Accountability is shared, but not diffuse. Issuers may hold technical intervention capability, VASPs may hold customer and transaction visibility, and supervisors may set expectations for monitoring and reporting. The key is to assign who detects, who validates, and who can act when risk emerges outside the primary market.
Why This Matters for Security Teams
Secondary-market stablecoin activity creates a shared risk surface that is easy to misunderstand. The issuer may control reserve policy or contract-level intervention, while a VASP or exchange may see transaction patterns, customer behaviour, and concentration risk first. Supervisors, meanwhile, expect monitoring and reporting to be demonstrable, not implied. That means accountability has to be explicit across detection, validation, escalation, and action.
This is less about a single owner and more about whether the right party can observe the right signal at the right moment. Current guidance suggests that organisations should treat monitoring as a control chain, not a standalone obligation, and map it into operational governance just as they would any other financial crime or resilience process. The NIST Cybersecurity Framework 2.0 is useful here because it forces teams to define outcomes, accountability, and response paths rather than leaving monitoring as a vague compliance statement.
In practice, many teams discover gaps only after unusual secondary-market flows have already become a reporting issue, rather than through deliberate monitoring design.
How It Works in Practice
Operationally, accountability is usually divided into three functions: detect, validate, and act. Detection often sits with the party that has the best telemetry. For a VASP, that may mean wallet clustering, velocity checks, counterparty screening, and alerts for depegs, redemption stress, or abnormal transfer patterns. For an issuer, it may mean reserve monitoring, smart contract controls, market liquidity observation, and intervention readiness. Supervisors and compliance functions then decide whether the observed condition meets a threshold for escalation or disclosure.
A practical control model should define:
- which indicators are monitored continuously versus reviewed periodically
- who can corroborate whether a signal is market noise or emerging stress
- what evidence must be retained for auditability and supervisory review
- who has authority to freeze, pause, notify, or otherwise intervene
That structure maps well to NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where monitoring, incident handling, logging, and accountability need to be operationalised. It also helps distinguish routine market surveillance from event-driven escalation, which matters because secondary-market risk can emerge from liquidity fragmentation, redemption pressure, or concentrated holdings long before a formal breach occurs. For organisations with automated workflows, the control owner should also be able to explain how alerts are tuned, reviewed, and closed so that false positives do not crowd out genuine risk signals.
Where this guidance breaks down is in cross-border markets with fragmented venue visibility and no reliable access to uniform transaction data, because the entity that sees the signal may not be the entity that is allowed to act on it.
Common Variations and Edge Cases
Tighter monitoring often increases operational overhead, requiring organisations to balance earlier detection against data sharing limits, privacy constraints, and response latency. Best practice is evolving on whether issuers should monitor only token and reserve risk, or whether they also need visibility into downstream market behaviour that occurs outside their direct control.
There is no universal standard for this yet, but the practical distinction is clear: if the organisation cannot explain who owns each alert path, accountability is incomplete. In some structures, the issuer provides technical controls and market integrity safeguards, while the VASP handles customer-facing surveillance and suspicious activity escalation. In others, a regulated intermediary may perform the first-line monitoring and the issuer only receives threshold-based notifications. That division can be acceptable if documented, tested, and supervised.
The main edge cases appear when stablecoins are used across multiple venues, embedded in DeFi environments, or bridged through infrastructure that weakens traceability. In those settings, secondary-market risk can outpace the assumptions embedded in standard compliance playbooks, and the organisation may need stronger governance around data quality, escalation timing, and evidence retention. The accountability model should therefore be reviewed whenever the market structure changes, not just when a control fails.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM-01 | Risk ownership must be assigned across issuer, VASP, and supervisor functions. |
| NIST SP 800-53 Rev 5 | AU-2 | Secondary-market monitoring depends on logs and event records for accountability. |
Define named owners for detection, validation, escalation, and response in the risk governance model.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org