TL;DR: Stablecoins have moved into production-grade financial infrastructure for settlement, payments, and liquidity, and the GENIUS Act has increased legal clarity for banks weighing issuance, partnership, or integration paths, according to Chainalysis. The governance problem is no longer whether stablecoins matter, but which operating model best fits regulatory posture, operational control, and risk tolerance.
At a glance
What this is: Chainalysis argues that banks now have three viable stablecoin operating models: issue, partner, or integrate, each with different control, compliance, and speed trade-offs.
Why it matters: This matters because identity, access, compliance, and transaction governance must align with the operating model banks choose for stablecoin participation.
👉 Read Chainalysis' framework for bank stablecoin operating models
Context
Stablecoin adoption is no longer an experimental topic for financial institutions. Banks are now deciding how to fit programmable settlement into existing controls, with the main tension sitting between speed to market, regulatory oversight, and operational ownership.
For identity, risk, and compliance teams, the practical question is how control boundaries change across issuer, partner, and integration models. That affects not only payments governance, but also account lifecycle management, counterparty oversight, and transaction monitoring across internal and external actors.
Key questions
Q: How should banks choose between issuing, partnering, or integrating stablecoins?
A: Banks should choose the model that best matches their control requirements, regulatory posture, and implementation capacity. Issuing offers the most control but also the heaviest operational burden. Partnering reduces time to market while preserving some compliance leverage. Integrating public stablecoins is fastest, but it shifts the bank toward monitoring and access governance rather than monetary control.
Q: What breaks when a bank treats stablecoin adoption as a simple product decision?
A: The bank can under-assign responsibility for reserves, transaction screening, customer onboarding, and operational monitoring. That creates governance gaps between finance, compliance, and technology teams, especially when a third party controls the token. Stablecoin adoption only works when the operating model is mapped to clear control ownership.
Q: How do banks manage risk when using a third-party stablecoin issuer?
A: Banks need a defined shared-responsibility model that covers onboarding, custody, screening, incident notification, and ongoing due diligence. The key is not just the issuer's controls, but the bank's ability to monitor customers and respond when issuer operations change. Without that, dependency risk becomes governance risk.
Q: Who is accountable for compliance when stablecoins move through banking workflows?
A: The bank remains accountable for the parts of the workflow it controls, including onboarding, screening, and customer-facing payment operations. If a third party issues the stablecoin, that party owns token mechanics and reserve administration, but the bank still needs oversight of how customers access and use the service. Accountability follows control, not brand ownership.
Technical breakdown
Issuance model: where the bank owns the control plane
When a bank issues its own stablecoin, it owns the token economics, reserve management, mint and burn workflow, distribution, and operational controls. That creates the highest degree of governance control, but it also concentrates responsibility across smart-contract security, reserve integrity, custody design, and access control for the systems that move money. The stablecoin is effectively a bank-operated settlement rail, so failures in entitlement design or key management become balance-sheet and trust issues, not just technical defects.
Practical implication: Map issuer-side controls to reserve governance, privileged access, and cryptographic key protection before treating issuance as a product decision.
Partner model: shared controls create shared accountability
In a partner model, the issuer controls the token mechanics while the bank controls customer onboarding, custody workflows, and distribution. That split can accelerate delivery, but it also creates a two-party governance boundary where responsibilities can blur during incidents, compliance reviews, or policy changes. The bank remains accountable for how customer activity is accepted and monitored, even if it does not control the token itself.
Practical implication: Document control ownership explicitly across onboarding, wallet screening, and monitoring so shared responsibility does not become shared ambiguity.
Integration model: public stablecoins shift the risk to monitoring
Integrating public stablecoins leaves the bank outside token issuance and reserve governance, but still inside the risk path for payments, screening, and transaction oversight. The operational challenge is not minting or custody, but ensuring that customer activity, counterparties, and transaction flows are visible enough for compliance and fraud controls. In this model, the bank becomes an on-ramp and control point rather than the issuer of value.
Practical implication: Prioritise real-time screening, transaction policy controls, and exception handling before exposing public stablecoin rails to customers.
NHI Mgmt Group analysis
Stablecoin governance is now an operating model problem, not a product-choice problem. The article makes clear that issuance, partnership, and integration each shift control, liability, and operational complexity in different ways. That means banks need governance designed around who owns reserve integrity, who owns transaction controls, and who owns customer risk handling. The practitioner conclusion is that model selection should be made through control mapping, not market enthusiasm.
The most important risk boundary is the split between token control and customer control. In partner and integration models, the bank may not own the asset mechanics, but it still owns onboarding, monitoring, and policy enforcement. That is structurally similar to identity governance in distributed environments, where one party operates the infrastructure and another party remains accountable for access decisions. The practitioner conclusion is that responsibility matrices must be explicit before launch.
Stablecoin adoption will push more financial control decisions into operational teams. The article notes that speed-to-market, regulatory posture, and infrastructure readiness shape the path a bank chooses. That mirrors a broader governance trend in which platform, payments, and risk teams increasingly arbitrate operational access and control decisions. The practitioner conclusion is to align treasury, payments, and security governance before scaling any digital settlement rail.
Programmable money increases the need for lifecycle thinking across access, counterparties, and workflows. The article's three-path framework is really about how control lifecycles differ when a bank issues, partners, or integrates. This is where identity governance intersects with payments governance, because the bank still needs to know who can initiate, approve, and monitor value movement. The practitioner conclusion is to treat stablecoin operating models as lifecycle governance programmes, not one-time integrations.
What this signals
Stablecoin programmes will increasingly be judged on whether control ownership is explicit enough to survive operational stress. Banks that cannot separate issuer responsibilities from customer-facing obligations will struggle to scale beyond pilot use cases.
Control-boundary governance: stablecoin adoption exposes the same problem seen in complex identity programmes, where one team runs the platform and another team remains accountable for outcomes. The practical response is to define who can initiate, approve, monitor, and revoke every material flow before the bank expands usage.
Banks should expect payments, treasury, compliance, and security teams to converge on a shared operating model. The most durable programmes will be those that build auditability and monitoring into the control plane early, not after the first cross-border or settlement incident.
For practitioners
- Map control ownership across the three operating models Define who owns reserve controls, token mechanics, customer onboarding, screening, and exception handling for issue, partner, and integrate scenarios. Use a control matrix so compliance, treasury, and security teams can see where accountability starts and stops.
- Separate issuer risk from customer risk Build distinct governance paths for token integrity, transaction monitoring, and customer-facing payment workflows. This prevents a third-party issuer problem from being mistaken for a bank-side access or onboarding problem.
- Review privileged access to settlement and reserve systems Limit administrative access to reserve management, mint and burn functions, and payment orchestration systems. Apply strong approval workflows, logging, and periodic entitlement review to the systems that can directly move value.
- Design monitoring for cross-party dependencies If partnering, require visibility into issuer operations, incident notification timelines, and change management events that could affect bank customers. Treat issuer monitoring as a standing governance input, not an occasional review item.
Key takeaways
- Stablecoin strategy for banks is now a governance choice about control boundaries, not just a question of market entry.
- The issue, partner, and integrate models each move responsibility differently across reserves, customer workflows, and transaction monitoring.
- Banks that define control ownership early will be better positioned to scale stablecoin use without creating avoidable compliance and operational gaps.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access control and governance matter where bank teams operate stablecoin workflows. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central to reserve and settlement system access. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy supports governance of shared stablecoin operating models. |
Apply AC-6 to restrict privileged access to mint, burn, reserve, and payment orchestration functions.
Key terms
- Stablecoin Operating Model: The governance and control structure a bank uses to participate in stablecoin activity. It defines whether the institution issues, partners on, or integrates public stablecoins, and determines who owns reserves, monitoring, customer onboarding, and operational accountability.
- Shared Responsibility Model: A shared responsibility model divides security duties between the cloud provider and the customer. For NHI governance, the provider supplies the platform controls, but the organisation still owns configuration, privilege review, secret handling, monitoring, and lifecycle management of its identities.
- Reserve Management: The process of controlling the fiat backing, custody, and reconciliation of a stablecoin. It is a critical governance function because errors or privileged-access failures in reserve handling can create direct financial, regulatory, and trust exposure.
What's in the full article
Chainalysis' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step comparison of the issue, partner, and integrate operating models for bank decision-makers
- Practical breakdown of compliance, reserve management, and operational ownership by deployment path
- Implementation considerations for onboarding, custody, and payment workflows across stablecoin models
- Chainalysis' own view of how its monitoring capabilities map to each operating model
Deepen your knowledge
NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course. Explore nhimg.org for resources that connect identity governance to the broader security disciplines your programme depends on.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org