The Wolfsberg Group's new guidance aligns with how crypto firms already operate: robust, transparent on‑chain data supports rules-based, supervised, and unsupervised models out of the box, but what does this mean for compliance professionals?
Key insights:
-
-
-
Blockchain data exceeds Wolfsberg expectations — Public, attribution-rich ledgers give crypto firms immediate access to behavioral, network, and cross-chain signals that traditional banks must retrofit or request from third parties.
-
Crypto companies can leverage this data — With abundant labeled history and real-time on-chain context, crypto companies can combine rules, supervised machine learning, and unsupervised discovery to identify emerging typologies faster and with clearer explainability.
-
SARs become actionable intelligence, not just checked boxes — By including wallets, hashes, and traceable flows, this data can turn SARs filings into ready-to-investigate leads for law enforcement, thereby converting compliance from a cost center to a competitive advantage.
-
-
The Wolfsberg Group’s recent framework on modernizing suspicious activity monitoring comes at a crucial time for cryptocurrency companies. Traditional financial institutions are being encouraged to go beyond basic transaction monitoring by including behavioral analysis, network effects, and various risk indicators in their anti-money laundering (AML) programs. For cryptocurrency companies, the framework describes capabilities that blockchain data infrastructure was essentially built to support.
Wolfsberg’s recommendations map almost perfectly to what blockchain businesses already are able to do. While traditional banks work to update legacy transaction monitoring systems with new capabilities, crypto companies operate in an environment in which the data for complex monitoring already exists. For crypto companies, this shouldn’t be seen as simply having to adapt to a new standard, but rather as a unique opportunity to set a new standard.
Investigation advantages built into the technology
Traditional financial investigations operate within closed systems. Investigators, at the start of an investigation, primarily have access to data points from their institution and what is available online. They may then need to gather additional information, each controlled by different institutions with their own legal requirements and timelines. The financial trail crosses multiple organizations, jurisdictions, and record-keeping systems that do not communicate with each other. With Suspicious Activity Reports (SARs) filings, investigators are often forced to close an investigation with gaps in the full picture.
Cryptocurrency investigations begin with transparency. Blockchain attribution tools offer visibility into fund flows throughout the entire ecosystem. The financial trail is recorded on a public ledger, in which tracking money doesn’t require negotiating with counterparts or waiting for legal approvals. This fundamentally changes what’s possible during an investigation. Questions that would take traditional investigators weeks to answer through formal channels or go unanswered by the time the SAR is due can be resolved in hours using attribution data and on-chain analysis.
The data available to cryptocurrency companies means they can move past compliance as a check-the-box exercise and start getting creative when thinking about what’s actually possible.
The Wolfsberg framework emphasizes “expanded risk indicator coverage” by analyzing data points beyond transaction amounts, dates, and counterparties. Blockchain companies have easy access to this data — wallet age, complete transaction history, interaction patterns with decentralized finance protocols, network connections to known bad actors, mixing service usage, cross-chain behavior, and anomalies that would be invisible in traditional banking. The data exists and is readily available for use in innovative and unique ways.
Detection models that can do more than react
Wolfsberg recommends combining three approaches: i) rules-based monitoring for known risks; ii) supervised machine learning for identifiable patterns; and iii) unsupervised methods for detecting emerging threats. Cryptocurrency companies can implement all three at the same time because the underlying data supports each approach.
Rules-based monitoring handles obvious cases such as sanctioned wallet addresses, direct transfers from darknet marketplaces, and transactions routed through high-risk jurisdictions. This represents baseline coverage that almost every crypto company will already have implemented. Adding the ability to look up scam wallets that are self-reported by victims online and community reporting capabilities in blockchain forensic tools, the foundation for much more effective risk mitigation is easily established.
Using blockchain’s historical data, models can be trained on years of confirmed criminal activity that law enforcement or blockchain tools have already identified. As traditional banks can’t access validated historical data across the entire payment ecosystem at this scale, they typically must rely on internal data and industry guidance to develop their models. Cryptocurrency companies, however, can utilize blockchain history and attribution databases that document known illicit activity. This means models can be trained on nearly unlimited applicable data from the past and can even be trained on near-real-time data as it gets added to databases.
Yet, it is with unsupervised learning that crypto companies can genuinely innovate beyond what traditional finance does by feeding attributed wallets, self-reported fraud wallets, and public blockchains directly into machine learning or AI models. With this, companies can analyze complex, interconnected patterns of activity that allow models to continuously identify emerging typologies and patterns in near real-time and potentially instantly expose gaps in a scenario’s current coverage.
It is with unsupervised learning that crypto companies can genuinely innovate beyond what traditional finance does by feeding attributed wallets, self-reported fraud wallets, and public blockchains directly into machine learning or AI models.
The data available to cryptocurrency companies means they can move past compliance as a check-the-box exercise and start getting creative when thinking about what’s actually possible.
SAR quality as intelligence product
The Wolfsberg framework addresses SAR quality directly, highlighting the problem of financial institutions filing too many low-value reports because their systems generate alerts that they cannot fully resolve. Indeed, institutions file thousands of SARs because they have unanswered questions or are unsure of exactly what is going on due to a lack of available data, not because they’ve identified actual money laundering.
Blockchain data changes what SAR filings can look like in ways that matter for law enforcement. When attribution tools indicate that funds originated from a wallet cluster associated with ransomware, were transferred through a mixing service, appeared in a customer’s deposit address, and were immediately withdrawn to a known cash-out service, the SAR can describe the exact pattern of suspicious activity with on-chain evidence for each step.
Including wallet addresses and transaction hashes in SAR narratives provides investigators with something traditional bank SARs rarely offer: immediate starting points they can follow without additional legal process, immediately making the SAR actionable intelligence.
Law enforcement agencies are overwhelmed with SARs, and it often feels like an investigator’s SAR filings don’t lead anywhere. However, when investigators can include information that helps law enforcement investigate and prosecute cases quickly and effectively, those investigators also may start seeing activity on the blockchain, such as illicit actors’ wallets slow down or funds be seized from a scammer’s wallet. This not only helps with the feedback loop but also confirms to an investigator that their work is making a real difference.
Building programs that lead instead of follow
The Wolfsberg framework also makes clear that innovation in AML isn’t optional. Criminal networks evolve too quickly for static rule sets and outdated monitoring systems. Advanced approaches need to be explainable, properly validated, and integrated into broader risk management frameworks.
Financial institutions need to build models that fully use available blockchain data, then validate them against on-chain patterns that can be directly observed. They should also train their investigators to understand blockchain attribution and network analysis — not just how to read a blockchain explorer, but how to interpret what attribution tools reveal about fund flows and network connections. When filing SARs, institutions need to include the on-chain evidence that makes their filings immediately actionable for law enforcement.
Traditional financial institutions are modernizing systems designed for the pre-internet era, while cryptocurrency companies are building compliance programs in a data-rich environment that makes certain investigations more effective than they’ve been in the past. The opportunity here isn’t just about meeting the Wolfsberg recommendations; rather the opportunity is showing what becomes possible when compliance programs are built with these capabilities from the ground up and when the data advantages inherent to blockchain technology get used to their full potential.
That will be what changes how regulators think about the industry — and what turns compliance from a cost center into a competitive advantage.
You can find more of our coverage of SARs and related efforts to combat financial crimes here
