By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ChainalysisPublished March 11, 2026

TL;DR: Stablecoins accounted for 84% of all illicit virtual asset transaction volume by 2025, and the FATF now urges monitoring across issuance, circulation, redemption, and P2P wallet activity, according to Chainalysis’ summary of the March 2026 targeted report. That shifts compliance from on-ramps alone to the full asset lifecycle, where visibility and enforcement capabilities now matter as much as traditional intermediary controls.


At a glance

What this is: The FATF is pushing stablecoin compliance toward lifecycle-wide monitoring, with P2P and unhosted wallet activity now inside the risk perimeter.

Why it matters: For IAM and identity-adjacent practitioners, the lesson is that governance breaks down when high-risk transactions move outside controlled intermediaries and into opaque, wallet-based interactions.

By the numbers:

👉 Read Chainalysis’ analysis of FATF stablecoin lifecycle monitoring and secondary-market risk


Context

Stablecoin compliance is moving beyond the exchange boundary. The article argues that the FATF now expects jurisdictions, issuers, and VASPs to pay attention to the full lifecycle of a stablecoin, including peer-to-peer transfers through unhosted wallets where conventional intermediary controls are absent.

That matters because the governance model changes once transactions are no longer mediated by a regulated platform. The visibility problem is similar to other identity-adjacent control gaps in digital systems: if no accountable intermediary can observe, correlate, and act, risk moves faster than oversight.

For teams that already manage access, identity proofing, or privileged operations, the parallel is clear. Control must follow the asset and the actor relationship, not stop at the first trusted boundary.


Key questions

Q: What fails when stablecoin monitoring stops at the on-ramp?

A: Risk visibility collapses once assets move into P2P circulation or unhosted wallets, because no regulated intermediary is automatically in the transaction path. That leaves issuers, VASPs, and supervisors with incomplete provenance and slower intervention options. Effective control therefore requires lifecycle monitoring, not just exchange-based onboarding checks.

Q: Why do unhosted wallets complicate AML governance?

A: Unhosted wallets remove the usual identity and reporting anchor that regulated intermediaries provide. That makes counterparty attribution harder, weakens suspicious activity detection, and forces organisations to rely on transaction ancestry and enrichment instead of direct KYC data. The result is a governance problem, not merely a data problem.

Q: How should organisations decide when to freeze or restrict stablecoin activity?

A: They should define evidence thresholds before cases arise, including which on-chain patterns, off-chain indicators, and sanctions signals justify intervention. The decision should be tied to documented authority, legal review, and escalation paths so action is consistent, auditable, and defensible under supervision.

Q: Who is accountable for monitoring secondary-market stablecoin risk?

A: Accountability is shared, but not diffuse. Issuers may hold technical intervention capability, VASPs may hold customer and transaction visibility, and supervisors may set expectations for monitoring and reporting. The key is to assign who detects, who validates, and who can act when risk emerges outside the primary market.


Technical breakdown

Why stablecoin lifecycle monitoring changes the control model

Stablecoins are programmable assets, so governance can be embedded at the protocol level as well as through off-chain analytics. That combination creates a different compliance model from traditional payments: issuers can potentially freeze, burn, allow-list, or deny-list assets, while VASPs and investigators use transaction history to assess counterparty risk. The key technical shift is that risk analysis now spans issuance, circulation, and redemption, not just the point where crypto meets fiat. This turns the stablecoin itself into a governed object whose movement and policy state can be observed across the network.

Practical implication: Treat stablecoin lifecycle data as a control surface, not a reporting afterthought, and map where technical enforcement is actually possible.

What multi-hop analysis reveals about unhosted wallet exposure

Multi-hop analysis traces funds through several prior transactions to identify whether an address is linked to sanctioned, stolen, or otherwise high-risk activity. In practice, this is how analytics tools move beyond a single wallet snapshot and build a risk narrative from network behavior. The challenge is that unhosted wallets remove the predictable identity layer found in regulated onboarding, so counterparties may be invisible at the transaction edge. That makes enrichment, clustering, and behavioural correlation essential for secondary market monitoring.

Practical implication: Build workflows that evaluate counterparties through transaction ancestry, not just direct sender and receiver fields.

Why issuer-side freeze and deny-list functions are now part of AML design

The FATF’s direction points toward issuers retaining the technical ability to intervene when illicit use is detected in circulation. In a programmable asset model, that means policy enforcement may happen after issuance and before redemption, based on on-chain evidence and off-chain investigation. This is analogous to stronger identity governance in other domains: the system must be able to revoke or constrain access after trust has already been granted. The deeper point is that compliance and engineering are converging at the protocol layer.

Practical implication: If your operating model cannot revoke or constrain high-risk activity after distribution, the control design is incomplete.


Threat narrative

Attacker objective: The attacker seeks to obscure transaction provenance long enough to move illicit value through the stablecoin ecosystem and convert it at a lower-risk exit point.

  1. Entry occurs when illicit actors move stablecoins through peer-to-peer transfers or unhosted wallets outside regulated intermediaries.
  2. Escalation happens as funds are layered through multiple hops, making provenance harder to reconstruct and risk harder to attribute.
  3. Impact occurs when the assets reach cash-out points, sanctioned destinations, or other destinations where enforcement and recovery become more difficult.

NHI Mgmt Group analysis

Stablecoin governance is becoming lifecycle governance. The FATF framing makes clear that control cannot stop at issuance or exchange onboarding. Once assets circulate peer to peer, the governance problem shifts to visibility, enforcement, and counterparty risk correlation across the full transaction graph. Practitioners should therefore assess whether their compliance model can follow the asset after it leaves a regulated boundary.

Secondary market monitoring creates a new visibility trust gap. The article highlights a class of transactions where no single regulated entity is naturally responsible for detection or reporting. That is a structural gap, not a tooling issue, because risk sits in the handoff between wallet holders, analytics, and issuer intervention. Practitioners should treat unhosted wallet activity as a governance boundary that must be explicitly instrumented.

Programmable money introduces programmable compliance debt. The more stablecoins are expected to support freeze, burn, allow-list, and deny-list actions, the more issuers inherit identity-like governance obligations over asset movement. That creates operational expectations around evidence quality, policy thresholds, and escalation authority. Practitioners should align protocol capabilities with documented decision rights before regulators force the issue.

Stablecoin lifecycle monitoring is now a cross-functional control problem. Compliance teams, investigators, platform engineers, and supervisors all need a shared operating model for what constitutes high-risk activity and who can act on it. The article signals that analytics is becoming the connective tissue between detection and enforcement, not a standalone reporting layer. Practitioners should design for shared evidence, shared thresholds, and shared action paths.

Counterparty transparency is the new AML constraint. Where identity is obscured by unhosted wallets, organizations lose the same kind of attribution they rely on in IAM and fraud workflows. That does not eliminate accountability, but it does require stronger enrichment and a documented risk posture for unknown counterparties. Practitioners should assume that visibility gaps will become a supervisory issue, not just an internal control weakness.

What this signals

Counterparty transparency will become a practical control benchmark. The more stablecoin activity shifts into unhosted and peer-to-peer channels, the more supervisors will expect firms to explain how they identify and prioritise unknown counterparties. That pressure mirrors broader identity governance trends, where visibility without action is no longer considered adequate. Teams should expect reporting to move from volume tracking toward evidence-backed intervention readiness.

Lifecycle control is becoming the real maturity test. Organisations that can only monitor primary transactions will look underpowered against a market where risk accumulates in circulation and secondary transfer paths. The same lesson appears in identity and secrets governance: once controls lag behind actual movement, remediation becomes reactive. Practitioners should prepare for assurance questions that focus on how far control extends, not whether monitoring exists.

Visibility gaps will force stronger evidence handling. As noted in our research on secrets management, remediation often lags discovery, which is a warning sign for any control model that depends on fast escalation after detection. Stablecoin programmes will face the same challenge if investigation, validation, and intervention are split across too many teams. A mature programme will shorten the time from alert to action and prove who can intervene.


For practitioners

  • Define the stablecoin lifecycle control boundary Map which risks you can observe at issuance, circulation, redemption, and peer-to-peer transfer, then assign control owners for each phase. Use that map to distinguish monitoring obligations from actual enforcement authority.
  • Operationalise multi-hop counterparty analysis Require transaction ancestry checks for transfers involving unhosted wallets or high-risk destinations, and document how far back your analytics must look before an alert is considered actionable.
  • Pre-authorise issuer intervention paths Document the approval chain for freeze, burn, allow-list, or deny-list actions before suspicious activity is detected, including evidence thresholds and legal escalation criteria.
  • Align AML monitoring with identity governance Treat counterparties as risk-bearing identities, even when they are not formally onboarded, and integrate wallet intelligence into fraud, sanctions, and investigation workflows.

Key takeaways

  • Stablecoin compliance is shifting from exchange monitoring to lifecycle governance, including peer-to-peer activity and unhosted wallets.
  • The FATF’s direction reflects a broader control reality: visibility gaps become enforcement gaps when no intermediary can observe or act.
  • Practitioners should define evidence thresholds, intervention authority, and transaction ancestry workflows before regulators make them mandatory.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Lifecycle monitoring depends on continuous access and counterparty control decisions.
NIST SP 800-53 Rev 5AU-6Secondary-market oversight relies on analysis and response to audit evidence and anomalies.
NIST AI RMFGOVERNGovernance is central because stablecoin intervention requires clear accountability and decision rights.
GDPRArt.32Where wallet intelligence links to personal data, security of processing and access control become relevant.

Use Art.32 to ensure wallet-linked personal data is protected, minimised, and accessed only on need-to-know basis.


Key terms

  • Stablecoin Lifecycle Monitoring: Monitoring stablecoin activity across issuance, circulation, transfer, and redemption rather than only on- and off-ramps. In practice, it combines blockchain analytics, risk scoring, and intervention logic so compliance teams can track exposure even when no single intermediary owns the full transaction path.
  • Unhosted Wallet: A wallet that is controlled by the user rather than by a custodian or exchange. In governance terms, the organisation cannot rely on an intermediary's identity controls and must instead verify wallet control directly before permitting regulated transfers.
  • Multi-hop Analysis: A tracing method that looks backwards through several prior transactions to assess provenance and exposure. It helps investigators identify layering, linked addresses, and risk clusters when direct counterparties do not provide enough context on their own.
  • Issuer Intervention Capability: The technical ability of a stablecoin issuer to freeze, burn, deny-list, or otherwise restrict asset movement. In governance terms, it is the point where policy becomes enforceable, making documentation, evidence thresholds, and authority boundaries essential.

What's in the full report

Chainalysis' full article covers the operational detail this post intentionally leaves for the source:

  • The report’s discussion of FATF paragraphs 62 and 64, including technical expectations for freeze and burn capabilities.
  • The practical use of blockchain analytics for counterparty risk scoring, multi-hop tracing, and real-time exposure analysis.
  • The supervisory use cases for benchmarking concentration, wallet balances, and transaction flows across stablecoin ecosystems.
  • The distinction between risk-based monitoring and hard transaction caps in secondary-market compliance design.

👉 The full Chainalysis article covers issuer controls, VASP obligations, and secondary-market analytics in more detail.

Deepen your knowledge

NHI Mgmt Group’s NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners build the control thinking needed for identity-linked risk across modern security programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org