Accountability sits with the VASP and its compliance and identity governance functions, because they define the policy, the approved proof methods, and the transaction gate. Regulators expect firms to show that their verification model is risk-based, documented, and consistently enforced across jurisdictions.
Why This Matters for Security Teams
Unhosted wallet verification is not just a technical check. It is a control decision that can determine whether value moves, whether sanctions exposure is blocked, and whether an institution can prove it applied risk-based governance. In practice, accountability cannot sit with the wallet owner alone because the VASP defines the policy, the evidence standard, and the transaction outcome. That makes the decision part of identity governance, not a front-end convenience step.
Security and compliance teams also need traceability. The control must be defensible across jurisdictions, aligned to documented procedures, and auditable after the fact. The NIST Cybersecurity Framework 2.0 reinforces that governance and risk ownership are management responsibilities, not ad hoc operational judgments. For the identity side of the problem, the Ultimate Guide to NHIs highlights how weak governance and poor visibility create systemic control gaps across identity-driven workflows. In practice, many security teams discover this only after a failed review, a blocked payout, or a regulator asking why the same wallet passed one day and failed the next.
How It Works in Practice
Accountability usually sits with the VASP’s compliance function, but the decision process is shared across compliance, identity governance, fraud, and operations. The key is that the organisation must own the policy end to end: what evidence is accepted, how risk is scored, who can override a decision, and how results are logged. Regulators do not expect every case to be identical; they expect the model to be documented and consistently enforced.
Operationally, the control should work like this:
- Policy defines when unhosted wallet verification is required, and which risk factors trigger enhanced checks.
- Identity governance validates the proof method, such as ownership attestation, signed message challenge, or equivalent evidence.
- Compliance approves or rejects based on policy, not on informal analyst judgment.
- Transaction monitoring gates the transfer until verification is complete or a documented exception is applied.
- All decisions are recorded for audit, including who approved, what evidence was used, and why the outcome was reached.
This is similar to other identity assurance problems where the organisation must own the trust decision, not merely collect a signal. The governance lesson from the Ultimate Guide to NHIs is that visibility, lifecycle control, and revocation discipline matter when an identity can initiate a high-risk action. Current guidance suggests the best models combine risk-based policy, auditable approval paths, and evidence retention that can survive cross-border review. These controls tend to break down when verification is outsourced without clear decision ownership, because the firm can no longer prove it controlled the actual gate.
Common Variations and Edge Cases
Tighter verification often increases operational friction, requiring organisations to balance transaction speed against defensibility and customer experience. That tradeoff becomes sharper when firms support multiple jurisdictions, because local expectations for proof, retention, and escalation may differ.
There is no universal standard for this yet. Some firms centralise accountability in compliance, while others split execution across fraud and identity teams under a single policy owner. What matters is that accountability remains explicit: one function owns the policy, one function owns the exception process, and one function can demonstrate that decisions were applied consistently. Best practice is evolving around risk-tiered verification, where lower-risk transfers use lighter evidence and higher-risk cases trigger stronger proof and manual review.
Edge cases also matter. Custodial wallets, regulated counterparties, and repeated trusted transfers may justify different proof thresholds than first-time wallets or high-value withdrawals. The policy should also define how disputes are handled when a wallet owner cannot complete the preferred verification method. If the organisation cannot explain why a particular proof was accepted, rejected, or overridden, the control is too weak for regulatory scrutiny. The NIST Cybersecurity Framework 2.0 is useful here because it reinforces accountable, repeatable governance rather than one-off judgment.
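The following Go program is an added example, not code from this page or from NHI Mgmt Group. It puts the operational steps listed under "How It Works in Practice" and the risk-tiered thresholds and edge cases discussed above into one small control: a policy owns the tiering rules, a signed challenge proves wallet ownership, the gate holds the transfer until policy is satisfied (high-tier cases additionally need a named compliance approver), and every decision lands in an audit record with the evidence, the approver and the reason. Everything here is constructed for illustration: the tier names, the amount thresholds, the challenge lifetime, the record field names, and the simplification that the wallet identifier is the hex-encoded ed25519 public key (real chains derive addresses from keys differently).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"time"
)

// RiskTier is the evidence tier a transfer falls into (this example's own labels).
type RiskTier string

const (
	TierLow      RiskTier = "low"      // trusted wallet, small amount: attestation on file suffices
	TierStandard RiskTier = "standard" // fresh signed challenge required
	TierHigh     RiskTier = "high"     // signed challenge plus a named compliance approver
)

// Policy is the rule set the organisation owns end to end. All values are sample settings.
type Policy struct {
	StandardThreshold float64
	HighThreshold     float64
	ChallengeMaxAge   time.Duration
	TrustedWallets    map[string]bool // wallets with a verified prior history
}

// Tier classifies a transfer; a first-time wallet never qualifies for the light tier.
func (p Policy) Tier(wallet string, amount float64) RiskTier {
	switch {
	case amount >= p.HighThreshold:
		return TierHigh
	case amount >= p.StandardThreshold || !p.TrustedWallets[wallet]:
		return TierStandard
	default:
		return TierLow
	}
}

// Challenge is the message the owner signs to prove control of the wallet key.
// Binding the wallet id and a random nonce stops an old signature being replayed.
type Challenge struct {
	Wallet string
	Nonce  string
	Issued time.Time
}

func NewChallenge(wallet string) (Challenge, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{Wallet: wallet, Nonce: hex.EncodeToString(nonce), Issued: time.Now().UTC()}, nil
}

// Bytes is the exact byte string that is signed and verified.
func (c Challenge) Bytes() []byte { return []byte("vasp-ownership-proof:" + c.Wallet + ":" + c.Nonce) }

// AuditRecord captures who approved, what evidence was used and why.
type AuditRecord struct {
	At                                          time.Time
	Wallet, Evidence, Approver, Outcome, Reason string
	Amount                                      float64
	Tier                                        RiskTier
}

// Gate holds a transfer until policy is satisfied and logs every decision.
// Assumption: the wallet id is the hex ed25519 public key.
type Gate struct {
	Policy Policy
	Audit  []AuditRecord
	used   map[string]bool // nonces already consumed by a valid proof
}

func (g *Gate) log(r AuditRecord, released bool) (bool, AuditRecord) {
	r.At, r.Outcome = time.Now().UTC(), "held"
	if released {
		r.Outcome = "released"
	}
	g.Audit = append(g.Audit, r)
	return released, r
}

// proofValid checks key format, wallet binding, freshness, single use and the signature.
func (g *Gate) proofValid(wallet string, ch Challenge, sig []byte) bool {
	pub, err := hex.DecodeString(wallet)
	if err != nil || len(pub) != ed25519.PublicKeySize || ch.Wallet != wallet {
		return false
	}
	if time.Since(ch.Issued) > g.Policy.ChallengeMaxAge || g.used[ch.Nonce] {
		return false
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), ch.Bytes(), sig) {
		return false
	}
	if g.used == nil {
		g.used = map[string]bool{}
	}
	g.used[ch.Nonce] = true
	return true
}

// Evaluate applies the policy to one transfer. sig is nil when no challenge was
// completed; approver names the compliance reviewer for high-tier cases ("" if none).
func (g *Gate) Evaluate(wallet string, amount float64, ch Challenge, sig []byte, approver string) (bool, AuditRecord) {
	r := AuditRecord{Wallet: wallet, Amount: amount, Tier: g.Policy.Tier(wallet, amount), Approver: "policy"}
	if r.Tier == TierLow {
		r.Evidence, r.Reason = "prior-attestation", "trusted wallet under standard threshold"
		return g.log(r, true)
	}
	r.Evidence = "signed-challenge"
	if !g.proofValid(wallet, ch, sig) {
		r.Reason = "ownership proof missing, stale, reused or invalid"
		return g.log(r, false)
	}
	if r.Tier == TierHigh && approver == "" {
		r.Reason = "high tier: valid proof, awaiting named compliance approval"
		return g.log(r, false)
	}
	r.Reason = "valid proof under standard tier"
	if r.Tier == TierHigh {
		r.Approver, r.Reason = approver, "valid proof and compliance approval recorded"
	}
	return g.log(r, true)
}
```

The point of the design is that the analyst never decides on their own: the outcome and its reason come from `Policy`, a high-tier release is impossible without a named approver in the record, and a failed, stale or replayed proof produces a held decision with an explanation rather than a silent pass. Retaining `Gate.Audit` (and, in a real deployment, the challenge and signature bytes) is what lets the firm answer why the same wallet passed one day and was held the next.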
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | Accountability for verification decisions is a governance and oversight issue. |
| NIST CSF 2.0 | PR.AA-01 | Verification decisions depend on identity assurance and approval of evidence. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Wallet verification relies on strong identity and access governance around trust decisions. |
Tie unhosted wallet proof methods to approved identity assurance procedures and enforce them consistently.
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org