Stablecoin Issuers as Financial Gatekeepers: A Second Line Perspective
Executive Summary
- Stablecoin issuers operate within broadly familiar financial crime frameworks. The core obligations (including CDD, sanctions screening, transaction monitoring, reporting) do not disappear in a crypto-native environment.
- What changes is the nature of the information available. On-chain transparency provides deeper transactional visibility, but attribution remains uncertain and needs to be treated carefully.
- The Travel Rule requires regulated entities to transmit originator and beneficiary information, and firms often rely on blockchain analytics to interpret on-chain activity. In practice, the value of both depends on counterparty compliance, data coverage, and how they are governed.
- Financial crime exposure in a stablecoin model does not sit only at wallet level. It arises across counterparties, infrastructure, and ecosystem concentration. The primary risk is not technological complexity, but governance failure - including unclear ownership of models, weak calibration, or inadequate escalation.
- The real task for the second line is not to replicate analytics, but to ensure that the firm understands its exposure, owns its assumptions, and can defend its decisions.
Stablecoin Issuers as Financial Gatekeepers
Compliance at a stablecoin issuer is complex. Rather than onboarding merchants, the issuer is effectively controlling access to a monetary system, and this means having robust reliance relationships with organisations (such as cryptocurrency exchanges, custodians, and payment service providers) who onboard underlying customers.
While there are parallels with the approach taken by traditional financial institutions who occupy a similar role as infrastructure gatekeepers (such as card networks and correspondent banks) there are crypto-specific nuances which must be factored into the approach.
This piece explores what is similar, what is different, and the compliance challenges presented by this context. It discusses why on-chain exposure matters to a stablecoin issuer, and how its second line of defence (second line) team can go about managing these risks.
What Does Not Change
Major fiat-backed stablecoin issuers in regulated markets operate within established financial services frameworks, and are expected to meet many of the same core standards as traditional institutions. These include customer due diligence (CDD), sanctions and PEP screening, transaction monitoring, and suspicious activity reporting. Although implementation differs by jurisdiction, the underlying regulatory expectations remain familiar.
In common with card networks and correspondent banks, stablecoin issuers onboard corporate customers who conduct their own financial crime compliance on the underlying customers. This avoids unnecessary duplication and customer friction, while allowing the issuer to operate at infrastructure level.
This reliance does not transfer accountability. The stablecoin issuer remains responsible for ensuring that the counterparty's controls are effective, and must retain appropriate oversight, audit rights, and access to underlying compliance evidence where required.
What Changes in an On-Chain Environment
On-chain assets present both opportunities and risks to the compliance professional.
Transparency
Public blockchains provide a transparent record of wallet activity, creating opportunities to analyse prior flows and potential layering in a way that is not always possible in traditional finance.
Travel Rule Obligations
The Travel Rule, required under the FATF Recommendations (in particular Recommendation 16), reinforces this transparency by requiring virtual asset service providers to transmit originator and beneficiary information alongside certain transfers. While the concept mirrors information sharing in correspondent banking, implementation is more uneven. Regulatory standards differ across jurisdictions, some service providers operate in lightly regulated environments, and transfers to unhosted wallets fall outside institutional information-sharing frameworks. As a result, the effectiveness of the Travel Rule depends on counterparty compliance and the maturity of the supervising body.
However, there are also drawbacks.
Structural Limitations
Despite its transparency, on-chain data can create false confidence if its limits are not acknowledged. Fiat on- and off-ramps reintroduce opacity, while mixers and cross-chain bridges can fragment visibility and complicate attribution. Combined with the speed and 24/7 nature of token transfers, value can move across jurisdictions faster than traditional monitoring cycles detect.
Interpreting Risk Signals
Crypto-specific data needs careful interpretation. Proximity to a sanctioned wallet or frequent bridge usage may indicate risk, but neither is a conclusion in itself. Analysts must understand both native transfers (such as ETH) and token transfers (such as ERC-20 assets like USDC) to avoid overlooking important details about how value is being transferred.
Attribution and Vendor Reliance
Transaction data is publicly available, but this does not mean it reliably provides attribution of wallet ownership. Blockchain explorers (such as Etherscan) show a wallet's activity but rarely confirm who controls it. As a result, firms often rely on third-party analytics providers (such as Chainalysis) to add colour to this analysis. Second line oversight must scrutinise vendor methodology, coverage gaps, and update cycles, as reliance on these tools does not transfer accountability away from the regulated firm.
These are not abstract technical points. They shape how risk actually affects the firm.
Why This Matters
The compliance risks faced by stablecoin issuers arise across several dimensions.
- Direct wallet exposure: interaction with sanctioned or high-risk actors.
- Ecosystem exposure: reliance on exchanges or partners with weak controls.
- Infrastructure exposure: dependency on bridges or custodians with governance weaknesses.
These are ultimately governance questions. Who is responsible for identifying these risks, how quickly they are escalated, and how clearly they are reported internally, will collectively determine whether they remain manageable issues or develop into regulatory or reputational incidents.
Applying financial crime requirements becomes more complex where regulatory frameworks are immature, where VASPs operate across multiple jurisdictions with inconsistent standards, or where the stablecoin is integrated into novel DeFi structures whose risks are still evolving in practice.
The consequences of non-compliance can be material:
- Loss of public trust in the stablecoin could prompt redemptions, reducing circulating supply and directly affecting revenue derived from reserve yield, while weakening the coin's role as widely used financial infrastructure.
- Regulatory scrutiny could result in restrictions on issuance or transfer activity, threaten banking relationships, and expose senior management to civil or criminal consequences. For a stablecoin issuer, such intervention would strike at the core of the business model.
For these reasons, second line teams must manage these risks proportionately, and balance commercial realities with clear regulatory expectations.
Governing On-Chain Exposure
Counterparty Risk Assessments
The second line should ensure that it truly understands the risks that a counterparty poses at onboarding, by designing assessments that appropriately identify and weigh different risk factors against the actual risks faced by the firm. In addition to standard AML questions (including around how the counterparty is governed, whether there are any financial crime risks associated with the owners, and how they comply with sanctions rules), the assessment should cover risks specific to the stablecoin sector, including:
- Where and how a VASP is licensed;
- How the counterparty engages with regulators and local regulations;
- The counterparty's approach to complying with Travel Rule requirements;
- How it approaches blockchain analytics; and
- The extent to which its custody architecture keeps funds safe.
Although the content of this assessment will be crypto-specific, many regulatory expectations from traditional financial services will continue to apply. This includes a responsibility for the firm's second line team to ensure that the assessment is calibrated to properly assess the firm's risks (such as regular tuning and testing to ensure it works in real scenarios), and to ensure that there is clear governance around how calibration decisions are made.
This includes clarity over who owns the model, how risk weightings are set, how frequently they are reviewed, and how threshold changes are approved. Without defined ownership, calibration becomes informal and difficult to defend under regulatory scrutiny.
To illustrate this, I have created a tool to assess these specific forms of onboarding risk: Counterparty Risk Explorer
Wallet Exposure Analysis
Where required, the second line may analyse the on-chain data associated with specific wallets and assess the degree to which a wallet poses a financial crime risk to the firm. This involves exploring and balancing the rich tapestry of on-chain transaction information to build a defensible picture of a wallet's risk. This includes:
- The wallet's proximity to sanctioned wallets or other wallets of heightened risk (such as mixers or darknet markets). What does the number and timing of high risk interactions tell us about the overall risk of the wallet?
- How many other wallets the wallet has interacted with. Transfers to a concentrated cluster of wallets raise the risk that these flows are illicit.
- How rapidly funds are moving in and out of the wallet. Higher velocity transactions raise the risk of layering.
- The proportion of the wallet activity involving interactions with stablecoins or bridges.
These signals are indicators, rather than conclusions, and they require analysis in context by the second line.
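The indicators listed above can be computed from a transfer list, as in the following added example (not the author's Wallet Exposure Explorer). The wallet names, labels, transfers, and the one-hour velocity window are all constructed assumptions, and the output is a set of raw indicators for analyst review rather than a score.

```python
from collections import defaultdict, deque

# Constructed sample data: (unix_time, sender, recipient, amount, asset). Not real wallets.
TRANSFERS = [
    (1000, "w_exch", "w_subject", 500.0, "USDC"),
    (1600, "w_subject", "w_bridge", 480.0, "USDC"),
    (5000, "w_a", "w_subject", 2.0, "ETH"),
    (90000, "w_subject", "w_b", 1.5, "ETH"),
    (95000, "w_b", "w_mixer", 1.5, "ETH"),
    (99000, "w_mixer", "w_sanctioned", 1.4, "ETH"),
]
# Hypothetical labels; in practice these come from vendor attribution and carry uncertainty.
FLAGGED = {"w_sanctioned", "w_mixer"}
BRIDGES = {"w_bridge"}

def hops_to_flagged(wallet, transfers, flagged, max_hops=4):
    """Shortest hop distance from wallet to any flagged wallet (None if beyond max_hops)."""
    graph = defaultdict(set)
    for _, src, dst, _, _ in transfers:
        graph[src].add(dst)
        graph[dst].add(src)
    seen, queue = {wallet}, deque([(wallet, 0)])
    while queue:
        node, dist = queue.popleft()
        if node in flagged:
            return dist
        if dist < max_hops:
            for nxt in graph[node] - seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def wallet_indicators(wallet, transfers, flagged, bridges, window=3600):
    """Return raw indicators for analyst review; deliberately not a single score."""
    inbound = [t for t in transfers if t[2] == wallet]
    outbound = [t for t in transfers if t[1] == wallet]
    touching = inbound + outbound
    counterparties = {t[1] if t[2] == wallet else t[2] for t in touching}
    # Velocity: share of inbound transfers followed by an outbound within `window` seconds.
    rapid = sum(any(0 <= o[0] - i[0] <= window for o in outbound) for i in inbound)
    bridge_hits = sum(1 for t in touching if {t[1], t[2]} & bridges)
    return {
        "hops_to_flagged": hops_to_flagged(wallet, transfers, flagged),
        "distinct_counterparties": len(counterparties),
        "rapid_passthrough_share": rapid / len(inbound) if inbound else 0.0,
        "bridge_share": bridge_hits / len(touching) if touching else 0.0,
        "assets_seen": sorted({t[4] for t in touching}),  # native and token transfers
    }
```

Because the labels feeding `FLAGGED` and `BRIDGES` are themselves uncertain attributions, a hop count of 2 here is a prompt for review in context, not a finding.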
Where material exposure is identified, there must be clear escalation pathways. Senior management (and, where appropriate, the board) should have visibility of significant sanctions proximity, concentration risk, or wider ecosystem exposure.
I have illustrated two examples of wallet exposure analysis in this tool: Wallet Exposure Explorer
Institutional Control Environment
Stablecoin issuers do not operate in isolation - they are subject to the laws, regulations, and expectations of the wider financial services sector. These are harder to quantify, but are essential for good, defensible decision-making. These include:
- Being clear, concise, and transparent about the risks faced by the firm. This includes creating clear audit trails and documenting the limitations of its risk management methods and technologies, so that the firm can transparently assess their effectiveness in managing financial crime risks to the firm.
- Taking a genuinely risk-based approach. There are often legitimate reasons for activities that generate escalations or raise the risk profile of a subject. The art of second line oversight is putting these signals in context, and stitching them together into a clear, defensible narrative about what is going on, why this matters, and what the second line advises the firm to do to manage this risk.
- Proactively building and maintaining bridges with the wider organisation. Financial crime teams do not operate in a silo, and compliance is always more effective when there is buy-in throughout the organisation.
Stablecoin compliance is not fundamentally different from traditional financial crime oversight. What differs is the data environment and the speed at which exposure propagates. The role of the second line is to ensure that these differences are understood, bounded, and governed with clarity.