Subscribe to the Non-Human & AI Identity Journal

How do banks manage risk when using a third-party stablecoin issuer?

Banks need a defined shared-responsibility model that covers onboarding, custody, screening, incident notification, and ongoing due diligence. The key is not just the issuer’s controls, but the bank’s ability to monitor customers and respond when issuer operations change. Without that, dependency risk becomes governance risk.

Why This Matters for Security Teams

When a bank uses a third-party stablecoin issuer, the risk is not limited to the issuer’s balance sheet or reserve model. The bank also inherits operational dependency, identity and access exposure, screening gaps, and incident response timing. That makes the arrangement a shared-control problem, not a simple vendor checkbox. Current guidance suggests treating the issuer as a critical third party with explicit controls for onboarding, custody, monitoring, and offboarding.

This is especially important because third-party exposure is where NHI risk often becomes visible only after damage. NHI Mgmt Group’s Ultimate Guide to NHIs notes that 92% of organisations expose NHIs to third parties, which is directly relevant to banking dependencies that rely on external issuance, wallets, APIs, and attestation services. The same guide also shows why this matters operationally: most organisations do not have full visibility into service accounts, and many credentials remain valid long after a breach is known.

For banks, the key mistake is assuming issuer due diligence is enough. It is not enough if the bank cannot monitor transaction behaviour, revoke access quickly, or detect when issuer controls drift. In practice, many security teams encounter dependency risk only after an issuer outage, sanctions-screening failure, or compromise has already affected customer flows.

How It Works in Practice

Risk management starts with a written shared-responsibility model that separates what the issuer controls from what the bank must control. The bank should define who owns customer onboarding, wallet provisioning, reserve attestations, sanctions and fraud screening, incident notification, reconciliation, and termination rights. This aligns with the control logic in the NIST Cybersecurity Framework 2.0, especially governance, protect, detect, respond, and recover functions.

The bank should also require evidence, not assurances. That means periodic review of issuer security controls, audit rights, API security expectations, key management, and change notification for custody or redemption processes. The OWASP Non-Human Identity Top 10 is useful here because issuer integrations usually depend on machine credentials, service accounts, and API tokens that need rotation, least privilege, and revocation procedures.

  • Map each control to an owner, an escalation path, and a test cadence.
  • Require short-lived credentials and documented revocation for issuer-facing integrations.
  • Validate screening and monitoring obligations on both sides of the relationship.
  • Test incident notification timelines with tabletop exercises and production-like failover.
  • Confirm exit plans for wallet migration, customer repayment, and issuer replacement.

Banks should also monitor for dependency concentration: a single issuer outage, policy change, or reserve event can become a customer-impacting incident even when the bank’s internal systems are healthy. NHI Mgmt Group’s 52 NHI Breaches Analysis is a useful reminder that machine identity failures regularly show up as business disruption, not just technical misconfiguration. These controls tend to break down when the issuer’s APIs, wallet operations, and screening workflows are tightly coupled to the bank’s production payment paths because fault isolation becomes too weak to contain an incident.

Common Variations and Edge Cases

Tighter third-party controls often increase onboarding time, legal review, and operational overhead, so banks have to balance resilience against speed to market. That tradeoff becomes sharper when the stablecoin issuer also performs custody, settlement, and compliance screening, because the bank may have less practical leverage over each function.

Best practice is evolving, and there is no universal standard for this yet. Some banks will keep issuance exposure at arm’s length and rely on enhanced monitoring; others will insist on contractual audit rights, reserve transparency, and strict off-ramping triggers. The right answer depends on the bank’s risk appetite, customer profile, and jurisdictional obligations. For programs with high payment volume or cross-border use, the bank should treat issuer failure as a resilience scenario, not just a counterparty credit event.

Edge cases matter. A stablecoin issuer can be compliant at onboarding and still become unacceptable later if it changes custody providers, alters sanctions controls, or weakens its incident disclosure process. That is why operational due diligence must be continuous, not annual. For banks building a more formal control baseline, NHI Mgmt Group’s Ultimate Guide to NHIs helps frame how third-party identity, offboarding, and auditability connect to governance outcomes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.SC Third-party stablecoin risk is supplier governance and monitoring.
OWASP Non-Human Identity Top 10 NHI-03 Issuer integrations depend on machine credentials that must be rotated.
NIST SP 800-63 Identity assurance matters where banks rely on external onboarding and access.
NIST Zero Trust (SP 800-207) Zero trust helps limit issuer blast radius and continuous verification.
NIST AI RMF AI RMF-style governance applies to continuous oversight and accountability.

Verify identity proofing and authentication strength for any bank-to-issuer administrative access.