
What FDIC and NYDFS Examiners Actually Ask Banks About Their Stablecoin Operations


Alexander Sverdlov

Security Analyst

5/15/2026

Bank Examination · Stablecoin Operations · May 2026


A practical pre-examination playbook for chief risk officers at banks and trust companies issuing or custodying stablecoins. The 12 questions on every recent exam, the evidence packets to have ready, the common findings, and the pre-exam tabletop that has saved every client we have walked through this with.

Key Takeaways

  • Federal and state banking examiners (FDIC, OCC, NYDFS, state regulators) now ask the same set of 12 specific questions about stablecoin and digital asset operations in nearly every recent examination of a regulated issuer.
  • None of the 12 questions is about smart contract code. All of them are about operational governance, configuration of the custody platform, on-chain authority placement, vendor management, and incident response.
  • The examiner's mental model is rooted in FFIEC IT Examination Handbook, FDIC FIL-16-2022 (crypto notification), NYDFS Stablecoin Guidance (June 2022), and the 2023 Interagency Guidance on Third-Party Relationships. Every question maps to a control objective in one of those.
  • The single biggest determinant of a clean exam is whether your evidence is organized in advance. Examiners draw conclusions about the quality of your program from how quickly and completely you can produce a requested document.
  • A pre-exam tabletop exercise simulating the actual examiner questions, conducted 60 to 90 days before the exam window, surfaces every gap you still need to close. We run this with every regulated issuer client.
  • Standard remediation order for findings: governance documentation first, then permission review evidence, then authority-placement verification, then vendor and integration controls.

Last quarter the Chief Risk Officer of an FDIC-supervised bank called me on a Tuesday afternoon. They had received a routine examination notice the week before, and the field examiner had just sent the document request list. Item 19 of 47 read: "Provide your operational risk management framework for digital asset products, including stablecoin operations, with specific evidence of (a) governance structure, (b) policy approval, (c) third-party vendor management, (d) operational controls over mint, burn, and transfer flows, and (e) any incidents or near-misses during the examination period."

The CRO had a slide deck from the product launch that referenced "operational risk framework" in the appendix. They had policies that mentioned digital assets. They had a vendor list that included the wallet platform. They did not have any of those things organized into the structure the examiner expected to see, and they had nine business days to deliver the package. We walked through the document request, sorted what they had into the structure examiners use, drafted the missing two policies, prepared the evidence binder, and ran a one-hour tabletop on the first day of the exam. The exam closed without findings on the digital asset portion.

This is the same playbook we use with every regulated issuer client. Below is the structure - the 12 questions, the evidence to prepare for each, and the pre-exam tabletop.


Context

What Changed in Examiner Approach to Stablecoin Operations

Two years ago, the typical bank examination touched digital asset products lightly, often through a single bullet on the document request: "describe your involvement in any digital asset activities." That has changed. The FFIEC IT Examination Handbook updates, the FDIC's 2022 financial institution letter (FIL-16-2022), the NYDFS Stablecoin Guidance (June 2022), the 2023 Interagency Guidance on Third-Party Relationships, and the MiCA regime for European-supervised institutions have collectively turned the digital asset examination from a 30-minute conversation into a structured review with its own document request, its own evidence expectations, and its own findings template.

The federal banking agencies now expect examiners to assess digital asset operations against the same control objectives they apply to any other novel banking product: governance and oversight, third-party risk management, operational and technology risk, compliance risk (including BSA/AML), and consumer protection. The difference is that the technical surface is unfamiliar. So examiners ask twelve specific questions designed to surface whether the bank actually understands and controls the surface, regardless of whether the examiner personally understands every technical nuance.

The 12 Questions

The Questions Examiners Actually Ask

The 12 Questions on Every Recent Stablecoin Exam, mapped to the framework section they come from:

  1. Governance structure - "Who owns the digital asset risk? Show me named individuals, reporting lines, board updates." (FFIEC Mgmt Booklet, FDIC FIL-16-2022)
  2. Policy and procedure approval - "Show me the board-approved policy that authorizes this product and its approval date." (FFIEC Mgmt, NYDFS Guidance)
  3. Operational control over mint/burn - "Walk me through who can initiate a mint, who approves it, who executes, who reconciles." (FFIEC Ops, NYDFS Operational Controls)
  4. Reserve management - "Show me reconciliation between on-chain supply and off-chain reserves, daily." (NYDFS Reserve Requirements)
  5. Third-party vendor management - "Show me your inventory of digital asset vendors and due diligence on each." (2023 Interagency Third-Party Guidance)
  6. Key and credential management - "Who controls the signing keys? Where are they stored? Recovery procedure tested?" (FFIEC Info Sec, NYDFS Operational)
  7. BSA/AML controls - "How do you screen counterparties and monitor transactions? OFAC, sanctions, SAR." (BSA, NYDFS BSA/AML Transaction Monitoring)
  8. Incident response capability - "What's your IR plan for a digital asset incident? When tested? Notification procedure?" (FFIEC Bus Continuity, FDIC FIL-16-2022)
  9. Freeze authority and OFAC readiness - "Who can exercise freeze authority? Time to freeze tested against a tabletop scenario?" (OFAC, NYDFS Freeze Authority)
  10. Consumer protection and disclosure - "How are stablecoin holders informed of risk, redemption rights, reserve status?" (CFPB, NYDFS Consumer Disclosure)
  11. Audit and independent assessment - "What independent reviews have you had?" (FFIEC Audit Booklet)
  12. Board reporting cadence - "Last four quarterly board updates on" (FFIEC Mgmt, NYDFS Board Oversight)
Figure 1. The 12 questions examiners ask about stablecoin operations, mapped to the framework section each comes from.

Questions 9 through 12 are the newest additions to the standard set and the ones banks are least prepared for. Question 9 (freeze authority and OFAC) became prominent after enforcement actions against stablecoin issuers who could not freeze sanctioned addresses quickly. Question 12 (quarterly board reporting) reflects the supervisory expectation that digital asset risk has the same governance cadence as any other material product line.


Preparation

The Evidence Packets to Prepare in Advance

An examiner's confidence in your program is shaped less by the documents themselves than by how organized and complete the packet is when requested. A binder produced in 90 minutes from a structured evidence vault reads as a mature program. The same documents produced in three days from email threads read as a program that exists on paper but not in practice. Evidence packets to have ready before the examiner asks:

  • Governance binder: board-approved digital asset risk policy, organizational chart with named risk owner, board minutes showing approval, last four quarterly board updates.
  • Operations packet: mint/burn/redeem flow diagrams, segregation-of-duties matrix, approval quorum policy, last three months of mint and burn evidence with approvals visible.
  • Reserve packet: reserve policy, daily on-chain-to-off-chain reconciliation procedure, sample reconciliation report, attestation cadence, latest attestation report.
  • Vendor packet: vendor inventory, completed due diligence questionnaires, SOC 2 reports for critical vendors, vendor contracts with security obligations highlighted.
  • Custody platform packet: user and role inventory in DFNS, Fireblocks, or whichever platform you use, permission baseline document, quarterly access review evidence, signing key inventory and recovery procedure with last-tested date.
  • On-chain authority packet: token authority document signed by the CRO showing expected mint, freeze, update, and close authorities; on-chain verification screenshots; OFAC freeze procedure with time-to-freeze tested.
  • BSA/AML packet: transaction monitoring procedure, OFAC screening evidence, SAR filings (or "none filed" letter), counterparty risk-rating methodology.
  • Incident response packet: written IR plan covering digital asset incidents, last tabletop exercise findings, notification template, regulator contact procedure, log of incidents or near-misses from the last 12 months.

If you have all eight packets organized today, you are ahead of approximately 80 percent of the regulated issuers we encounter at first engagement. If you have three or fewer of them, you have material work to do before your next exam window opens.
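The reserve packet and the on-chain authority packet both rest on a repeatable daily check. As an added example (not code from this post or from any custody vendor), the Python below produces a dated, self-hashed evidence record from two checks: observed on-chain authorities against the CRO-signed baseline, and circulating supply against the attested reserve balance. The authority names, balances and the on-chain snapshot are constructed sample data; a production run would replace them with the bank's node and treasury queries.

```python
"""Daily control evidence: on-chain authority placement vs the signed baseline, and
on-chain supply vs reserves. Names and balances are constructed sample data."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed baseline: what the CRO-signed token authority document says.
AUTHORITY_BASELINE = {
    "mint": "issuer-multisig-3of5",
    "freeze": "compliance-multisig-2of3",
    "update": "issuer-multisig-3of5",
    "close": None,  # close authority deliberately revoked
}
# Constructed on-chain snapshot (a real run would query the node): the update
# authority has drifted to a single operator hot key.
OBSERVED_ONCHAIN = dict(AUTHORITY_BASELINE, update="ops-hotkey-01")

def authority_drift(baseline, observed):
    """One finding per authority whose on-chain holder differs from the baseline."""
    return [
        {"authority": name, "expected": expected, "observed": observed.get(name, "<unset>")}
        for name, expected in baseline.items()
        if observed.get(name, "<unset>") != expected
    ]

def reconcile_supply(onchain_supply, reserve_balance, tolerance_bps=0):
    """Compare circulating supply with attested reserves (same minor units);
    a shortfall above tolerance_bps of supply fails the check."""
    shortfall = onchain_supply - reserve_balance
    allowed = onchain_supply * tolerance_bps // 10_000
    return {"onchain_supply": onchain_supply, "reserve_balance": reserve_balance,
            "shortfall": shortfall, "within_tolerance": shortfall <= allowed}

def _digest(body):
    payload = {k: v for k, v in body.items() if k != "sha256"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

def evidence_record(baseline, observed, onchain_supply, reserve_balance, as_of=None):
    """Dated, self-hashed record for the reserve and on-chain authority packets."""
    body = {"as_of": as_of or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "authority_findings": authority_drift(baseline, observed),
            "reserve_reconciliation": reconcile_supply(onchain_supply, reserve_balance)}
    clean = not body["authority_findings"] and body["reserve_reconciliation"]["within_tolerance"]
    body["status"] = "PASS" if clean else "FAIL"
    body["sha256"] = _digest(body)  # lets a reviewer detect later edits to the retained copy
    return body

def verify_record(record):
    """Recompute the hash an examiner would check against the retained record."""
    return record.get("sha256") == _digest(record)

if __name__ == "__main__":
    print(json.dumps(evidence_record(AUTHORITY_BASELINE, OBSERVED_ONCHAIN, 100_000_000, 100_000_000), indent=2))
```

Retaining one such record per day, with the hash logged separately, gives the "sample reconciliation report" and "on-chain verification" artifacts in a form that shows the control ran on its stated cadence.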

Common Findings

The Five Findings That Come Up Most Often, and How to Respond

Five Most Common Findings in Recent Stablecoin Exams, in order of frequency, with how to respond:

  1. Inadequate documentation of operational controls over mint and burn. The examiner cannot see who approves what, in what sequence, with what evidence retained. Response: produce a signed segregation-of-duties matrix plus 90 days of mint/burn evidence with approvals.
  2. Vendor due diligence incomplete or stale. DDQ questionnaires from 2023, SOC 2 reports more than 18 months old, no annual refresh. Response: vendor refresh program with an annual cadence plus current attestations on file.
  3. Recovery procedure not tested in the last 12 months. Disaster recovery for signing infrastructure is documented but never rehearsed. Response: schedule an annual recovery rehearsal in a test tenant and document the test result.
  4. Board reporting cadence missing or thin. Digital asset risk is not on the quarterly board agenda, or appears with no quantitative content. Response: standing quarterly board cyber update with risk metrics, incidents, and forward look.
  5. OFAC freeze time not tested. The bank can freeze in theory but has never measured how long it actually takes under realistic conditions. Response: annual freeze tabletop with measured time plus a documented procedure.
Figure 2. The five most common findings in recent stablecoin exams, each with a specific response pattern.

The pattern across all five: each finding has a documented control that exists, but the evidence to demonstrate operational effectiveness is missing or stale. Examiners are not asking whether you have a policy; they assume you do. They are asking whether the policy is real - whether it produces the artifacts it claims to produce on the cadence it claims to produce them.


The Tabletop

The Pre-Exam Tabletop That Saves Every Engagement

Sixty to ninety days before your expected exam window, run a 90-minute tabletop with your operational risk officer, your CCO, your head of digital asset operations, and your CISO or vCISO. The tabletop has one purpose: simulate the examiner conversation against the 12 questions, in the order an examiner would ask them, and time how long each evidence packet takes to produce.

Tabletop script (90 minutes)

  1. 0:00 - 0:05 Facilitator (typically external advisor or CRO) explains the exercise. No participant has prepared specifically for it. All evidence requests will be timed.
  2. 0:05 - 0:60 Walk through each of the 12 questions. For each, the facilitator says: "show me your evidence for this control." The owner produces it on screen or paper. Facilitator records: complete/partial/missing, and time-to-produce.
  3. 0:60 - 0:80 Walk through the most likely incident scenarios (lost credential, suspected counterparty compromise, regulator inquiry, sanctioned address detection). Owner walks through the IR procedure as it actually works today, not as documented.
  4. 0:80 - 0:90 Findings recap. The list of "complete," "partial," and "missing" becomes your pre-exam remediation list with owners and deadlines.

In every tabletop we have run with a regulated issuer, the exercise has surfaced between three and seven specific gaps that the issuer's leadership did not know existed. The cost of finding those gaps in a tabletop is half a working day for the team. The cost of finding the same gaps in a live exam is a public finding, a remediation order, and material business cost.

How Atlant Security Helps

Examiner-Ready in 4 Weeks

Our DFNS & Stablecoin Configuration Audit produces all eight evidence packets above as deliverables, surfaces every one of the five common findings before your examiner does, and includes the pre-exam tabletop as part of the engagement. The final report is structured to be handed to your FDIC, NYDFS, OCC, BaFin, FINMA, or MAS examiner without translation.

  • Four-week delivery from kickoff to examiner-ready report
  • Compliance advisory call included to walk through likely examiner questions
  • Multi-framework mapping: FFIEC, NYDFS, FDIC, MiCA, FATF, NIST CSF
  • From USD 30,000 fixed-price, no hourly billing, no scope creep
  • Senior auditor leads end to end - not outsourced, not staffed with juniors

Book a 30-minute scoping call →

Frequently Asked

Questions From Bank Chief Risk Officers

We are a small community bank with a small pilot stablecoin product. Do all 12 questions really apply to us?

Yes, scaled to the size of the activity. The examiner will not expect a $400M asset community bank to have the same depth of dedicated digital asset risk infrastructure as a $50B institution. But they will expect every one of the 12 controls to exist in proportion to the activity. A small pilot still needs a board-approved policy, a named owner, a vendor inventory, an incident plan, and so on. The depth of evidence required is smaller; the structure is the same.

Our wallet vendor (DFNS, Fireblocks, etc.) has SOC 2. Doesn't that cover our operational risk?

No. Your vendor's SOC 2 covers their controls. It does not cover how you have configured your tenant of their platform. Two banks can use the same vendor and have wildly different operational risk because of how each one has set up users, policies, recovery, and integration. Examiners specifically ask about your configuration, not the vendor's.

How early can we engage Atlant Security relative to our expected exam window?

Ideally 90 to 120 days before the exam window opens. That gives us four weeks for the configuration audit, four weeks for remediation of any material findings, and four weeks of buffer for the tabletop and final preparation. Engaging us 30 days before the exam is workable but uncomfortable; engaging us during the exam is firefighting, which we will do, but the outcome is not as clean.

Will the examiner accept a third-party configuration audit report as evidence?

Yes, increasingly. Examiners view independent third-party assessment as one of the strongest signals of program maturity, especially when the assessment maps explicitly to the regulatory frameworks the examiner cares about. Our reports are structured for this exact use case - the Executive and Examiner Summary is the document your CCO hands to the examiner without translation.

What happens if we get a finding we cannot fix before the exam closes?

An open finding is materially better than a finding you did not know about. If you can produce a documented remediation plan with owner, target date, and verification method, examiners typically accept that as adequate. The danger is the finding the bank did not anticipate and has no plan for. The tabletop and audit are designed to eliminate that surprise.

Do you work with European banks under MiCA examiners (BaFin, AMF, ACPR, etc.)?

Yes. MiCA's operational risk and outsourcing requirements map directly to the same control domains as the US framework. The terminology differs and the regulatory mapping in the report adjusts, but the underlying controls are the same. We have done examination preparation work for institutions supervised under MiCA, FINMA, and MAS regimes.

A clean stablecoin examination is not the result of good luck or a friendly examiner. It is the result of a deliberate program that produces the artifacts examiners expect to see, in the structure they expect to see them, on the cadence they expect them to be produced. The 12 questions, the eight evidence packets, the five common findings, and the pre-exam tabletop above are the structure that produces that clean exam.

If your next exam window is closer than 120 days away and you have not run a structured pre-exam review of your digital asset operations, the right next step is to schedule one. We do this work as a focused engagement that produces the entire evidence binder, the tabletop output, the remediation list, and the examiner-ready report in four weeks. Details: DFNS & Stablecoin Configuration Audit.

Pre-exam scoping call: book 30 minutes or email alexander@atlantsecurity.com.

Alexander Sverdlov


Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.