Client Alert: Notice on Use of Blockchain Analytics for New York Banking Organizations

What Is New?

On September 17, 2025, the New York State Department of Financial Services (DFS or the Department) issued guidance urging all New York banking organizations and foreign banking branches licensed by DFS to incorporate blockchain analytics tools into their compliance and risk management frameworks as they explore blockchain use cases. This guidance builds on the Department’s April 2022 guidance directed at BitLicensees and limited purpose trust charter institutions and expands expectations to traditional banking institutions engaging in or contemplating virtual currency-related activity (VCRA).[1]

The Department emphasized the utility of blockchain analytics in identifying and mitigating risks associated with money laundering, sanctions, violations, and other illicit activities. Covered institutions are expected to tailor blockchain analytics controls to their business models and risk appetites and reassess these frameworks regularly. This guidance signals a heightened regulatory expectation for proactive risk management in the face of increasing virtual currency (VC) adoption.

Highlights

Current State: Blockchain Analytics Recommended for Crypto Companies

Prior to this guidance, blockchain analytics expectations were primarily directed at VC entities licensed under 23 NYCRR Part 200 or chartered as limited purpose trust companies under the New York Banking Law. These entities were advised in April 2022 to use blockchain analytics for transaction monitoring, wallet screening, and risk assessment (“Analytics Guidance”). In December 2022, the Department issued guidance (VCRA guidance) requiring banking organizations to seek prior approval before engaging in new or significantly different VC-related activities. However, traditional banking institutions increasingly have crypto exposure through customer activity or partnerships with virtual asset service providers (VASPs), often without the same level of analytical rigor applied by VC entities. This discrepancy created a regulatory gap in risk identification and mitigation, particularly as crypto-related threats have evolved and proliferated.

Future State: Blockchain Analytics for Banking Third-Party Risk Management

Under the new guidance, covered institutions are expected to reference the Analytics Guidance and consider integrating blockchain analytics tools into their compliance programs. The Department outlines use cases including:

• wallet screening
• source-of-funds verification
• ecosystem monitoring
• counterparty risk assessments
• activity evaluation

The rationale for this updated guidance likely stems from the growing complexity and risk exposure associated with virtual currency in the banking industry. The monitoring capabilities that were effective in traditional finance will no longer ensure compliance with Office of Foreign Assets Control or suspicious activity reporting obligations. The transparency of blockchain enables the risk management of counterparties via “provenance tracing”, which allows identification of risks associated with transactions not typically possible in traditional finance.[2] This public transparency extends to the regulatory agencies: if a regulated entity fails to detect illicit use of its products (such as stablecoin transactions in sanctioned countries), a regulator could identify it using blockchain analytics without prior contact with the financial institution. As with traditional finance, these findings can lead to serious regulatory consequences, including Matters Regarding Attention, fines, or limits on operations.

Preparing to Use Blockchain Analytics

Organizations should ensure their employees are prepared for blockchain analytics integration, while not explicitly referenced in the Analytics Guidance. All staff impacted by blockchain analytics tools—from those with model risk management responsibilities through to end users—should have a robust understanding of the tools and their intended use. Even the most robust blockchain analytics controls can be rendered ineffective if personnel lack a working understanding of VC and its unique risks. Insufficient training can lead to two equally damaging outcomes: staff may overlook suspicious activity due to unfamiliarity; or may overcompensate by imposing blanket restrictions, such as inadvertently blocking legitimate transactions, which can lead to customer complaints.

To avoid these pitfalls, organizations should develop ongoing education initiatives tailored to the evolving landscape of virtual assets and develop clear procedures on how to use the analytics tools based on the entity’s risk appetite. This will ensure that staff can distinguish between genuine threats and routine activity and support sound decision-making and regulatory compliance while enabling innovation and legitimate business opportunities.

What This Means for Your Organization

Financial institutions operating in New York or under DFS jurisdiction should immediately assess their exposure to virtual currency-related activity and evaluate the adequacy of their risk management frameworks. Covered institutions should consider adopting blockchain analytics tools to monitor customer activity, assess counterparty risks, and detect potential illicit activity. Given the Department’s emphasis on tailoring controls to each institution’s risk appetite and business model, a one-size-fits-all approach will not suffice. The urgency of this update is underscored by the Department’s recognition of emerging threats and the critical role banking organizations play in safeguarding the financial ecosystem.

Noncovered institutions considering VC-related activity, including institutions not regulated by DFS, should also consider building controls in line with their risk appetites. DFS’s guidance provides examples of the risk-based approach for this activity.

BRG’s Financial Crimes Advisory team assists institutions in evaluating blockchain analytics solutions, integrating them into existing compliance programs, and aligning with DFS expectations. Our experts—including former regulators, compliance officers, blockchain specialists, and banking executives—have decades of experience helping financial institutions navigate complex regulatory changes. Our team of experts can support you as you navigate these evolving regulatory expectations.

Notes

[1] DFS defined VCRA in its December 15, 2022, guidance: “For the purposes of this Guidance, ‘virtual currency-related activity’ includes all ‘virtual currency business activity,’ as that term is defined in 23 NYCRR § 200.2(q), as well as the direct or indirect offering or performance of any other product, service, or activity involving virtual currency that may raise safety and soundness concerns for the Covered Institution or that may expose New York customers of the Covered Institution or other users of the product or service to risk of harm.” DFS, “Industry Letter Regarding Prior Approval for Covered Institutions’ Virtual Currency-Related Activity” (December 15, 2022). https://www.dfs.ny.gov/system/files/documents/2025/04/il20221215_prior_approval_rev.pdf

[2] DFS clarified the provenance tracing in its April 28, 2022, guidance: “virtual currencies, by their nature, typically enable provenance tracing (i.e., review of previous transfers or ‘hops’ along the public blockchain ledger, or ‘on-chain’). Put differently, the blockchain ledger’s immutability typically allows a historical view of a virtual currency transmission between wallet addresses, providing the opportunity for greater visibility into transaction lineage than is typically found with traditional, fiat funds transfers.” DFS, “Guidance on Use of Blockchain Analytics” (April 28, 2022). https://www.dfs.ny.gov/industry_guidance/industry_letters/il20220428_guidance_use_blockchain_analytics