure how geography shapes alerting behavior.
For direct exposure alerting (the top pane), standards are uniform across geography. Threshold distributions are tightly clustered and nearly identical across all three regions, with organizations worldwide treating direct illicit exposure as consistently high-risk, necessitating low-dollar threshold triggers. This convergence likely reflects the universal nature of direct exposure risk, as regulators everywhere expect organizations to catch funds flowing directly from sanctioned wallets or known illicit actors.
By contrast, indirect exposure thresholds vary by region. EMEA maintains the strictest and most concentrated distributions, with organizations setting relatively low alerting thresholds near the $100 level across common illicit categories such as scams, fraud shops, and ransomware. The left-hand tail of the EMEA distribution highlights zero-tolerance alerting for categories such as sanctioned jurisdictions and stolen funds. The AMER distribution has a left-hand tail identical to EMEA’s, covering almost identical zero-tolerance categories. However, AMER’s distribution is less symmetric: a longer right-hand tail extends leniency to the categories listed above that EMEA deems more sensitive. Overall, AMER falls in the middle, combining moderate clustering with broader dispersion. APAC exhibits the most lenient configurations overall, with a long right-skewed distribution and secondary clustering at higher dollar values.
The implication: an APAC-headquartered counterparty may operate with different indirect monitoring standards than an EMEA-headquartered one, even if both use the same compliance tooling. For institutions building cross-regional partnerships or evaluating global counterparty networks, this regional divergence deserves attention during due diligence.
What this means for financial institutions building on-chain
The data in this chapter point to an industry in transition, one that has professionalized its approach to direct exposure but which may not yet be treating indirect risk with equivalent rigor. For traditional financial institutions entering or expanding in digital assets, several implications follow.
- Benchmark against peer institutions, not industry averages. As the data show, traditional financial institutions maintain stricter thresholds than crypto-native exchanges across both illicit and non-illicit categories. Institutions entering digital assets should calibrate to TradFi peers rather than industry-wide norms.
- Treat indirect exposure as a first-class compliance priority. The industry’s gap between direct and indirect monitoring creates an opening for illicit actors to exploit. Organizations that close this gap improve their regulatory defensibility and differentiate themselves as trustworthy counterparties.
- Assess the quality of the analytics data that underpins the monitoring systems and processes. Alert thresholds and categorisation rely on blockchain analytics data, which fundamentally determine which addresses belong to which entities and which risk categories they fall into. If that foundation isn’t robust, even well-calibrated configurations will miss real exposure or flag the wrong activity. Due diligence on providers should go beyond their headline coverage numbers; ask the hard questions and consider how their data performs in production and under scrutiny.
In an industry where institutional capital increasingly demands regulatory defensibility, the rigor of an organization’s monitoring configuration becomes a competitive asset. Chainalysis KYT, Address Screening, and Reactor provide the foundation for that infrastructure, offering real-time transaction monitoring and investigative workflows for tracing complex fund flows. For institutions looking to benchmark their configurations against industry cohorts or identify gaps before regulators do, our advisory services can help.
FAQs
What is the difference between direct and indirect illicit exposure?
Direct exposure refers to transactions where an organization’s customer or wallet has immediate, first-hop contact with a known illicit entity, such as receiving funds directly from a sanctioned address. Indirect exposure refers to transactions where illicit funds flow through one or more intermediary hops before reaching the organization. Indirect exposure is particularly critical in crypto because anyone can create multiple private wallets to layer funds on-chain with minimal friction. In traditional finance, opening accounts across multiple institutions requires passing KYC checks each time, creating natural barriers to layering. The same decentralization that makes crypto accessible also makes indirect exposure monitoring essential.
Why do indirect exposure thresholds matter for compliance?
Higher thresholds mean larger amounts of illicit exposure can accumulate before an alert is generated. Organizations with lenient indirect thresholds may not detect laundered funds until they have already been processed, converted, or withdrawn, at which point regulatory and reputational damage may already be done. Tighter thresholds provide earlier warning signals, enabling proactive investigation rather than reactive remediation.
How should TradFi institutions benchmark their compliance configurations?
Institutions should compare their alerting configurations, including threshold levels, category coverage, and severity settings, against current industry cohorts rather than historical baselines. The data in this chapter show that standards have structurally tightened since 2020, meaning configurations that were once above average may now be below the median. Chainalysis can provide benchmarking analysis as part of its advisory services.
Why is there regional variation in indirect exposure monitoring?
Regional variation reflects differences in regulatory frameworks, supervisory expectations, enforcement intensity, and organizational risk culture. EMEA’s tighter configurations may reflect the influence of EU AML directives, while APAC’s more varied distribution may reflect a more heterogeneous regulatory landscape. Organizations operating globally should account for these differences when evaluating counterparties across jurisdictions.