Subscribe to the Non-Human & AI Identity Journal

Who is accountable for stablecoin governance in a bank?

Accountability should be shared across compliance, treasury, technology, operations, and business ownership, but it must be explicitly assigned. The programme needs a named owner for policy, a named owner for technical execution, and a clear escalation path for exceptions. Without that structure, governance becomes reactive and difficult to evidence.

Why This Matters for Security Teams

Stablecoin governance in a bank is not just a policy question. It defines who can approve issuance, custody, redemption, reconciliation, exception handling, and incident escalation. If accountability is vague, control ownership fragments across finance, legal, technology, and operations, and gaps appear exactly where regulators expect evidence of oversight. A useful starting point is the governance structure in the NIST Cybersecurity Framework 2.0, which emphasises outcomes, accountability, and enterprise-wide risk ownership.

The practical issue is that stablecoin controls span both financial and technical domains. Treasury may own reserve management, compliance may own policy interpretation, technology may own wallet and key controls, and operations may own transaction processing. Business ownership still matters because someone must accept the product risk and decide when the programme should pause. The mistake many banks make is treating governance as a committee activity rather than a named accountability model with decision rights, escalation thresholds, and audit-ready evidence. In practice, many security teams encounter governance failures only after exceptions, reconciliations, or incident response have already become inconsistent.

How It Works in Practice

Effective governance starts with a clear operating model that separates policy ownership from control execution. One executive or committee should own the risk decision for the stablecoin programme, while named functional owners manage the day-to-day controls. That usually means treasury for reserve integrity, compliance for regulatory alignment, technology for platform security, operations for processing, and internal control functions for independent challenge. Banks should document who approves launches, who can change parameters, who signs off exceptions, and who receives incident notifications.

The control set should be mapped to established security and operational requirements. For example, access to issuance systems, wallets, signing services, and settlement tooling should align with least privilege and strong authentication expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls. Governance should also define control testing cadence, evidence retention, and reconciliation ownership so that reserve attestations, transaction logs, and exception approvals can be independently verified.

A practical bank governance model often includes:

  • A named policy owner who approves the control framework and risk appetite.
  • A named technical owner who manages wallets, keys, transaction controls, and access administration.
  • A named business owner who accepts product risk and approves material changes.
  • An escalation route for fraud events, sanctions concerns, reserve mismatches, and control failures.
  • A review cycle for board reporting, audit findings, and regulatory updates.

Where banks use outsourced infrastructure, the accountability model must still remain internal. Vendor contracts can assign tasks, but they do not replace bank ownership of control outcomes. These controls tend to break down when stablecoin operations are split across multiple product teams because no single function owns the end-to-end risk picture.

Common Variations and Edge Cases

Tighter governance often increases approval overhead, requiring banks to balance speed of innovation against control defensibility. That tradeoff becomes sharper when the stablecoin is used for client payments, cross-border settlement, or treasury optimisation, because each use case may attract different legal and operational constraints. Current guidance suggests that banks should not use a single generic owner for all scenarios if the risk profile differs materially.

There is no universal standard for this yet, but strong practice is to define governance by activity rather than by product name alone. Issuance, redemption, custody, reserve management, and incident response may each need distinct control owners even if they sit under one programme lead. If the stablecoin interacts with third-party custodians, payment networks, or external blockchain infrastructure, the accountability model must also include due diligence, monitoring, and contingency planning. For broader security posture and cross-functional risk management, the same operating discipline aligns well with the accountability outcomes in NIST cybersecurity guidance, including board reporting and continuous risk oversight.

Where the bank is operating in multiple jurisdictions, governance can fracture around local regulatory expectations, especially if finance, compliance, and technology teams interpret obligations differently. That is why the strongest models use a single accountable sponsor with delegated control owners, rather than a loose federation of stakeholders.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OC-01 Governance requires clear enterprise risk ownership and accountability.
NIST SP 800-53 Rev 5 AC-1 A stablecoin programme needs formal access and control policies.

Assign a named owner for the stablecoin programme and link it to enterprise risk oversight.