Wolfsberg Report Casts Light on Path Forward for Crypto Risk Management
Key Takeaways
- New analysis provides insights into managing AML risks for digital asset entities
- Detailed recommendation for modern risk management design
- “Homework” will need to be done by market participants to ensure future compliance
In September 2025, the Wolfsberg Group ("WG"), an association of 12 global banks that publishes guidance on financial crime risk management, released guidance (the "Guidance") on providing banking services to fiat-backed stablecoin issuers. Given the WG's standing as a source of industry best practice, and the rapid growth in U.S. stablecoin issuance that the recently enacted GENIUS Act is likely to accelerate, the Guidance merits a close look. It offers both an overall framework and practical steps for mitigating financial crime risk when banking stablecoin-issuing customers. It is therefore a valuable resource for financial institutions adapting their Anti-Money Laundering/Countering the Financing of Terrorism ("AML/CFT") programs to evolving U.S. standards that require such programs to be effective, risk-based, and reasonably designed. (See FinCEN's June 28, 2024 AML Program Proposed Rule.)
The Guidance is consistent with other current thinking on mitigating financial crime related to stablecoins: it applies longstanding financial crime principles while also proposing some novel approaches to this rapidly developing part of the digital asset ecosystem. The WG's approach reinforces the developing view that much of crypto risk management can be understood through existing frameworks.
Usefully, the Guidance begins with a review of digital asset definitions. It then reviews the primary types of relationships a financial institution may establish with a stablecoin issuer, which it summarizes as the provision of operating accounts, reserve accounts, and settlement accounts "for transactions related to the issuer's clients." For evaluating the overall relationship with the issuer, the Guidance directs the reader to earlier WG tools for assessing any financial institution's financial crime risk management framework, namely the Financial Crime Compliance Questionnaire (FCCQ) and the Correspondent Banking Due Diligence Questionnaire (CBDDQ). The Guidance then discusses best practices and controls for monitoring the risks arising from such relationships in a stablecoin issuance context.
Start with the Basics
As the foundation, the Guidance notes that "classic" risk management standards apply to managing financial crime risk for stablecoins. These principles call for an evaluation of the maturity of the issuer's overall financial crime risk management framework, including:
- The issuer's jurisdiction and the strength of the regulatory regime in that issuer's country or countries;
- Whether licensing and supervision are appropriate for the type of activity the stablecoin issuer undertakes, and what level of comfort that supervision can provide;
- The strength of the issuer's AML/CFT, sanctions, and anti-corruption and bribery frameworks, whether the related policies are developed and executed with sufficient resources, and how these frameworks relate to the issuer's fraud program;
- Engagement with the issuer's Board or senior management on financial crime matters, including policy approval and setting the issuer's appropriate risk appetite;
- The degree to which the issuer relies on third parties to satisfy elements of its risk management program;
- Whether the issuer has established procedures for cooperative engagement with law enforcement;
- The degree to which the issuer conducts due diligence on its partners and distributors;
- The degree to which the issuer conducts due diligence on the blockchains on which it decides to issue stablecoins;
- The application of a risk-based approach by the issuer arising from an enterprise-wide risk assessment;
- A monitoring and reporting program designed to ensure that suspicious activity is identified and reported to the relevant authorities, including the use of robust in-house or vendor blockchain analytics solutions and the approach to monitoring blockchain activity not covered by those vendors;
- The screening of activity to ensure compliance with sanctions and the issuer's ability to freeze stablecoins associated with sanctioned wallets, entities, or persons;
- The issuer's commitment to compliance with standard payment transparency regulation (i.e., the "Travel Rule");
- The role of internal testing and oversight particularly including internal audit teams;
- The issuer's training and education programs; and
- How the issuer's financial crime risk management program integrates with the financial institution's own risk management and oversight approach.
Evaluating Specific Account Activities
With respect to each type of account, the Guidance predictably sets high expectations for the institution providing the service: it must understand the baseline activity and profile of the account and monitor for any changes that could affect its risk profile.
Operating Accounts
As with any other business customer, a stablecoin issuer uses its operating accounts primarily to manage expenses, including salaries, vendor payments, and intercompany treasury management. Such accounts typically do not hold client funds and are therefore considered lower risk from a financial crime perspective. Concerns arise when they are misused for client-related transactions, such as (in the stablecoin context) minting or redemption; such misuse signals either a weakness in the issuer's governance framework or a deliberate circumvention of controls. If the issuer itself were to facilitate financial crime, any bank providing it with operating accounts could be exposed to regulatory or reputational risk. Financial institutions should therefore confirm through monitoring that the issuer's operating accounts are used solely for their permitted, intended operational purposes, and provide for prompt escalation where deviations or suspicious activity are identified. Fortunately, this is identical to the escalation provisions applied today to "standard" banking client relationships.
Reserve Accounts
Reserve accounts hold the assets that back an issuer's obligation to redeem its stablecoins at par. They are designed to safeguard funds rather than to process day-to-day activity, and they must remain segregated from the issuer's other assets. Activity in these accounts should therefore typically be limited to moving value between the reserve and settlement accounts as stablecoins are minted (issued) and burned (redeemed), and to investments in permitted reserve assets such as government securities. (See the permitted reserve assets under the U.S. GENIUS Act.) Reserve accounts are somewhat higher risk because of their direct link to client funds and their centrality to the stablecoin's safety and soundness and market credibility. Their risk profile depends in part on the breadth of the relationship, the nature of the reserve assets, and the need to interact with other custodians to manage the reserves, among other factors. For example, where a financial institution also provides the issuer's settlement accounts, it has greater visibility into fund flows, improving its oversight and its ability to monitor the issuer's activity.
Oversight should consist of validating the issuer's reserve management practices and audits against the issuer's own policies and its regulatory requirements, and identifying anomalies that could indicate mismanagement, misrepresentation of the amount of reserves, or misuse of reserves. These expectations are similar to validating that a correspondent bank complies with its own safeguarding and asset segregation requirements.
Settlement Accounts
Settlement accounts connect fiat and on-chain activity for stablecoin issuers. When stablecoins are issued, fiat received from the end user is credited to a settlement account before being transferred to reserves in whatever form the issuer's policy dictates. At redemption the process is reversed, and fiat is released to clients through the same account; fiat is paid out whether the issuer "burns" the returned stablecoin or takes it into its proprietary reserve. Settlement accounts are thus more active than reserve accounts and involve a much broader range of counterparties, making them the critical channel through which client funds flow into and out of the traditional financial system. They therefore carry the highest financial crime risk of the three account types.
According to the Guidance, at onboarding the financial institution should focus on understanding the issuer's risk appetite and how the issuer manages that risk. Stablecoin-specific diligence requires investigating the types of customers the issuer serves, the underlying source of funds, how the issuer assesses the compliance framework in the jurisdictions where its clients operate, the jurisdictions and regulatory regimes that apply, and the payment flows to and from each account type. The objective is for the financial institution to ensure that its own risk appetite aligns with that of its stablecoin-issuing customer. Where there is misalignment, the institution may prefer not to serve certain segments of the issuer's user base.
In terms of stablecoin-specific diligence, the Guidance suggests the financial institution might review the following:
- The issuer's approach to minting/burning stablecoins and how those activities will manifest in the settlement account;
- How the issuer determines which digital asset service providers or institutional clients it will serve;
- The degree of on-chain monitoring the issuer performs beyond direct business relationships;
- Any enhanced controls for transfers to or from unhosted wallets;
- Other controls including real-time verification of wallet addresses, implementing deny or allow lists, using smart contracts and technological tools for transaction blocking and reversible transactions (delayed settlement) to prevent or reverse transfers to high-risk or illicit wallets; and
- The issuer's willingness to engage with digital asset service providers linked to predicate illicit activity or to the use of privacy-enhancing tools.
The Guidance notes that account activity review ("AAR") is the standard tool for assessing whether the issuer customer is behaving consistently with the expectations set at onboarding. All of these diligence activities are intended to confirm consistency with expected behavior and to detect suspicious or prohibited activity, and they should operate in coordination with the controls the issuer itself employs. A failure to match the expected activity profile should lead to follow-up inquiries, corrective action, and possibly termination of the relationship.
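As an added illustration (it is not part of the Wolfsberg Guidance or of this article's source), the Python below sketches how a bank-side account activity review might encode the expectations discussed above: permitted purposes for each of the three account types (so that a redemption paid out of an operating account is flagged, as in the Operating Accounts discussion), the issuer's counterparties disclosed at onboarding, agreed daily mint and redemption bands, a deny list of wallet addresses, and a day-end reconciliation of settlement-to-reserve flows against net issuance (the kind of reserve anomaly the Reserve Accounts discussion describes). The purpose codes, field names, thresholds and sample transactions are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Permitted purposes per account type, following the three account roles the
# Guidance describes. The purpose codes themselves are this example's assumption
# about how a bank might tag an issuer's transactions.
PERMITTED_PURPOSES = {
    "operating": {"payroll", "vendor", "intercompany"},
    "reserve": {"from_settlement", "to_settlement", "reserve_asset"},
    "settlement": {"mint", "redeem", "to_reserve", "from_reserve"},
}


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str       # "operating" | "reserve" | "settlement"
    purpose: str       # bank-side purpose code (assumed vocabulary above)
    amount: float      # fiat value of the movement, always positive
    counterparty: str  # issuer client, vendor or internal account identifier
    wallet: str = ""   # on-chain address disclosed for a mint/redeem, if any


@dataclass
class OnboardingProfile:
    expected_counterparties: set   # clients the issuer disclosed at onboarding
    max_daily_mint: float          # fiat band agreed for minting
    max_daily_redeem: float        # fiat band agreed for redemptions
    deny_listed_wallets: set = field(default_factory=set)  # lower-case, from sanctions/analytics
    reconcile_tolerance: float = 1.0                       # fiat units


def review_day(txns, profile):
    """Return (severity, txn_id, reason) findings for one day's activity."""
    findings = []
    totals = {"mint": 0.0, "redeem": 0.0, "to_reserve": 0.0, "from_reserve": 0.0}
    for t in txns:
        allowed = PERMITTED_PURPOSES.get(t.account)
        if allowed is None:
            findings.append(("high", t.txn_id, f"unknown account type {t.account!r}"))
            continue
        if t.purpose not in allowed:
            # e.g. a redemption paid out of the operating account: a governance
            # weakness or a deliberate circumvention of the issuer's controls
            findings.append(("high", t.txn_id,
                             f"purpose {t.purpose!r} not permitted on {t.account} account"))
            continue
        if t.account != "settlement":
            continue
        if t.purpose in ("mint", "redeem"):
            if t.counterparty not in profile.expected_counterparties:
                findings.append(("medium", t.txn_id,
                                 f"counterparty {t.counterparty!r} not disclosed at onboarding"))
            if t.wallet and t.wallet.lower() in profile.deny_listed_wallets:
                findings.append(("high", t.txn_id, f"deny-listed wallet {t.wallet}"))
        totals[t.purpose] += t.amount
    if totals["mint"] > profile.max_daily_mint:
        findings.append(("medium", "-",
                         f"daily mint {totals['mint']:,.0f} exceeds band {profile.max_daily_mint:,.0f}"))
    if totals["redeem"] > profile.max_daily_redeem:
        findings.append(("medium", "-",
                         f"daily redeem {totals['redeem']:,.0f} exceeds band {profile.max_daily_redeem:,.0f}"))
    # Reserve reconciliation: fiat received on mint, net of redemptions, should have
    # moved from the settlement account into reserve the same day. A gap is the kind
    # of anomaly that can indicate mismanaged or misrepresented reserves.
    net_issuance = totals["mint"] - totals["redeem"]
    net_to_reserve = totals["to_reserve"] - totals["from_reserve"]
    if abs(net_issuance - net_to_reserve) > profile.reconcile_tolerance:
        findings.append(("high", "-",
                         f"reserve flow does not reconcile: net issuance {net_issuance:,.0f} "
                         f"vs net to reserve {net_to_reserve:,.0f}"))
    return findings


# Constructed sample profile and sample day (not real data). Amounts are fiat.
SAMPLE_PROFILE = OnboardingProfile(
    expected_counterparties={"DASP-ALPHA", "DASP-BETA"},
    max_daily_mint=3_500_000,
    max_daily_redeem=2_000_000,
    deny_listed_wallets={"0xdeadbeef00000000000000000000000000000001"},
)
SAMPLE_DAY = [
    Txn("t1", "operating", "payroll", 250_000, "PAYROLL-PROVIDER"),
    Txn("t2", "operating", "redeem", 1_200_000, "DASP-ALPHA"),  # misuse of operating account
    Txn("t3", "settlement", "mint", 3_000_000, "DASP-ALPHA", "0xabc0000000000000000000000000000000000001"),
    Txn("t4", "settlement", "mint", 900_000, "CORP-ZETA", "0xDEADBEEF00000000000000000000000000000001"),
    Txn("t5", "settlement", "redeem", 500_000, "DASP-ALPHA"),
    Txn("t6", "settlement", "to_reserve", 3_400_000, "RESERVE-ACCT"),
    Txn("t7", "reserve", "from_settlement", 3_400_000, "SETTLEMENT-ACCT"),
]

if __name__ == "__main__":
    for severity, txn_id, reason in review_day(SAMPLE_DAY, SAMPLE_PROFILE):
        print(f"[{severity}] {txn_id}: {reason}")
```

On the constructed day the review raises the operating-account redemption (t2), the undisclosed counterparty and deny-listed wallet on t4, and a breach of the daily mint band (3.9M against 3.5M), while the reserve flow reconciles; dropping the settlement-to-reserve transfer would instead raise the reconciliation finding. Each finding maps to a follow-up inquiry with the issuer rather than an automatic decision, which is the escalation path the text describes.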
Further Assessment
Throughout the discussion of these facets of the bank-customer relationship, the Guidance makes clear the central importance of understanding the intended purpose for each account and its associated product(s), as well as the expected fund flows to and from the account and the types of counterparties with which the issuer will interact (i.e., the issuer's clients). Here, financial institutions should distinguish between the issuer's direct clients—such as digital asset service providers (DASPs), corporates, or non-bank payment service providers (PSPs)—and the users who may ultimately receive stablecoins or fiat currency through those intermediaries. These distinctions will enable more rapid detection of unusual or unexpected activities and provide a better foundation for assessing their net risks.
Unique Challenge: Monitoring On-Chain Activity
The Guidance also addresses what it describes as perhaps the most distinctive challenge facing financial institutions that serve stablecoin issuers: the need to monitor on-chain transaction activity. Faced with what could otherwise be a limitless obligation on public blockchains, the Guidance states plainly that the approach should focus on a single question: is the issuer operating within its own risk appetite? This calls for a tailored, risk-based approach by the financial institution. For example, where a large corporate user is permitted to mint stablecoins for its own use, the financial institution may reasonably conclude that no on-chain monitoring is necessary. In other cases, monitoring at a macro level may be required, such as for an issuer with a higher risk appetite that provides minting or burning services to a smaller DASP operating in an unregulated jurisdiction within a higher-risk third country.
Issuers with high-risk users will be more expensive for the financial institution to monitor; at the high end of the risk spectrum, the institution may require disclosure of wallet addresses so that it can apply blockchain analytics solutions directly. On balance, the Guidance suggests establishing a reasonable, risk-based AAR calibrated to the issuer's client base and its corresponding control framework. Consistent with U.S. AML/CFT principles, the Guidance is clear that it remains the issuer's responsibility to detect, prevent, and report financial crime arising from its clients' use of the stablecoin.
The Guidance concludes with detailed examples of use cases and on-chain monitoring approaches proportionate to the risks they present. This survey of scenarios underscores the variety of both circumstances and controls that may apply, and it also cites the use of external public reporting on a stablecoin's use and reputation in determining the appropriate extent of controls. Intervention and enhanced monitoring might then be triggered by adverse media, for example, again in keeping with general financial crime risk management principles.
Conclusion
The Guidance is another wake-up call for the financial services industry to begin (or continue) the homework required to engage productively and safely with stablecoin issuers and others in the growing digital assets space. It is helpful to have confirmation that many standard elements of existing risk frameworks will apply to the stablecoin ecosystem, but the new work required to be ready is substantial. Financial crime subject matter experts will need a sound understanding of how stablecoin issuers operate and of the technology underpinning the minting, transferring, custodying, and burning of these assets. Without such a common understanding, refreshed continually given the pace of developments, the risk assessment process lacks a sound foundation. Institutions that intend to engage with stablecoin issuers should begin their diligence and assemble the relevant expertise today.
Andrew Lorentz, Steve Gannon, and other members of Davis Wright Tremaine's financial services and digital assets practices offer key insights on stablecoin guidance and the GENIUS Act.