KYT for Stablecoin Issuers: What BA Sees When USDT Freezes a Wallet

This is part 4 of our "Tools for Compliance" series. Part 3, Ongoing Customer Wallet Monitoring, covered the CASP's view of its customers. Our latest briefing, Stablecoin Freeze, covered the holder's view of the kill switch. This one completes the triangle: the issuer's view — the transaction-level workflow that runs before a compliance team ever calls addBlackList.

A stablecoin issuer occupies a strange seat in the compliance landscape. It is not a CASP — it has no retail customer making a deposit, no withdrawal to gate. Its token moves permissionlessly between wallets it has never onboarded. And yet the issuer carries sanctions exposure on every one of those transfers, regulatory obligations on its mint and redemption flows, and — uniquely — the unilateral power to act. Know Your Transaction (KYT) is how an issuer turns total visibility plus zero gatekeeping into a defensible control.

Why Issuers Run KYT at All

The obligation stack for a stablecoin issuer comes from three directions at once:

• MiCA Title IV (EMTs) and Title III (ARTs) — an EU-authorised issuer is an e-money institution or credit institution with reserve, redemption, and governance obligations. That authorisation makes it an obliged entity under the EU AML framework, with transaction-monitoring expectations attached — particularly on the flows it actually intermediates: issuance and redemption.
• Sanctions law, everywhere, regardless of MiCA — OFAC's strict-liability regime does not care whether the issuer is EU-authorised, offshore, or neither. An issuer whose token is used by a designated entity faces the question "what did you know, when, and what did you do about it" — and the on-chain record answers the first two parts whether the issuer was watching or not.
• The practical reality of the freeze power — because the issuer can act, law enforcement, regulators, and victims expect it to. The freeze authority that makes the token controllable also makes the issuer accountable for how quickly and consistently it is used.

Note what is not on the list: a customer relationship. For the overwhelming majority of transfers, the issuer has never met either side. That asymmetry — full visibility, no gate — is what makes issuer KYT structurally different from CASP screening.

The Per-Transaction Decision: What Gets Evaluated

KYT reduces to one question asked continuously: does this transfer change what we know about the risk of these addresses? The payload behind a single KYT decision:

• Counterparty labels — what is known about the sending and receiving addresses: exchange deposit address, mixer, darknet market, gambling service, sanctioned cluster, exploit-attributed wallet
• Direct list status — either address on OFAC SDN crypto entries, EU consolidated, UN, UK HMT, SECO — or in the clusters attached to those designations
• Indirect exposure — hop distance to the nearest high-risk entity, weighted by value and recency — the same exposure logic CASP screening uses, run over the issuer's entire transfer stream
• Cross-issuer signals — was either address recently frozen by another issuer? A USDC blacklisting is a high-confidence risk statement about an address that also holds USDT — and vice versa
• Flow patterns — consolidation sweeps after an exploit, peel chains, rapid hop sequences designed to outrun attribution, structuring around mint/redeem thresholds
• Velocity and value anomalies — for addresses interacting with the mint/redeem flows, deviation from their established pattern

The output is not a binary. A usable KYT decision is a risk score with reasons attached — the label, the hop distance, the cluster, the triggering rule — because the next consumer of that decision is an analyst who has to act on it within hours, sometimes while the funds are still moving.

The Rule Set an Issuer Actually Runs

Issuer KYT rules cluster into four tiers, ordered by how automatic the response can be:

Tier 1 — Designation events (response: freeze-track, fast)

A sanctions designation lands with crypto addresses attached, or law enforcement serves a request with named wallets. The rule is a lookup; the work is the response procedure: verify, sweep the cluster for related addresses across every chain the token lives on, freeze, document. Speed is the metric — the gap between designation and freeze is the launderer's window, and it is the number researchers and journalists will later measure.

Tier 2 — Exploit and theft attribution (response: freeze-track, verified)

A hack is attributed and the destination addresses identified — by the victim, by investigators, by the issuer's own tracing. Funds are typically mid-laundering: consolidating, splitting, bridging. The rule set follows the flow — new addresses receiving from the attributed cluster inherit the risk — and the freeze decision needs enough verification to survive a wrongful-freeze claim, but little enough delay to beat the next hop.

Tier 3 — Exposure thresholds (response: investigate)

Addresses whose exposure profile crosses documented thresholds: too close to a mixer, sustained flows with a sanctioned-cluster-adjacent counterparty, patterns matching a known typology. These feed an analyst queue, not a freeze queue — the same calibration discipline from part 3 applies, because an issuer's transfer stream is orders of magnitude noisier than a CASP's customer base.

Tier 4 — Mint/redeem counterparty rules (response: gate)

The one place classic pre-execution screening applies: the institutional counterparties in the issuance and redemption flows. Full KYC, sanctions screening at every touchpoint, source-of-funds on size — this tier looks exactly like CASP compliance because here the issuer is the gatekeeper.

From Alert to addBlackList: The Freeze Workflow From Inside

What the public sees is a blacklist transaction confirming on-chain. What produced it is a workflow an examiner — or a court — may later walk end-to-end:

1. Signal intake — designation feed, LE request, exploit attribution, or internal KYT alert; logged with timestamp and source
2. Verification — the on-chain case is assembled: how the address connects to the triggering event, cluster membership, value at stake, cross-chain footprint. A freeze that later proves wrong is a legal problem; this step is what prevents it
3. Legal review and decision — freeze powers are typically exercised under documented criteria with legal sign-off; jurisdiction of the requester matters, and so does consistency — an issuer that froze fast for one agency and slow for another will be asked why
4. Execution across chains — the blacklist call goes out on every chain where the actor holds the token; per-chain contracts mean per-chain transactions, and a missed chain is an open back door
5. Documentation and downstream handling — the case file supporting the freeze, the response to the holder's dispute if one comes, and — for stolen funds — the destroyBlackFunds-and-reissue path under court supervision

Seen from BA's side of the glass, the freeze event is the last line of this workflow becoming public. When the blacklist transaction confirms, what BA observes is the issuer's conclusion — and our data usually already contains the premises: the exploit cluster the address belongs to, the consolidation pattern of the preceding 48 hours, the exposure history that made the freeze defensible. That is why a freeze event is such a strong signal for everyone else's screening: it is a compliance decision, published on-chain, by the party with the best view of its own token.

How BA Does It

BA's KYT is API-first: one call per transaction, returning a risk decision scored against the BA graph of 1B+ labelled addresses across 80+ chains — direct list status, cluster membership, hop-weighted indirect exposure, and the triggering rules, in a payload built to drop into an automated pipeline with an analyst-readable rationale attached. The same engine ingests cross-issuer freeze events from the native USDT and USDC contracts on nine chains in real time, so a transfer involving an address another issuer froze twenty minutes ago scores as what it is: sanctions-equivalent risk, ahead of any list update.

For an issuer, that covers the full stack above — Tier 1 lookups, Tier 2 flow-following, Tier 3 exposure scoring, Tier 4 counterparty screening — with every decision logged for the audit trail. For everyone downstream of an issuer, the same data answers the inverse question: what does this freeze mean for my customers.

Next in the series: Tools for Compliance #5 — the DAC8 Reporting Workflow, where the obligation shifts from risk to tax: extracting customer transaction data in CARF-ready format before the first DAC8 exchanges fall due.