A compliance team's guide to the five risk domains that matter right now
Here's the thing about stablecoins: the name is doing a lot of work. "Stable" implies safety. It implies predictability. And for a long time, compliance teams at banks, fintechs, and asset managers were able to treat stablecoins as someone else's problem a crypto-native curiosity that didn't really intersect with their regulatory responsibilities.
That window has closed.
The stablecoin market hit $320 billion in aggregate market cap in April 2026, up more than 50% in a single year. The GENIUS Act, the U.S.'s first comprehensive stablecoin framework was signed into law in July 2025. FDIC, OCC, FinCEN, and OFAC all issued proposed rules in April 2026. The Bank for International Settlements has been issuing warnings about systemic risk. Morgan Stanley launched a dedicated stablecoin reserves money market fund. Traditional finance has arrived, and regulators are right behind it.
If your compliance program hasn't caught up to this moment, this piece is where to start. Here are the five stablecoin risk domains that every compliance team needs to understand and own in 2026.
Reserve Backing & Depeg Risk: The Foundation Is Shakier Than It Looks
Everything in stablecoin risk flows from one question: what is actually backing this thing?
For fiat-backed stablecoins like USDT and USDC, the answer involves cash, Treasury bills, repurchase agreements, and depending on the issuer some less liquid assets sitting in the mix. For yield-bearing and algorithmic variants, the picture gets far more complex: crypto collateral, leveraged positions, and programmatic stability mechanisms that have a history of failing under pressure.
The depeg events of late 2025 made this very concrete. In October 2025, USDe the algorithmic stablecoin from Ethena Labs temporarily traded at $0.65 on Binance following a macro shock tied to U.S.-China trade tensions. In a single week in November, three separate DeFi stablecoins lost their pegs following protocol exploits, wiping out hundreds of millions in value. These weren't fringe instruments held by retail traders. They were integrated into DeFi protocols used by institutional capital.
Even the "safe" stablecoins carry risk here. The question isn't just whether a stablecoin holds T-bills, it's whether reserves are independently attested, how frequently, whether redemption rights are contractually enforceable, and whether exit liquidity is sufficient to handle a large institutional withdrawal without slippage. Most issuers still publish monthly attestations at best. Most compliance teams have no real-time visibility into reserve composition changes.
The institutional response is already in motion. In April 2026, Morgan Stanley Investment Management launched the MSNXX Stablecoin Reserves Portfolio a government money market fund specifically designed for stablecoin issuers to hold reserves in, invested exclusively in T-bills and overnight repos with daily liquidity. It's a direct response to what GENIUS Act compliance will require: high-quality liquid asset backing, no ambiguity.
For compliance teams, reserve quality and peg stability need to be monitored continuously (not reviewed quarterly). dd.xyz by Webacy provides live depeg monitoring and peg deviation scores across major stablecoins, along with liquidity, holders, and fund flows in real time. The scoring methodology is fully documented for teams that need to explain their monitoring approach to auditors or regulators.
AML, Sanctions & Financial Integrity: The Enforcement Clock Is Running
If there's one section of this piece your legal team should read, it's this one.
On April 8, 2026, FinCEN and OFAC jointly issued a Notice of Proposed Rulemaking that, once finalized, will formally treat permitted payment stablecoin issuers as financial institutions under the Bank Secrecy Act. This is the first time federal law has explicitly required a specific category of U.S. persons to maintain a formal sanctions compliance program not just comply with existing OFAC rules, but build and maintain an effective program with documented internal controls, risk assessments, testing, auditing, and senior management accountability.
The operational requirements are significant. Issuers will be required to have the technology to block, freeze, and reject transactions on both primary and secondary markets meaning the compliance burden doesn't stop at issuance. Comments on the proposed rule are due June 9, 2026, with a 12-month implementation clock expected once the rule is finalized.
For banks and fintechs that hold stablecoins, accept them as collateral, or integrate them into payment flows, the downstream implications are just as important. If your counterparty is a stablecoin issuer that gets flagged for AML deficiencies, that's your counterparty risk. If stablecoins moving through your platform interact with sanctioned wallets even indirectly that's your exposure.
This is also the risk domain most easily addressed with existing tooling if you're using the right tools. Wallet-level sanctions screening, address poisoning detection, and transaction-level risk scoring: these are capabilities that have existed in crypto-native infrastructure for years and are now being pulled into regulated compliance workflows
Liquidity Risk & Systemic Contagion: How a Stablecoin Run Becomes Your Problem
This is the risk that the BIS keeps flagging and it's the one most compliance teams haven't fully internalized yet.
In April 2026, BIS General Manager Pablo Hernández de Cos made the case plainly: “runs on stablecoins could put broader financial stability at risk, given their links to the traditional financial sector and conventional financial instruments”. This isn't an abstract scenario. It's a structural vulnerability that emerges specifically when stablecoins grow large enough to matter to the Treasury market and they're getting there.
A Federal Reserve's analysis from April 2026 made the same point: stablecoins' expanding integration with conventional payment infrastructure amplifies their systemic footprint. A stablecoin that was once contained to crypto markets is now being used as a settlement layer, a collateral asset, and a yield-bearing treasury instrument by traditional financial institutions. That interconnection is a two-way street.
For compliance teams, the practical question is: where does your institution have exposure to stablecoin liquidity risk? It shows up in more places than people expect stablecoins held as collateral by counterparties, yield strategies that route through DeFi protocols using stablecoin liquidity, cross-chain bridge exposures, and whale concentration risk where a single large holder can move markets.
The liquidity picture for any given stablecoin is not static. DEX and CEX liquidity depth changes. Holder concentration shifts. Large mints or burns visible in real-time supply flow data can signal an emerging event before it shows up in price.
Regulatory & Monetary Sovereignty Risk: The Policy Environment Is Shifting Fast
This one is less about a specific stablecoin failing and more about the regulatory ground shifting under institutions that have already integrated stablecoins into their operations.
Central banks globally are deeply uncomfortable with dollar-denominated stablecoins operating across their jurisdictions without monetary policy transmission effects. The BIS has framed this explicitly: large stablecoin adoption erodes seigniorage, weakens monetary transmission, and shifts systemic power away from local currencies and central bank deposits. In emerging markets, dollar stablecoins are already acting as de facto currency substitutes, a feature that the BIS and IMF have flagged as a financial integrity threat.
In the U.S., the regulatory picture is evolving quickly. The GENIUS Act established the framework; OCC, FDIC, and state regulators are actively filling in the details. The Delaware Payment Stablecoins Act added a state-level layer. MiCA is live in Europe. These aren't harmonized; they create genuine compliance complexity for any institution operating across jurisdictions.
For compliance teams, this means two things. First, the stablecoins you approved six months ago may need to be re-evaluated as their regulatory standing is formalized (or not). The USDS rating on dd.xyz by Webacy is a useful example: despite a strong on-chain and liquidity profile (A- overall, peg deviation of just 0.04%), the primary risk driver is unresolved regulatory standing across MiCA and U.S. frameworks. That's exactly the kind of nuance a point-in-time review misses.
Second, issuer and governance risk the regulatory licenses held, the redemption rights enforceability, the centralization of admin keys needs to be part of your stablecoin assessment framework, not just the reserve composition.
The Compliance Team's Toolkit: Why Continuous Monitoring Is the New Standard
Here's where we get practical.
The existing approach to stablecoin risk at most institutions looks something like this: review the issuer's monthly attestation, check if the stablecoin is on an approved list, maybe pull a point-in-time risk report from a third-party provider. Review annually or when something goes wrong.
That approach doesn't work anymore and it doesn't work for a specific reason: stablecoin risk parameters move daily. Reserve composition changes. Smart contracts get upgraded. Oracle dependencies shift. Whale wallets start moving. Peg deviation creeps up before it becomes a headline. By the time a quarterly review catches something, the event has already happened.
The framework that actually works for compliance teams looks like this: a unified risk rating for each stablecoin (an A+→F scale maps directly onto credit frameworks compliance teams already use), with continuous on-chain monitoring and threshold-based alerts that trigger when scores cross defined levels. Webhook delivery means those alerts flow into existing compliance workflows with no manual monitoring required.
dd.xyz by Webacy is built exactly for this. It provides live stablecoin risk ratings across all dimensions that matter to compliance teams collateral and backing, issuer and governance, peg stability and liquidity, and on-chain and technical risk updated continuously as on-chain data changes. The Safety Rating methodology documents how ratings are calculated, alerts are configurable by threshold, delivered via webhook or email, and cover everything from peg deviation events to smart contract upgrade actions.
For teams that need to go deeper vault-level risk for yield strategies, or full API access for custom compliance tooling docs.webacy.com is the place to start.
The Bottom Line
Stablecoin risk in 2026 is not a single thing. It's a stack: reserve quality, AML/sanctions exposure, liquidity and contagion risk, regulatory uncertainty, and the gap between static review and what's actually happening on-chain right now.
Compliance teams that treat this as five separate problems will spend a lot of time and get incomplete coverage. The teams getting ahead of it are treating stablecoin risk as an infrastructure problem and solving it with the same rigor they bring to counterparty credit risk: defined methodologies, continuous monitoring, and alerts that don't require someone to be watching a dashboard.
The regulatory window is short. The GENIUS Act implementation clock is running. The FinCEN/OFAC comment period closes June 9. This is the moment to build the framework, not react to the next depeg.
Explore live stablecoin risk ratings at dd.xyz by Webacy. API documentation and integration guides at docs.webacy.com.
