
As financial institutions add stablecoin payments to live product workflows, compliance becomes one of the core design questions. The underlying obligations may be familiar - AML, transaction monitoring, Travel Rule obligations, sanctions screening, and counterparty due diligence - but stablecoin operations introduce new execution requirements. Teams need to interpret onchain activity, exchange compliance data with counterparties, monitor fiat and digital asset flows together, and maintain controls that work across jurisdictions.
With stablecoin payment volumes growing, stablecoin compliance infrastructure is also becoming a commercial requirement. Enterprises and fintechs need to demonstrate mature compliance operations to banking partners, payment counterparties, and regulators. Gaps in those controls can limit access to correspondent banking relationships, slow down partnerships, and increase operational risk.
In Episode 8 of Utila’s Stablecoin Builder Series, three compliance and security leaders discussed where the bar is being set and what it takes to meet it. The conversation featured:
Michelle Latzer, Co-founder & CEO of Corsa - compliance operating system for regulated companies across fiat and digital asset rails
Pelle Brændgaard, Co-founder and CEO of Notabene - crypto-native payment network for Travel Rule compliance and transaction authorization
Gabi Urrutia, SVP & Field CISO, Halborn - cybersecurity and risk solutions for digital asset companies
The discussion covered the practical requirements of stablecoin compliance: how teams should think about Travel Rule implementation, transaction monitoring, counterparty risk, cybersecurity, and the internal controls needed to operate at institutional scale. Below are the main takeaways for financial institutions and fintechs building stablecoin payment programs.
Compliance Expectations Come from Counterparties
Stablecoin companies building payment products need banking partners, correspondent banking network access, and relationships with payment networks to operate. Those counterparties evaluate compliance maturity before agreeing to work together, and their standards often exceed what regulators require.
Pelle Brændgaard, Co-founder and CEO of Notabene, said he regularly hears from companies whose financial counterparts demand due diligence standards well above what their regulatory regimes mandate. A banking partner providing fiat on/off ramps or correspondent banking access to a stablecoin payment provider absorbs counterparty risk through that relationship. If the provider's customer identification process is superficial, or if its transaction monitoring covers only one rail, the bank's own compliance exposure grows.
Latzer added a scaling dimension. When stablecoin payment volume grows quickly, compliance programs built in-house start breaking. Teams find themselves re-engineering internal logic every time they add a vendor, enter a new geography, or cross a volume threshold. The compliance program that worked at ten thousand monthly transactions often can't handle the orchestration required at ten million, particularly when it needs to coordinate across multiple vendors for transaction monitoring, travel rule compliance, and counterparty screening simultaneously.
Companies that build their compliance infrastructure on a configurable orchestration layer from the start, rather than hardcoding compliance logic, can absorb that growth without compliance teams becoming the bottleneck.
Transaction Monitoring: Monitor State, Not Flows
Traditional anti-money laundering monitoring searches for suspicious activity in payment flows. Onchain, that mental model generates false positives at scale because malicious and legitimate transactions can look structurally identical.
Urrutia pointed to the Radiant Capital hack as an example. The malicious transaction matched the fifty legitimate transactions before it. What the monitoring tools missed was a state change: someone modified the implementation of a proxy contract roughly fifty seconds before the exploit, altering admin permissions and function access. The suspicious activity wasn't in the transaction. It was in who changed the smart contract and when.
For financial institutions building compliance systems for onchain settlement, this means monitoring tools need to track contract state changes, permission modifications, and governance parameter updates, not just fund movements across wallet addresses.
Urrutia also raised the concept of "dormant zero days," where AI is discovering previously unknown vulnerabilities sleeping in deployed smart contracts and other infrastructure. The policy engine around stablecoin operations becomes a critical defense layer: even if monitoring can't catch the exploit in the code, a well-configured policy can block the resulting transaction before settlement.
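The monitoring shift described above, as an added example that is not Utila's, Halborn's or any speaker's code: instead of scoring each transfer on its own shape, the monitor records governance events on a proxy contract (the event names mirror the EIP-1967 `Upgraded` and `AdminChanged` names) and a policy check holds or blocks any settlement routed through a contract whose implementation or admin changed inside a lookback window. Every address, timestamp and amount in the sample is constructed; in the scenario, fifty routine transfers are followed by an implementation swap and, 50 seconds later, a transfer that is byte-for-byte the same size as the routine ones.

```python
"""Detect governance/state changes on a proxy contract and gate settlements.

Added example for this article, not Utila's, Halborn's or any speaker's code.
Event names mirror the EIP-1967 Upgraded/AdminChanged events; every record,
address and timestamp below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Events that change who controls a contract or what code it runs.
GOVERNANCE_EVENTS = {"Upgraded", "AdminChanged", "OwnershipTransferred", "RoleGranted"}


@dataclass
class Event:
    ts: int                      # unix seconds of the block
    contract: str                # emitting contract (the proxy)
    name: str                    # event name as decoded from the ABI
    args: Dict[str, str] = field(default_factory=dict)


@dataclass
class Transfer:
    ts: int
    contract: str                # contract the settlement routes through
    amount_usd: float
    tx_hash: str


class StateChangeMonitor:
    """Remembers the most recent governance change per contract."""

    def __init__(self) -> None:
        self.last_change: Dict[str, Event] = {}

    def observe(self, ev: Event) -> Optional[str]:
        """Record governance events; return an alert line, or None for other events."""
        if ev.name not in GOVERNANCE_EVENTS:
            return None
        self.last_change[ev.contract] = ev
        return f"STATE_CHANGE ts={ev.ts} contract={ev.contract} event={ev.name} args={ev.args}"


def policy_decision(monitor: StateChangeMonitor, tr: Transfer,
                    lookback_s: int = 3600, block_above_usd: float = 100_000.0) -> str:
    """Gate a settlement on the contract's recent governance history, not on the transfer's shape."""
    ev = monitor.last_change.get(tr.contract)
    if ev is None:
        return "ALLOW"
    age = tr.ts - ev.ts
    if age < 0 or age > lookback_s:      # change is later than the transfer, or outside the window
        return "ALLOW"
    if tr.amount_usd >= block_above_usd:
        return "BLOCK"
    return "HOLD"                         # human review before settlement


def run(events: List[Event], transfers: List[Transfer]) -> Tuple[Dict[str, str], List[str]]:
    """Replay events and transfers in block-time order; return per-tx decisions and alerts."""
    monitor = StateChangeMonitor()
    timeline = sorted(
        [(e.ts, 0, e) for e in events] + [(t.ts, 1, t) for t in transfers],
        key=lambda item: (item[0], item[1]),   # events before transfers in the same block
    )
    decisions: Dict[str, str] = {}
    alerts: List[str] = []
    for _, _, item in timeline:
        if isinstance(item, Event):
            alert = monitor.observe(item)
            if alert:
                alerts.append(alert)
        else:
            decisions[item.tx_hash] = policy_decision(monitor, item)
    return decisions, alerts


def build_sample() -> Tuple[List[Event], List[Transfer]]:
    """Constructed scenario: 50 routine transfers, then an implementation swap 50 s
    before a transfer whose size and shape match the routine ones exactly."""
    proxy = "0xPROXY_PLACEHOLDER"
    base = 1_700_000_000
    transfers = [Transfer(base + i * 60, proxy, 50_000.0, f"0xlegit{i:02d}") for i in range(50)]
    events = [Event(base + 50 * 60 + 10, proxy, "Upgraded",
                    {"implementation": "0xNEW_IMPL_PLACEHOLDER"})]
    transfers.append(Transfer(base + 50 * 60 + 60, proxy, 50_000.0, "0xdrain"))
    return events, transfers


if __name__ == "__main__":
    decisions, alerts = run(*build_sample())
    for line in alerts:
        print(line)
    print("drain decision:", decisions["0xdrain"])
    print("routine decisions:", set(decisions[f"0xlegit{i:02d}"] for i in range(50)))
```

The fifty routine transfers are allowed and the last one is held, even though nothing about the transfer itself differs: the only signal is the `Upgraded` event fifty seconds earlier. In production the event feed would come from the chain's logs and the lookback and amount thresholds would be tuned per contract; the point is that the policy engine consults contract state, not just the flow.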
Travel Rule Mirrors Wire Transfers
The crypto travel rule tends to intimidate companies encountering it for the first time. Brændgaard argued the underlying concept is familiar to anyone who has worked with traditional financial institutions.
Every Visa transaction carries merchant and customer information. Every SWIFT message includes originator and beneficiary information. That data is, functionally, travel rule compliance. Traditional FIs don't typically call it the travel rule because the information was embedded in their payment flows before FATF formalized the requirement. The original FATF virtual asset guidelines ran roughly 120 pages; the actual data requirements for virtual asset transfers occupied a single paragraph.
For crypto-native companies, compliance gaps often reflect how their operating infrastructure was originally designed. These companies have historically identified transactions by blockchain address alone, with no way to sanction-screen a counterparty by name. The travel rule provides that capability, but implementation requires joining a messaging network between regulated entities.
That creates three practical requirements:
Network participation, not internal tooling. Travel rule compliance requires connecting to a network of counterparty institutions for exchanging originator and beneficiary data, similar to how correspondent banking relationships function for wire transfers.
Off-chain data layer. Onchain analytics provide transaction tracing, but travel rule messages carry customer information (names, account identifiers, legal entity data) that doesn't exist on the blockchain.
Payment UX improvement. Brændgaard argued that the crypto industry has developed a kind of Stockholm syndrome around wallet addresses as payment identifiers. Travel rule constructs allow institutions to build payment experiences where users send funds to identified people and businesses, closer to what traditional banking customers expect.
These requirements are becoming harder to defer. Travel Rule legislation now exists in 85 of 117 FATF-assessed jurisdictions, and enforcement is moving from policy guidance into active supervision across several major regulatory regimes. For stablecoin payment companies, implementation is increasingly becoming a condition for maintaining regulated counterparties, banking relationships, and cross-border payment access.
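The off-chain exchange the three requirements describe, as an added example that is not Notabene's protocol or any speaker's code: the originating institution attaches originator and beneficiary data to a transfer reference, and the beneficiary institution checks the message's integrity, screens the originator by name (something an address alone never allows), and confirms the named beneficiary is actually its customer before releasing funds. The message layout, the sanctions names and the customer records are all constructed; real deployments use the IVMS101 data model and a network-specific transport, neither of which is reproduced here.

```python
"""Off-chain originator/beneficiary exchange with name-based screening.

Added example for this article, not Notabene's protocol or any speaker's code.
The message layout, the sanctions list and the customer records are all
constructed here; real deployments use the IVMS101 data model and a
network-specific transport, neither of which is reproduced.
"""
import hashlib
import json
from typing import Any, Dict

# Constructed denylist; a real deployment screens against licensed sanctions data.
SANCTIONS_NAMES = {"acme shell trading ltd", "sanctioned person placeholder"}

# Constructed customer ledger of the beneficiary institution: account id -> legal name.
BENEFICIARY_CUSTOMERS = {"acct-0077": "Beatrice Example"}

REQUIRED_PARTY_FIELDS = ("name", "account_id")


def normalize_name(name: str) -> str:
    """Case-fold and collapse whitespace so screening is not defeated by formatting."""
    return " ".join(name.lower().split())


def _digest(body: Dict[str, Any]) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_message(originator: Dict[str, str], beneficiary: Dict[str, str],
                  transfer: Dict[str, Any]) -> Dict[str, Any]:
    """Originating institution: attach the customer data the chain itself never carries."""
    body = {"originator": originator, "beneficiary": beneficiary, "transfer": transfer}
    return {**body, "digest": _digest(body)}


def screen_name(name: str) -> bool:
    """True if the name hits the (constructed) sanctions list."""
    return normalize_name(name) in SANCTIONS_NAMES


def beneficiary_decision(msg: Dict[str, Any]) -> str:
    """Beneficiary institution: validate, screen by name, confirm the account is its customer."""
    body = {k: v for k, v in msg.items() if k != "digest"}
    if _digest(body) != msg.get("digest"):
        return "REJECT_INTEGRITY"
    for party in ("originator", "beneficiary"):
        for f in REQUIRED_PARTY_FIELDS:
            if not msg[party].get(f):
                return f"REJECT_MISSING_{party.upper()}_{f.upper()}"
    if screen_name(msg["originator"]["name"]):
        return "REJECT_SANCTIONS_ORIGINATOR"
    acct = msg["beneficiary"]["account_id"]
    expected = BENEFICIARY_CUSTOMERS.get(acct)
    if expected is None or normalize_name(expected) != normalize_name(msg["beneficiary"]["name"]):
        return "REJECT_BENEFICIARY_MISMATCH"
    return "ACCEPT"


def sample_transfer() -> Dict[str, Any]:
    """Constructed transfer reference; the chain sees only this, never the names above."""
    return {"asset": "USD-STABLECOIN-PLACEHOLDER", "amount": "2500.00",
            "chain": "evm-placeholder", "tx_ref": "0xTX_PLACEHOLDER"}


if __name__ == "__main__":
    clean = build_message({"name": "Otto Example", "account_id": "acct-0012"},
                          {"name": "Beatrice Example", "account_id": "acct-0077"},
                          sample_transfer())
    print("clean message:", beneficiary_decision(clean))
    hit = build_message({"name": "ACME Shell  Trading Ltd", "account_id": "acct-0099"},
                        {"name": "Beatrice Example", "account_id": "acct-0077"},
                        sample_transfer())
    print("sanctioned originator:", beneficiary_decision(hit))
```

The digest is only an integrity check on the payload; authenticating which institution sent the message is the job of the messaging network and is not shown. The structure is the point: the screening decision is made on names and account identifiers exchanged off-chain, while the transfer reference is the only part that corresponds to anything visible onchain.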
Alert Fatigue Starts with Bad Rule Calibration
As stablecoin payment flows scale, compliance teams need to review more transactions across more wallets, counterparties, chains, and jurisdictions. The challenge is not only the number of alerts, but the quality of the underlying data used to generate them. Latzer broke this problem into two parts:
The first is rule calibration. Every regulated business has a different risk profile shaped by its customers, products, geographies, and risk appetite. A stablecoin payment provider processing high-frequency cross-border payments across many jurisdictions has different risk vectors than one serving institutional OTC clients. Alert rules that don't reflect those differences generate noise, and genuine suspicious activity gets buried in the volume.
The second is contextual analysis across multiple data sources. An onchain flag that looks minor in isolation can become significant when combined with the user's onboarding behavior, transaction velocity across other rails, geography patterns, or domain registration activity.
Latzer emphasized that sophisticated fraud typologies, particularly those involving coordinated behavior across multiple transactions and multiple actors, often don't trigger individual alerts but form recognizable patterns when compliance teams can view activity across a user's full risk profile. A cluster of accounts onboarding from a specific geography, moving similar amounts within a narrow time window, using recently registered domains: separately unremarkable, together a signal worth investigating.
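The cluster pattern just described, as an added example that is not Corsa's or any speaker's code: per-account rules each see one weak signal and stay quiet, while a correlation pass over the full set groups accounts by geography, onboarding window, first-transfer size and e-mail domain age and raises a single cluster alert. The account records, the `ZZ` country code and the thresholds are constructed placeholders; in practice they would be calibrated to the institution's own risk profile, which is the first half of Latzer's point.

```python
"""Correlate individually weak signals across accounts into one cluster alert.

Added example for this article, not Corsa's or any speaker's code. Account
records (country, onboarding time, e-mail domain age, first transfer size)
are constructed; the thresholds are illustrative and would be calibrated
to a real risk profile.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Account:
    account_id: str
    country: str                 # ISO code; "ZZ"/"YY" below are placeholders
    onboarded: datetime
    email_domain: str
    domain_registered: datetime  # WHOIS-style creation date, constructed
    first_transfer_usd: float


def individual_flags(acct: Account, max_domain_age_days: int = 30,
                     large_transfer_usd: float = 25_000.0) -> List[str]:
    """Per-account rules on their own. One flag is routine noise; two escalate."""
    flags = []
    if (acct.onboarded - acct.domain_registered) <= timedelta(days=max_domain_age_days):
        flags.append("recent_domain")
    if acct.first_transfer_usd >= large_transfer_usd:
        flags.append("large_first_transfer")
    return flags


def individual_alert(acct: Account) -> bool:
    return len(individual_flags(acct)) >= 2


def find_clusters(accounts: List[Account], window: timedelta = timedelta(hours=6),
                  amount_tolerance: float = 0.10, min_size: int = 3) -> List[Dict]:
    """Same geography, onboarded within `window`, similar first transfers, fresh domains."""
    by_country: Dict[str, List[Account]] = defaultdict(list)
    for a in accounts:
        by_country[a.country].append(a)

    clusters = []
    for country, group in by_country.items():
        group.sort(key=lambda a: a.onboarded)
        i = 0
        while i < len(group):
            # Extend the window forward from the i-th onboarding.
            j = i
            while j + 1 < len(group) and group[j + 1].onboarded - group[i].onboarded <= window:
                j += 1
            window_accts = group[i:j + 1]
            if len(window_accts) >= min_size:
                amounts = sorted(a.first_transfer_usd for a in window_accts)
                median = amounts[len(amounts) // 2]
                matched = [a for a in window_accts
                           if abs(a.first_transfer_usd - median) <= amount_tolerance * median
                           and "recent_domain" in individual_flags(a)]
                if len(matched) >= min_size:
                    clusters.append({
                        "country": country,
                        "accounts": [a.account_id for a in matched],
                        "span_hours": round((matched[-1].onboarded - matched[0].onboarded)
                                            / timedelta(hours=1), 2),
                        "median_first_transfer_usd": median,
                    })
            i = j + 1
    return clusters


def build_sample() -> List[Account]:
    """Constructed records: four accounts that form a ring, plus two unrelated ones."""
    t0 = datetime(2026, 1, 10, 9, 0)
    fresh = t0 - timedelta(days=12)
    old = t0 - timedelta(days=900)
    ring = [Account(f"acct-ring-{k}", "ZZ", t0 + timedelta(minutes=40 * k),
                    f"mail{k}-placeholder.example", fresh, 8_000.0 + 150 * k) for k in range(4)]
    noise = [
        Account("acct-n1", "ZZ", t0 + timedelta(days=3), "oldmail.example", old, 8_100.0),
        Account("acct-n2", "YY", t0 + timedelta(minutes=20), "other.example", old, 60_000.0),
    ]
    return ring + noise


if __name__ == "__main__":
    accts = build_sample()
    print("individual alerts:", [a.account_id for a in accts if individual_alert(a)])
    for c in find_clusters(accts):
        print("cluster:", c)
```

Run on the sample, no account trips an individual alert (each ring account carries only the recent-domain flag), yet the correlation pass returns one cluster of four accounts onboarded within two hours with first transfers inside 10% of each other. Raising `min_size` or tightening `window` are the calibration knobs the text describes; the evidence that fed the decision (the matched accounts, the span, the median) is carried in the cluster record so a reviewer can trace it.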
AI-assisted triage can cut the manual burden of gathering and analyzing evidence for each alert, but Latzer flagged specific constraints. Regulators expect traceability in compliance decisions: any AI system needs to surface evidence, cite data sources, and keep a human in the loop at escalation points.
Companies building this internally are hitting complexity around PII handling, European data protection rules, and the security guardrails required when compliance systems process customer information at scale. Latzer noted that many compliance teams that started building AI tooling in-house have reversed course after encountering these requirements.
Respond Before the Incident
In traditional financial systems, incident response follows a detect-contain-remediate sequence. Urrutia argued that model fails for digital asset operations, where the window between exploit and irreversible fund movement can be ninety seconds.
He cited April 2026, when more than $600 million was stolen across crypto and digital asset exploits in a single month, driven largely by social engineering rather than code vulnerabilities. The Euler Finance case (roughly $200 million recovered only through direct negotiation with the attacker) shows what happens when reactive response is the only plan.
Urrutia's position: mature incident response in digital finance assumes the reactive phase will fail. The controls that matter are pre-incident:
Attack simulation. Model exploit scenarios against your smart contracts and policy engine before they happen in production.
Embedded kill switches. Design circuit breakers in smart contracts that can pause operations without requiring multi-sig approval that takes longer than the attack window.
Pre-authorized exchange and bridge relationships. Establish emergency freeze protocols and communication channels with exchanges and bridges before an incident occurs.
Brændgaard added that messaging networks between regulated entities also enable a revert functionality for fraud cases, operating like a Visa chargeback: a message requesting reversal between trusted counterparties. This covers the broader category of fraud and error cases that account for most payment disputes, bringing stablecoin payment flows closer to the dispute resolution infrastructure that traditional banking already has.
Urrutia's closing point tied the section together: the next major stablecoin failure likely won't come from a cryptographic exploit. He argued that a poorly managed admin key, a multi-sig signer who approves without reading, or a vendor integration nobody audited after day one are all much likelier reasons for a hack. Stablecoin security in 2026 is an operational governance problem, and most financial institutions are still treating it as a cryptography problem.
Explore Stablecoin Compliance Infrastructure with Utila
Among all the insights shared in this webinar, one conclusion stood out: stablecoin compliance is becoming an operating infrastructure question. Financial institutions and fintechs need to manage AML workflows, Travel Rule requirements, transaction monitoring, counterparty due diligence, and security controls across both fiat and digital asset rails.
For many operators, the challenge is no longer limited to meeting a single regulatory requirement. Stablecoin payment programs need wallet infrastructure, approval policies, compliance integrations, and transaction controls that work together across jurisdictions, counterparties, and payment flows.
Utila provides fintechs, banks, and enterprises with the infrastructure to build and manage stablecoin and digital asset operations at scale. Serving over 300 institutions and securing more than $25 billion in monthly volume, Utila gives teams the wallet infrastructure, policy controls, role-based approvals, compliance integrations, and treasury tooling needed to operate across complex digital asset environments.
If you’re building stablecoin payment products, cross-border payment flows, or digital asset operations that need institutional-grade controls, schedule a call with our team to explore what Utila can do for your team.