THIRD PARTY RISK MANAGEMENT FOR DIGITAL CURRENCY
With the Guiding and Establishing National Innovation for US Stablecoins Act (GENIUS Act) effectively greenlighting stablecoins and increasing market demand for digital asset capabilities, financial institutions (FIs) face mounting pressure to move quickly or risk falling behind.
Digital assets have moved from the periphery into mainstream finance, and FIs are no longer asking if they should engage – they are asking how. From stablecoin partnerships to custody services and tokenised assets, the industry is rapidly evolving.
Regulators, meanwhile, are shifting away from years of advising FIs to proceed cautiously when introducing digital assets into their product offerings. They are now accepting the inevitable evolution of the market and developing or updating their risk management guidelines to address the unique risks posed by digital assets, while balancing risk mitigation with market innovation.
FIs must move quickly to remain competitive while operating in an environment of regulatory uncertainty, where the rules are still developing. In the absence of updated regulatory guidance, FIs must set their own standards for managing the vendor landscape in the digital finance ecosystem.
This article explores why traditional third-party risk management (TPRM) frameworks fall short and provides actionable recommendations for building a TPRM framework that supports an FI’s expansion into digital assets.
Evolving third-party risk landscape
As FIs expand their digital asset capabilities, they encounter vendors, such as crypto-exchanges, custodians, wallet providers, stablecoin issuers and blockchain analytics firms, that do not fit traditional TPRM models.
Many of these vendors provide both traditional third-party services and core banking services, including payments, funds movement or liquidity services. Each of these services carries additional risk and compliance considerations that most conventional vendors do not present, including digital-currency volatility, stablecoin de-pegging, irreversible transactions, multi-signature failures, blockchain vulnerabilities, and greater exposure to fraud and illicit activity.