Most regulated crypto firms approach bank selection as a sales pitch. They build a deck, request a call, send the same five-page memo to every contact, and then wait. Banks, on the other side of the table, run the same conversation as procurement — they grade you against an internal rubric you never see, and the answer arrives months later as a yes, a no, or silence.
The fix is structural. Stop pitching. Run a proper RFP against your shortlist — a written request for proposal, scored against a public rubric, with a deadline. A well-built RFP compresses diligence from 16 weeks to 8, forces every counterparty to commit in writing to the same set of operational realities, and gives you pricing leverage no individual pitch ever produces.
This guide is the template. The 47-Question Banking RFP — 8 sections, 47 scored questions, one weighting matrix per firm type, and a 0–5 grading rubric. Use it on three to five shortlisted banks and EMIs; the comparison alone will tell you who is serious about crypto and who is wasting your time.
Why an RFP Beats a Pitch
A pitch puts the bank in control of pace, criteria, and silence. An RFP inverts all three. You define the questions, you set the response deadline, and you publish the scoring rubric so every counterparty knows exactly what wins. Procurement discipline is the entire game.
Banks expect this from corporate treasurers buying cash management, FX, or trade finance. They do not expect it from crypto firms — which is precisely why it works. Sending an RFP signals you are a sophisticated counterparty, not a desperate applicant. The conversation shifts from "will you bank us?" to "why should we pick you?"
There is also a regulatory dividend. The EBA expects credit institutions to perform EDD on crypto-related customers under the Guidelines on customer due diligence.[1] An RFP pre-answers the questions the bank's MLRO will ask — substance, source-of-funds methodology, transaction monitoring stack, sanctions tooling — which is why a well-structured RFP often shaves 4–8 weeks off internal credit committee timelines.
The 8 RFP Sections
The 47 questions cluster into eight scoring sections. Each section has a purpose, a weight, and a verdict-line that should be obvious from the answer.
Section 1 — Operational Fit: account structure, currencies, settlement rails, payment file formats.
Section 2 — Substance & AML Stack: local hires, MLRO seniority, transaction monitoring vendor, EDD playbook.
Section 3 — Transaction Profile Fit: expected volumes, ticket sizes, counterparty geographies, fiat/crypto split.
Section 4 — Sanctions & Screening: OFAC/EU/UN list cadence, secondary sanctions handling, name screening tooling.
Section 5 — Custody Flow Integration: qualified custodian whitelisting, on/off-ramp policy, Travel Rule routing.
Section 6 — Audit & Assurance: SOC 2, ISO 27001, segregation of funds, audit access for your statutory auditor.
Section 7 — Pricing & SLAs: account fees, FX margins, SEPA/SWIFT costs, ticket response times, monthly minimums.
Section 8 — Exit & Continuity: notice periods, de-risking triggers, account closure run-off, data portability.
Section 1 — Operational Fit (5 questions)
Operational fit is the cheapest section to fail and the most expensive to discover late. A bank can be willing to onboard you and still be structurally incompatible with the way you actually move money.
Can you provide segregated client money accounts with dedicated IBANs per end-client?
Which currencies do you settle natively (EUR, GBP, USD, CHF, SGD, AED) and which require correspondent banking?
Do you support SEPA Instant, SWIFT gpi, and Faster Payments out of the same legal entity?
Which payment file formats do you accept (pain.001 ISO 20022, MT103, JSON API) and what is the cutoff for same-day execution?
Do you provide an API-first interface with sandbox access, or is the relationship dashboard-only?
Section 2 — Substance & AML Stack (7 questions)
How many local FTEs do you have in your licensed jurisdiction, and where do compliance and operations report?
Is your MLRO board-approved, full-time, and resident in the licensing jurisdiction?
Which transaction monitoring vendor do you use (on-chain and fiat-leg), and what are your tuning thresholds?
Provide your EDD playbook for high-risk customer types (PEPs, non-cooperative jurisdictions, privacy-coin counterparties).
What is your SAR / STR filing cadence for the last 12 months, in absolute and per-account terms?
How do you handle source-of-funds and source-of-wealth evidence on crypto-derived deposits over €100,000?
Provide the last regulatory inspection findings (redacted) and remediation timelines.
Section 3 — Transaction Profile Fit (6 questions)
Volume mismatch is the single biggest reason post-onboarding accounts get closed. The bank approves you assuming €5M/month and 200 transactions; you actually run €40M and 8,000 transactions. Pre-empt the entire conversation by disclosing forecast volumes against the bank's stated thresholds. The PSD2 Directive[3] framework is the baseline the bank will use to size your liquidity and risk profile.
What are your monthly volume thresholds before mandatory review (per account, per currency)?
What is your single-ticket limit for outbound SWIFT and SEPA without manual approval?
Which counterparty geographies are categorically off-limits (vs reviewable case-by-case)?
What fiat/crypto ratio is acceptable for our on-ramp / off-ramp flow before triggering enhanced review?
Do you accept inbound payments from non-VASP exchanges routed through OTC desks?
How many other licensed crypto clients of comparable volume do you currently service, and what is your concentration cap?
Section 4 — Sanctions & Screening (5 questions)
Sanctions failures are existential. The bank will assume you do nothing here unless you can document the opposite — vendor, list cadence, secondary-sanctions logic, and the human escalation path. OFAC, EU consolidated list, UN, HMT, and SECO are the minimum five.
Which screening vendor do you use for names, vessels, addresses, and crypto wallets?
What is your list-refresh cadence — real-time, hourly, end-of-day?
How do you treat secondary sanctions exposure (e.g. Russia-adjacent counterparties through CIS jurisdictions)?
Do you operate on-chain analytics (Chainalysis, Elliptic, TRM Labs) on incoming wallet flows?
What is the escalation SLA from alert to human decision, and who has authority to release a held payment?
Section 5 — Custody Flow Integration (5 questions)
Do you support whitelisting of a named qualified custodian as the sole counterparty for fiat instructions?
What is your policy on on-ramp / off-ramp volumes per end-user per month?
Do you carry Travel Rule payload metadata through the fiat leg using ISO 20022 reference fields?
Can you provide a named relationship manager who has worked with crypto-native EMIs in the last 24 months?
What is your stance on stablecoin issuance reserves held in tokenised MMF, T-bills, or pure deposits?
Section 6 — Audit & Assurance (6 questions)
Provide current SOC 2 Type II and ISO 27001 certificates, dated within the last 12 months.
How are client funds segregated — on balance sheet, trust account, or central bank reserve?
Will you sign an audit access letter to our statutory auditor (Big Four or equivalent) within 10 business days of request?
Do you support a DORA-compliant ICT third-party agreement with named subcontractor disclosure?
Provide your BCP and last live failover test report.
What is the RTO and RPO you commit to under your master services agreement?
Section 7 — Pricing & SLAs (8 questions)
Pricing is where the RFP delivers visible savings. Asking three or more counterparties to bid the same line items typically compresses FX margins by 15–35 bps and SEPA/SWIFT fees by 20–50% versus the first quote.
Account opening fee, monthly maintenance, per-sub-account charge.
All-in FX margin for top 5 pairs at three notional bands (€100k, €1M, €10M).
SEPA, SEPA Instant, and SWIFT per-transaction cost, both originating and incoming.
Any monthly minimums or revenue floors?
Documented ticket response SLA by severity (P1 / P2 / P3) and after-hours coverage.
Settlement cutoff times per currency, and weekend / bank holiday coverage.
Interest paid on safeguarded balances (EMI client money), and the rate-setting mechanism.
Price-review schedule and price-rise notice period.
Section 8 — Exit & Continuity (5 questions)
The EBA has explicitly told supervised banks to stop wholesale de-risking of customer categories in its Guidelines on de-risking.[6] That said, individual account exits remain perfectly legal and the most common source of operational pain for crypto firms. Get the exit terms in writing before you sign.
What is your contractual notice period for unilateral account closure?
List the specific triggers that automatically initiate exit (e.g. SAR over X, change of control, regulator censure).
During run-off, which functions remain live (incoming-only, outgoing-only, FX)?
What data portability do you provide on exit (transaction history format, retention period)?
Will you provide a reference letter to a successor bank stating the relationship was not closed for AML reasons (where true)?
Sales-Pitch vs RFP-Driven Onboarding
Same shortlist, same firm, two different processes. The outcome diverges sharply on timeline, leverage, pricing, and the quality of the relationship that follows.
Sales-pitch onboarding vs RFP-driven onboarding — comparative outcomes on a 3–5 bank shortlist.
| Dimension | Sales-pitch approach | RFP-driven approach |
|---|---|---|
| Time to first signed term sheet | 12–16 weeks | 6–8 weeks |
| Leverage on pricing | None — bank's standard sheet | High — competing bids on same line items |
| FX margin outcome | Standard book rate | 15–35 bps tighter |
| SEPA / SWIFT per-tx fee | Standard | 20–50% lower |
| Exit terms | Bank's boilerplate, often 30-day notice | Negotiated 60–90 day notice with reference-letter clause |
| Visibility into bank's MLRO concerns | None until question lists arrive | Pre-empted in your RFP responses |
| Quality of post-signing relationship | Reactive, treated as risk | Structured, treated as institutional client |
Weighting Rubric by Firm Type
Sections are not equally important for every firm. A stablecoin issuer cares disproportionately about custody flow and audit; an MSB cares about transaction profile and pricing; a CASP cares about substance and exit. Use the table below as a starting point and adjust within ±5 points per section based on your specifics.
Section weighting by firm type (sum to 100). Adjust ±5 per section based on stage and volume.
| Section | CASP | EMI / PI | MSB | Stablecoin issuer |
|---|---|---|---|---|
| 1. Operational Fit | 10 | 20 | 15 | 10 |
| 2. Substance & AML Stack | 20 | 15 | 15 | 15 |
| 3. Transaction Profile | 10 | 15 | 25 | 10 |
| 4. Sanctions & Screening | 15 | 10 | 15 | 10 |
| 5. Custody Flow | 15 | 5 | 5 | 25 |
| 6. Audit & Assurance | 10 | 15 | 5 | 20 |
| 7. Pricing & SLAs | 10 | 15 | 15 | 5 |
| 8. Exit & Continuity | 10 | 5 | 5 | 5 |
The Scoring Rubric
Grade each of the 47 answers on a 0–5 scale. The rubric must be published inside the RFP so respondents calibrate to it.
5 — Best in class. Quantitative answer, evidence attached, exceeds the asked threshold. E.g. "SOC 2 Type II dated 4 months ago, attached, no exceptions."
4 — Meets standard. Quantitative answer with one minor gap. E.g. "SOC 2 Type II dated 11 months, attached."
3 — Adequate. Qualitative answer, no evidence, but plausible. "We hold SOC 2."
2 — Concerns. Vague answer, hedged, or partial. "We can discuss this on a call."
1 — Major gap. Non-answer or admission of absence. "Not currently in place."
0 — Disqualifying. Refusal to answer, evidence of non-compliance, or red-flag inconsistency with another answer.
Multiply the score by the section weight from the weighting rubric, sum across sections, and rank counterparties by the total. A counterparty with a composite score below 60 out of 100 should be eliminated regardless of the relationship. A counterparty scoring 0 on any single question should also be eliminated even if its total is high — the zero indicates either a hard gap or a refusal to engage at the right level.
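The scoring and elimination rules above, worked through in Python as an added example (not part of the original guide). It assumes each section's weight is scaled by the mean of that section's grades divided by 5, so a perfect response totals 100; the bank names and grades are constructed.

```python
# Added example: weights copied from the page's table; bank names and grades are constructed.
WEIGHTS = {  # sections 1..8, each row sums to 100
    "CASP": [10, 20, 10, 15, 15, 10, 10, 10],
    "EMI / PI": [20, 15, 15, 10, 5, 15, 15, 5],
    "MSB": [15, 15, 25, 15, 5, 5, 15, 5],
    "Stablecoin issuer": [10, 15, 10, 10, 25, 20, 5, 5],
}
QUESTIONS = [5, 7, 6, 5, 5, 6, 8, 5]  # questions per section, 47 in total
CUTOFF = 60.0  # composite floor stated on the page


def composite(grades, firm_type):
    """Return (total out of 100, elimination reason or None) for one respondent."""
    if [len(s) for s in grades] != QUESTIONS:
        raise ValueError("expected 8 sections with 5/7/6/5/5/6/8/5 answers")
    flat = [g for section in grades for g in section]
    if any(g not in (0, 1, 2, 3, 4, 5) for g in flat):
        raise ValueError("grades must be integers 0-5")
    # Assumption: section weight is scaled by (mean section grade / 5).
    total = round(sum(w * (sum(s) / len(s)) / 5
                      for w, s in zip(WEIGHTS[firm_type], grades)), 1)
    if 0 in flat:  # a single zero eliminates regardless of the total
        return total, "zero on a question"
    if total < CUTOFF:
        return total, "composite below 60"
    return total, None


def rank(responses, firm_type):
    """Split respondents into a ranked shortlist and an eliminated map."""
    scored = {name: composite(g, firm_type) for name, g in responses.items()}
    shortlist = sorted(((n, t) for n, (t, why) in scored.items() if why is None),
                       key=lambda item: item[1], reverse=True)
    eliminated = {n: (t, why) for n, (t, why) in scored.items() if why}
    return shortlist, eliminated


def uniform(grade):
    """Constructed response: the same grade on all 47 questions."""
    return [[grade] * n for n in QUESTIONS]


bank_b = uniform(5)
bank_b[5][0] = 0      # constructed: refused the first Section 6 question
bank_c = uniform(3)
bank_c[6] = [2] * 8   # constructed: vague on every Section 7 pricing item
SAMPLE = {"Bank A": uniform(4), "Bank B": bank_b, "Bank C": bank_c, "Bank D": uniform(5)}
```

Calling `rank(SAMPLE, "CASP")` shows Bank B dropping out on its single zero despite the second-highest total, which is the case the elimination rule exists for.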
Common RFP Mistakes
Six patterns kill more RFPs than any underlying problem with the firm itself. Avoid all six and the response rate from serious counterparties climbs above 80%.
Too long. 47 questions is the ceiling. Add a 48th and respondents triage — drop one and you weaken the rubric.
No deadline. A 21-day response window is standard. No deadline signals no buyer power.
Sent to too many counterparties. 3–5 is correct. More than 7 looks like a spray-and-pray and serious banks decline.
No rubric disclosed. Without the weighting matrix, respondents over-invest in the wrong sections.
Hiding your own profile. Forecast volumes, geographies, custodian, and licence status belong in the cover memo. Banks will not bid blind.
Treating the RFP as the final negotiation. It is the start. The winner is brought back for a second round on pricing and SLAs before signing.
FAQ
Should crypto firms use an RFP for bank selection?
Yes, if the firm has any meaningful operational profile (forecast volumes above €1M/month, a real licence, or multi-currency needs). Below that scale, an RFP is overkill and a structured shortlist call works. Above it, an RFP almost always pays for itself in the first 12 months through FX margin compression alone.
How many banks should an RFP go to?
Three to five. Fewer than three and you have no real comparison; more than seven and serious counterparties suspect a tender-stuffing exercise and decline to respond. Mix the shortlist across Tier-1 EU clearing banks, specialist crypto-native EMIs, and one BaaS sponsor bank to test the full range.
How long should the response window be?
21 calendar days is the market standard. Shorter and you exclude banks whose answers must clear a credit committee; longer and the urgency evaporates and responses drift to the bottom of someone's inbox.
Will banks actually respond to an RFP from a crypto firm?
The serious ones do — and at much higher rates than they respond to cold outreach. A well-structured 47-question RFP signals you understand the bank's diligence burden and have already done half the work. Response rates from properly shortlisted counterparties run at 75–90% in our experience, compared with sub-30% for unstructured pitches.
Can you reuse an RFP across jurisdictions?
The eight-section structure is portable. The specific questions in Sections 1, 4, and 5 need light localisation — currency rails, sanctions list mix, and custodian whitelisting all shift between the EU, UK, Singapore, and UAE. The weighting rubric and scoring scale stay the same.
Run our 47-question RFP on your shortlist. Finconduit drafts, sends, scores responses, and books the final negotiation. Book a free assessment.
What Banks Actually Evaluate When Onboarding a CASP: the inside-view rubric your RFP needs to pre-answer.
The Three-Bank Resilience Standard: why your RFP should always close at least two relationships, never one.
Cost of Banking a Regulated Crypto Firm 2026: the benchmark price book to calibrate your Section 7 scoring.
Time-to-Bank Benchmark 2026: realistic timelines that justify the 8-week target an RFP enables.
The 47-Question Banking RFP is a procurement tool, not a sales script. Treat it as such and the conversation with your shortlist banks changes character within a single cycle — from supplication to negotiation, and from a 16-week wait to an 8-week commitment with price leverage built in. Build the rubric once, refine it with every cycle, and your treasury function compounds its bargaining position with every renewal.