EA Notice: This feature is currently in Early Access (EA) mode. If you are interested in joining the Early Access phase, contact your Customer Success Manager for more information.
You can configure Fireblocks to provide transaction information, such as output address, transaction hash, and a Customer Reference ID, to TRM Labs for Know Your Transaction (KYT) screening. Using the AML Transaction Screening Policy, you decide which transactions are screened and sent to TRM Labs for further analysis.
Note: The AML integration is a premium feature that requires an additional purchase. Reach out to your Customer Success Manager if you do not have an agreement with an AML provider or you need help enabling the feature.
Benefits of TRM Labs
- Advanced risk coverage for decentralized finance (DeFi) protocols and cross-chain activity
- The Fireblocks Console displays risk scores using TRM Labs' native risk labels (Unknown, Low, Medium, High, Severe)
- Support for a broad range of blockchains, including Bitcoin, Ethereum, Solana, TRON, and more
- Unified policy management — configure TRM Labs screening rules alongside your existing compliance policies in the Fireblocks Console
- No custom development required
Viewing risk information
Auditable risk information about all your screened transactions is available from TRM Labs and Fireblocks. You can view your screened transactions on the Fireblocks Console's Transaction History page and Audit Log, or use the Fireblocks API. Transaction rejection information is only available from Fireblocks.
You can also receive notifications of indirect risk exposure and ongoing risk attributions via alerts in the TRM Labs UI.
Before you begin
Before you can connect your TRM Labs account, complete the setup of your compliance integrations.
Initial setup
Generate your TRM Labs API key
- Log in to your TRM Labs dashboard.
- Go to your account settings and navigate to the API Keys section.
- Generate a new API key.
- Copy the API key.
Note: Make sure the user generating the API key has the required KYT API access permissions in TRM Labs. If the user generating the API key is removed from your TRM Labs account, you will need to generate a new API key.
Activate the TRM Labs integration on Fireblocks
- In the Fireblocks Console, go to Policies > Compliance > AML Policy > Connect.
- Select TRM Labs.
- Enter your TRM Labs API key.
AML Transaction Screening Policy
The TRM Labs integration uses your workspace's AML Transaction Screening Policy to determine which incoming and outgoing transactions to screen. Upon activating the TRM Labs integration, the default AML Transaction Screening Policy is used until you create an optional custom policy.
The Screening Policy evaluates each transaction against your configured rules using the following parameters:
| Parameter | Description |
| Direction | Whether the rule applies to inbound, outbound, or any transactions. |
| Source | The source account type for the transaction. |
| Destination | The destination account type for the transaction. |
| Amount | The transaction amount range in USD. |
| Asset | The specific asset or any asset. |
| Action | Screen — send the transaction to TRM Labs for screening. Pass — skip screening and allow the transaction automatically. |
Note: A default screening rule (Default AML TRM Labs screen rule) is automatically applied to your workspace. This rule passes all transactions that do not match a custom rule above it. You can add custom rules above the default to screen-specific transaction types.
AML Post-Screening Policy
The TRM Labs integration uses your workspace's AML Post-Screening Policy to pre-determine what action to take on a screened transaction based on the result returned by TRM Labs. Upon activating the TRM Labs integration, the default AML Post-Screening Policy is used until you create an optional custom policy.
TRM Labs returns risk results using the following native risk labels:
| Risk label | Description |
| Unknown | TRM Labs was unable to determine a risk score for the transaction or address. |
| Low | The transaction or address presents a low level of risk. |
| Medium | The transaction or address presents a moderate level of risk. |
| High | The transaction or address presents a high level of risk. |
| Severe | The transaction or address poses the highest risk, typically associated with sanctions, terrorist financing, or other critical categories. |
For the full TRM Labs definition of each risk level, see Risk Score Levels in the TRM Labs documentation.
Note: The Wait action is specific to TRM Labs and reflects the asynchronous nature of transaction screening. A transaction held with a Wait action is re-evaluated when a new screening result arrives or when the Valid Before time window elapses.
The Post-Screening Policy evaluates the result against your configured rules using the following parameters:
| Parameter | Description |
| Direction | Whether the rule applies to inbound, outbound, or any transactions. |
| Risk Score Level | The TRM Labs risk label to match: Unknown, Low, Medium, High, Severe, or Any. |
| Category | The number of risk categories matched, or Any Category. For the full list of available TRM Labs risk categories, see Supported Categories in the TRM Labs documentation. |
| Valid After | The minimum time (in seconds) that must have elapsed since the transaction was registered with TRM Labs before this rule applies. |
| Valid Before | The maximum time (in seconds) after registration within which this rule applies. |
| Status | The screening status at the time of evaluation: Completed, Pending, Failed, or Any. |
| Amount | The transaction amount range in USD. |
| Asset | The specific asset or any asset. |
| Action | Accept — approve the transaction. Reject — block the transaction. Wait — hold the transaction pending the result of further screening. |
Default Post-Screening Policy rules
Fireblocks applies default rules automatically when you activate TRM Labs. These rules appear greyed out in the Console and cannot be edited or removed. They handle the standard lifecycle of TRM Labs' asynchronous transaction screening:
| Rule | Status | Valid After | Valid Before | Action | Purpose |
| Default AML TRM Labs accept | Any | Any | Any | Accept | Default rule is to accept transaction |
Note: Custom rules you add above the default rules take precedence. Rules are evaluated in order — the first matching rule wins.
Additional configurations
You can set up Customer Reference IDs to automatically associate users with incoming and outgoing transactions. This allows you to view the potential risk of transacting with each user.
Updating your API key
To switch to a new TRM Labs API key, submit a ticket to Fireblocks Support and provide your new API key. The Fireblocks team will update the key for your integration.
Testing transaction rejection
Incoming transactions
- Add two rules to the end of your AML Post-Screening Policy that reject small dust transactions (e.g., $0.0568) from an identified source, such as from a well-known exchange. The first rule should accept all transactions greater than $0.0568 and the second rule (the last rule on the policy) rejects all transactions.
- Initiate transactions above and below the amount threshold to trigger the respective rules.
These rules can be disabled at your request. Also, remember that only transactions with an attribution made within the Inbound Blocking Timeout period will be rejected. This does not include transactions that receive an “Unknown” screening result from TRM Labs.
Outgoing transactions
- Create a reject rule on your AML Post-Screening Policy to match transactions identified as high-risk by TRM Labs.
- Set one of your destination wallet addresses as a custom address in TRM Labs. You can delete the custom address after you complete testing.
These rules can be disabled at your request. Also, remember that only transactions with an attribution made within the Outbound Blocking Timeout period will be rejected. This does not include transactions that receive an “Unknown” screening result from TRM Labs.
Supported assets
Fireblocks supports all tokens on the following blockchains for screening with TRM Labs.
Notes:
- Testnet assets are not currently supported.
- You can only have one AML provider integrated with your workspace at a given time. To change AML providers, contact Fireblocks Support.