When a stablecoin issuer says they run KYT, they usually mean one of two things: screen addresses at the point of mint, or run incoming transaction checks on the redemption flow. Both are necessary. Neither is sufficient.
The compliance problem for a stablecoin issuer is structurally different from the problem an exchange faces. An exchange controls both sides of every transaction. It screens the customer on deposit. It screens the destination on withdrawal. The issuer controls neither. Once a token leaves the mint, it becomes a bearer instrument. It moves across every chain, every bridge, and every protocol that supports it. The issuer retains freeze authority: the ability to immobilize the token on supported chains. But freeze is only useful if you can see the problem first. Freeze is also irreversible. A wrong freeze is a legal and operational event you have to unwind publicly.
The post-mint visibility gap
A USDC or USDT token that leaves a minting desk today may be deposited into a DeFi lending protocol tomorrow. Next week it could be bridged to Solana. A month later it might sit in a wallet whose risk profile has changed twice since the original mint. The issuer had no transaction with that final holder. The issuer has no KYC file on them. But the issuer does have freeze authority over that token.
Regulators and banking partners understand this gap now. Under the GENIUS Act, US stablecoin issuers must demonstrate AML controls that extend beyond direct customers. The GENIUS Act does not define a specific report format, but FinCEN exam procedures treat "ongoing monitoring adequate to the risk profile" as a continuous obligation, not a quarterly checkbox. Under MiCA's Electronic Money Token framework, Article 83 requires issuers to implement transaction monitoring systems proportionate to the nature, scale, and complexity of the issuer's activities. MAS Notice PSN01 in Singapore sets a similar expectation for major payment institutions. The practical ask across all three jurisdictions is the same: where is your token, who holds it, and what risk is building.
Screening versus monitoring: the core distinction
Screening is transactional and point-in-time. You submit an address or transaction hash. You get a risk score at that moment. It answers two questions: is this address sanctioned right now? Does this transaction touch a known mixer?
Monitoring is continuous and ecosystem-wide. It answers different questions. Across all addresses holding my token today, what is the aggregate risk exposure? Has any holder's risk profile changed since last week? Which wallet cluster just crossed a concentration threshold that requires a SAR filing?
An issuer who only screens at mint is solving yesterday's problem. An address that received a mint in January may be flagged in March. An OFAC designation lands on a Friday evening and touches hundreds of wallets that hold your token indirectly through protocols and bridges. If your only tool is a point-in-time API, you learn about it when your banking partner asks. That is too late.
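What the monitoring function described above does in practice, as an added example (not code from the original article or from any vendor): it holds a snapshot of every address holding the token, compares it with the previous snapshot, and answers the ecosystem-wide questions a point-in-time screening call cannot: aggregate exposure by risk category, holders whose attribution changed since last week, entities that just crossed a concentration threshold, and, when a new designation list lands, which holders are hit directly or sit one transfer hop downstream. Every address, balance, label and transfer in the block is constructed; the one-hop rule and the 60% concentration threshold are assumed policy values, not figures from the text.

```python
"""Continuous monitoring over a token's holder set (added example, not code from the
original article). All holders, balances, transfers and labels below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Holder:
    address: str
    entity: str     # attribution label, or "unknown" when no entity is attributed
    category: str   # risk category: exchange, defi, mixer, sanctioned, unknown
    balance: float  # token units held at snapshot time


# Constructed holder snapshots: last week's and today's.
LAST_WEEK = [
    Holder("0xaaa1", "Exchange A", "exchange", 40_000_000),
    Holder("0xbbb2", "Lending Protocol B", "defi", 25_000_000),
    Holder("0xccc3", "unknown", "unknown", 3_000_000),
    Holder("0xddd4", "unknown", "unknown", 1_000_000),
]
TODAY = [
    Holder("0xaaa1", "Exchange A", "exchange", 42_000_000),
    Holder("0xbbb2", "Lending Protocol B", "defi", 20_000_000),
    Holder("0xccc3", "Mixer cluster C", "mixer", 6_000_000),  # relabelled since last week
    Holder("0xddd4", "unknown", "unknown", 1_000_000),
    Holder("0xeee5", "unknown", "unknown", 500_000),
]
# Constructed transfer history as (sender, receiver) pairs, used for one-hop exposure.
TRANSFERS = [("0xeee5", "0xddd4"), ("0xbbb2", "0xaaa1")]


def exposure_by_category(holders):
    """Share of circulating supply held in each risk category."""
    total = sum(h.balance for h in holders)
    agg = defaultdict(float)
    for h in holders:
        agg[h.category] += h.balance
    return {cat: round(bal / total, 4) for cat, bal in agg.items()}


def exposure_by_entity(holders):
    """Share of circulating supply held by each attributed entity."""
    total = sum(h.balance for h in holders)
    agg = defaultdict(float)
    for h in holders:
        agg[h.entity] += h.balance
    return {ent: bal / total for ent, bal in agg.items()}


def label_changes(previous, current):
    """Holders whose attribution changed between two snapshots: (address, old, new)."""
    prev = {h.address: h for h in previous}
    out = []
    for h in current:
        p = prev.get(h.address)
        if p is not None and (p.category, p.entity) != (h.category, h.entity):
            out.append((h.address, p.category, h.category))
    return out


def concentration_crossings(previous, current, threshold):
    """Entities whose share of supply is above the threshold now but was not before."""
    before, now = exposure_by_entity(previous), exposure_by_entity(current)
    return [(ent, round(share, 4)) for ent, share in now.items()
            if share > threshold and before.get(ent, 0.0) <= threshold]


def designation_hits(holders, transfers, newly_designated):
    """Re-screen the holder set against a new designation list.

    Returns holders that are themselves designated, and holders one transfer hop
    downstream of a designated address (indirect exposure to queue for review)."""
    designated = set(newly_designated)
    held = {h.address for h in holders}
    direct = sorted(held & designated)
    indirect = sorted({dst for src, dst in transfers
                       if src in designated and dst in held} - designated)
    return direct, indirect


if __name__ == "__main__":
    print(exposure_by_category(TODAY))
    print(label_changes(LAST_WEEK, TODAY))
    print(concentration_crossings(LAST_WEEK, TODAY, 0.60))
    print(designation_hits(TODAY, TRANSFERS, ["0xeee5"]))
```

The point of keeping both snapshots is that the interesting signals are deltas: `0xccc3` was clean at mint time and is a mixer cluster today, and Exchange A did not breach the concentration threshold until this week. A screening API called at mint would have reported nothing for either.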
The cross-chain problem
Cross-chain movement is where most stablecoin compliance programs have a real gap. It is also where the gap is hardest to close.
When USDC bridges from Ethereum to Solana through the canonical Circle bridge, the Ethereum-side USDC is burned and native USDC is minted on Solana. The Ethereum address that sends tokens to the bridge and the Solana address that receives them belong to the same actor. Most analytics pipelines do not connect them. They ingest each chain separately. Bridge events do not appear in standard transaction feeds. The result is a blind spot exactly where a sophisticated actor would use it.
Third-party bridges are harder still. A lock-and-mint bridge wraps the token into a new contract. The new wrapped asset has a different contract address, a different token standard, and often a different name. Attribution that was solid on Ethereum does not carry over to the wrapped representation on the destination chain. Chains where transaction fees are low and wallet creation is cheap (Tron, for instance) also generate far more fresh wallets with no history, which makes entity-level attribution thinner by design.
Honest attribution requires naming where it breaks. Privacy-preserving contracts, zero-knowledge withdrawal protocols, and off-chain settlement all create gaps that no analytics tool covers completely. A compliance program that claims to see everything across all chains is either hand-waving or has not tested its edge cases. The programs that hold up are the ones that define explicit coverage boundaries, document what falls outside them, and apply conservative thresholds when attribution confidence is low.
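One way to close part of the cross-chain gap while keeping the coverage boundary explicit, as an added example (not code from the article, Circle, or any bridge operator): pair each source-chain burn or lock with a destination-chain mint, preferring an exact bridge message id where the bridge exposes one and falling back to a same-asset, same-amount, time-window heuristic otherwise, then carry the source actor's label to the destination actor with a confidence discount for heuristic links. Anything that cannot be paired is returned as an unmatched event rather than silently dropped. The chains, contract addresses, actors, `message_id` field and the 0.7 discount are all constructed assumptions; the registry that maps wrapped and native representations back to one canonical token is what lets attribution survive a lock-and-mint bridge's new contract address and name.

```python
"""Linking source-chain bridge events to destination-chain mints so attribution carries
across the bridge (added example, not code from the article or any bridge operator).
Chains, contract addresses, actors and the message_id field are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BridgeEvent:
    chain: str
    kind: str                  # "burn" or "lock" on the source side, "mint" on the destination
    asset: str                 # token contract / mint address on that chain
    actor: str                 # sender (burn/lock) or recipient (mint)
    amount: int                # base units
    timestamp: int             # unix seconds
    message_id: Optional[str]  # bridge message id when the bridge exposes one (assumption)


# Constructed registry mapping each chain-specific representation to one canonical token,
# including a lock-and-mint wrapped representation with a different contract and name.
CANONICAL = {
    ("ethereum", "0xUSDX_ETH"): "USDX",
    ("solana", "USDX_SOL_MINT"): "USDX",
    ("tron", "T_WRAPPED_USDX"): "USDX",
}

# Constructed events from three separately ingested chains.
EVENTS = [
    BridgeEvent("ethereum", "burn", "0xUSDX_ETH", "0xALICE", 1_000_000_000, 1000, "msg-1"),
    BridgeEvent("solana", "mint", "USDX_SOL_MINT", "SOL_ALICE", 1_000_000_000, 1060, "msg-1"),
    BridgeEvent("ethereum", "lock", "0xUSDX_ETH", "0xBOB", 500_000_000, 2000, None),
    BridgeEvent("tron", "mint", "T_WRAPPED_USDX", "T_BOB", 500_000_000, 2300, None),
    BridgeEvent("ethereum", "lock", "0xUSDX_ETH", "0xCAROL", 700_000_000, 3000, None),
]

HEURISTIC_DISCOUNT = 0.7  # confidence multiplier for heuristic links (constructed policy)


def link_bridge_events(events, window_seconds=3600):
    """Pair source-side burns/locks with destination mints.

    Exact match on message id first; otherwise same canonical asset, same amount and a
    mint inside the time window. Returns (links, unmatched); each link is
    (source_actor, dest_actor, source_chain, dest_chain, method)."""
    sources = [e for e in events if e.kind in ("burn", "lock")]
    mints = [e for e in events if e.kind == "mint"]
    used, links, unmatched = set(), [], []
    for s in sources:
        match, method = None, None
        if s.message_id is not None:
            for i, m in enumerate(mints):
                if i not in used and m.message_id == s.message_id:
                    match, method = i, "message_id"
                    break
        if match is None:
            canon = CANONICAL.get((s.chain, s.asset))
            for i, m in enumerate(mints):
                same_asset = canon is not None and CANONICAL.get((m.chain, m.asset)) == canon
                in_window = 0 <= m.timestamp - s.timestamp <= window_seconds
                if i not in used and same_asset and m.amount == s.amount and in_window:
                    match, method = i, "heuristic"
                    break
        if match is None:
            unmatched.append(s)  # explicit coverage gap, reported rather than dropped
        else:
            used.add(match)
            links.append((s.actor, mints[match].actor, s.chain, mints[match].chain, method))
    unmatched += [m for i, m in enumerate(mints) if i not in used]
    return links, unmatched


def propagate_labels(links, labels):
    """Carry (label, confidence) from source actor to destination actor across each link,
    discounting confidence when the link was only inferred heuristically."""
    out = dict(labels)
    for src, dst, _, _, method in links:
        if src in labels:
            label, conf = labels[src]
            if method == "heuristic":
                conf = round(conf * HEURISTIC_DISCOUNT, 2)
            out[dst] = (label, conf)
    return out


if __name__ == "__main__":
    links, gaps = link_bridge_events(EVENTS)
    print(links)
    print("unmatched:", [e.actor for e in gaps])
    print(propagate_labels(links, {"0xALICE": ("Exchange A", 0.95), "0xBOB": ("Mixer-linked", 0.90)}))
```

The unmatched list is the documented coverage boundary the paragraph above calls for: `0xCAROL`'s lock has no visible destination mint, so it is reported as a gap, and `T_BOB` inherits a discounted label because the Tron link rests on a heuristic rather than a bridge message id.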
What a regulator-ready ecosystem report contains
When a regulator (FinCEN, OFAC, the FCA, MAS) asks a stablecoin issuer to account for ecosystem risk exposure, the question is specific. What percentage of circulating supply is held by categorized entities? What is the exposure to high-risk categories: mixers, darknet services, sanctioned jurisdictions? Has any threshold been exceeded that would require a SAR filing?
A FinCEN SAR requires: the filer's information, the subject's information, the transaction details (date, amount, account), the suspicious activity type, and a narrative. That narrative needs to be specific enough for a FinCEN analyst to understand the chain of events without blockchain expertise. "Address 0x... received funds from a Tornado Cash deposit address in transaction 0x..." is a narrative. "Elevated risk score detected" is not. The OFAC reporting obligation is more urgent: if you have reason to believe you hold a blocked asset, you have 10 business days to file a report and block the asset simultaneously.
A useful ecosystem report provides holder-level attribution: not just raw addresses, but entity labels. Named exchanges, custodians, DeFi protocols, and risk categories. It shows concentration risk by entity and cluster. It tracks risk trend over time, so the compliance team can show a regulator not just where things stand today but how they evolved. The report also needs to be producible fast. Incidents do not wait for quarterly cycles. When a mixer is sanctioned or a large holder becomes an enforcement target, the regulator's question arrives within hours. A compliance program that needs six hours of manual tracing and another day to write up a narrative is structurally behind the SLA from the start.
Action-grade evidence and the freeze decision
A freeze decision is not reversible without reputational and legal cost. The compliance program that produces action-grade evidence answers three questions before the freeze is executed: what address, with what label, supported by what evidence?
The address label needs a confidence score and a provenance trail. "Address X is labeled as Tornado Cash-linked because it received direct deposits from Tornado Cash contract 0x... on dates Y and Z, confirmed by on-chain data from provider A cross-referenced with provider B" is defensible. A single-provider label with no cross-check is not, because provider labels have errors. When Strix Leonis published attribution error rate analysis across major analytics vendors, the false positive rate for mixer-adjacent labels was non-trivial. That matters when you are freezing an address holding $4M in circulating supply.
The audit trail needs to be end to end: what address, what label, what evidence, which analyst reviewed it, what time the freeze was applied, who authorized it, and what the post-freeze outcome was. That trail is not just internal documentation. It is what you hand to the regulator when they ask how you made the decision.
Confidence thresholds need to be defined before an incident, not during one. A 95%-confidence label on a direct Tornado Cash deposit address supports a freeze. A 60%-confidence label on an address that transacted three hops away from a mixer does not. It supports a human review queue. The distinction between those two actions is the difference between a defensible compliance program and one that produces arbitrary outcomes under pressure.
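The evidence, narrative and threshold requirements from this section and from the SAR discussion above, expressed as a policy a compliance team could agree on before an incident, as an added example (not code from the article or any vendor): a label carries a confidence score, a hop distance and transaction-level evidence from named providers; a pre-agreed policy maps it to FREEZE, REVIEW or NONE; the SAR narrative is generated only from evidence that names addresses and transaction hashes; and the audit record captures address, label, evidence, analyst, timestamp, authorization and outcome. Addresses, transaction hashes, provider names, dates and the threshold values are constructed placeholders, not figures from the text.

```python
"""Action-grade evidence and the freeze decision (added example, not code from the
article). Addresses, transaction hashes, providers and policy thresholds are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Evidence:
    counterparty: str        # address the subject transacted with
    counterparty_label: str  # e.g. "mixer deposit contract"
    tx_hash: str             # on-chain transaction proving the link
    date: str
    provider: str            # analytics provider asserting the link


@dataclass(frozen=True)
class Label:
    address: str
    label: str
    confidence: float        # pipeline confidence, 0..1
    hops: int                # 0 = direct interaction with the labelled counterparty
    evidence: List[Evidence]


# Constructed policy, fixed before any incident: what it takes to freeze vs. to queue for review.
POLICY = {
    "freeze_min_confidence": 0.95,
    "freeze_max_hops": 0,
    "freeze_min_providers": 2,   # a single-provider label is never enough to freeze
    "review_min_confidence": 0.60,
}


def decide(label, policy=POLICY):
    """Map a label to FREEZE, REVIEW or NONE under a pre-agreed policy."""
    providers = {e.provider for e in label.evidence}
    tx_backed = bool(label.evidence) and all(e.tx_hash for e in label.evidence)
    if (label.confidence >= policy["freeze_min_confidence"]
            and label.hops <= policy["freeze_max_hops"]
            and len(providers) >= policy["freeze_min_providers"]
            and tx_backed):
        return "FREEZE"
    if label.confidence >= policy["review_min_confidence"]:
        return "REVIEW"
    return "NONE"


def narrative(label):
    """SAR-style narrative naming addresses and transactions; refuses to emit one that
    is not traceable to transaction-level evidence."""
    if not label.evidence or any(not e.tx_hash for e in label.evidence):
        raise ValueError("narrative requires transaction-level evidence")
    return " ".join(
        f"Address {label.address} received funds from {e.counterparty_label} "
        f"{e.counterparty} in transaction {e.tx_hash} on {e.date} (per {e.provider})."
        for e in label.evidence)


def audit_record(label, analyst, authorizer, applied_at, outcome):
    """End-to-end trail: address, label, evidence, reviewer, time, authorization, outcome."""
    return {
        "address": label.address,
        "label": label.label,
        "confidence": label.confidence,
        "decision": decide(label),
        "evidence": [(e.tx_hash, e.provider) for e in label.evidence],
        "analyst": analyst,
        "authorized_by": authorizer,
        "applied_at": applied_at,
        "outcome": outcome,
    }


# Constructed cases mirroring the text: a direct deposit seen by two providers, the same
# kind of link seen by one provider only, and a three-hop association.
DIRECT = Label("0xSUBJECT_A", "mixer-linked", 0.97, 0, [
    Evidence("0xMIXER_CONTRACT", "mixer deposit contract", "0xTX_1", "2024-01-10", "provider A"),
    Evidence("0xMIXER_CONTRACT", "mixer deposit contract", "0xTX_1", "2024-01-10", "provider B"),
])
SINGLE_PROVIDER = Label("0xSUBJECT_B", "mixer-linked", 0.97, 0, [
    Evidence("0xMIXER_CONTRACT", "mixer deposit contract", "0xTX_2", "2024-01-11", "provider A"),
])
THREE_HOPS = Label("0xSUBJECT_C", "mixer-linked", 0.60, 3, [
    Evidence("0xINTERMEDIARY", "intermediary wallet", "0xTX_3", "2024-01-12", "provider A"),
])


if __name__ == "__main__":
    for case in (DIRECT, SINGLE_PROVIDER, THREE_HOPS):
        print(case.address, decide(case))
    print(narrative(DIRECT))
    print(audit_record(DIRECT, "analyst-1", "authorizer-1", "2024-01-12T21:04:00Z", "frozen"))
```

Note that `SINGLE_PROVIDER` has the same confidence and hop distance as `DIRECT` and still lands in the review queue: the cross-check requirement is encoded in the policy, so the outcome does not depend on who is on shift when the designation lands.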
What good looks like
The stablecoin compliance programs that hold up under regulatory scrutiny share a few structural characteristics.
They separate the screening function (point-in-time, API-driven, integrated into the mint and redemption flow) from the monitoring function, which is continuous, ecosystem-wide, and alert-driven. They treat those as two different products solving two different problems, not one product doing both poorly.
They have defined SLAs for sanctions designations. When OFAC publishes a new SDN entry, the relevant wallets need to be identified and reviewed in minutes, not hours. The 10-business-day OFAC filing window sounds long until you account for the time needed to investigate, document, and escalate.
They produce reports that a non-technical examiner can follow. The investigation graph, entity attribution, and SAR narrative come from a single source. They are not assembled by hand from three separate tools by an analyst who has been awake since the Friday evening designation.
Most importantly, they are built on attribution that can be defended. When a freeze decision is made, the audit trail is complete: address, label, evidence, analyst, timestamp, authorization. That trail is what separates a compliance program from a compliance posture.