Stablecoins and Blockchain

Contracts, custody, settlement and stablecoin risks

In brief

A virtual asset contract works when it describes the actual flow and assigns the risks that operations can prove. These ten microblogs cover OTC architecture, ownership, keys, quotation, DvP, irreversible transfers, depeg, cross-border data, third parties, termination and insolvency.

Conceptual matrix of contractual risks for stablecoin custody and settlement.
Risks are controlled when contract, system and evidence assign the same party responsible for each event.

Regulatory cutoff: July 9, 2026. The pre-signature review must revalidate legislation, issuer terms, network rules, data regime and the status of each critical provider.

Reading route

Method of analysis

  1. Draw entities, accounts, wallets, keys, data and jurisdictions.
  2. Assign to each participant the function it actually performs.
  3. Compare the contract's promises with effective custody, settlement sequence, accounting treatment, privacy and preventive obligations.
  4. Convert the conclusion into contracts, controls, records and verifiable evidence.
  5. Renegotiate or re-document when keys, subcustody, price source, finality, jurisdiction or exit mechanism change.

Cross-cutting criterion between contract and operation

Every contractual obligation must correspond to an operational step, a responsible party and verifiable support. The microblogs only develop the singular assignment of ownership, keys, price, settlement, incident or exit that cannot be resolved with that common principle.


Stablecoin OTC contract: minimum architecture

Observed pattern. The contract must narrate the same flow that operations follows: mandate, quotation, funds, wallets, delivery and evidence.

Next, the order and quotation process, asset and network, price/spread/fees, acceptance, funding, authorized wallet and account, confirmations, settlement moment, ownership, custody, errors and returns are defined. AML obligations must not remain in a generic paragraph: they must allow requesting information, suspending and rejecting.

Risks that require assignment

Volatility and depeg, issuer, freezing, network, forks, congestion, counterparty, insolvency, fraud and cybersecurity. The contract does not eliminate these risks, but it defines who decides, who notifies and what remedy exists. A disclaimer does not replace operational controls.

Data protection, confidentiality, intellectual property, records, audit, subcontracting, taxes, law, jurisdiction and termination are also covered. The annexes must list assets/networks and changing parameters without rendering the contract inoperable.

LFPIORPI in force, LRITF and LFPDPPP.

How to put it into practice

OTC contract-flow map. This piece must prove that every contractual obligation has an associated operational step, owner and evidence.

  • define the capacity of the parties.
  • describe instructions.
  • map funds and assets.
  • incorporate whitelisting.
  • assign KYC and notices.
  • regulate settlement and incidents.

The review must proceed from defining the capacity of the parties, contrast it with mapping funds and assets and end in regulating settlement and incidents without filling gaps with assumptions. The result returns to design if describing instructions does not match incorporating whitelisting or if assigning KYC and notices lacks verifiable support.

The file must first show defining the capacity of the parties; then describing instructions; and finally assigning KYC and notices, preserving the relationship among the three steps. If a change of mandate, account, wallet, provider, commission or settlement appears, the conclusion no longer covers the active version and it is reviewed before the next operation.


Ownership and title over virtual assets: what the contract promises

Observed pattern. The contractual promise must specify when title is transferred and what right the client retains before settlement.

In a purchase and sale, the moment of transfer, asset, network and quantity are defined. In a commission, it is clarified whether the company acquires on the client's behalf, how it identifies the assets and what happens while they are in transit. In custody, the client's title is distinguished from the custodian's operational powers, and using or encumbering without authorization is prohibited.

The right against the issuer

A stablecoin token may grant redemption only to eligible users or through intermediaries. The company must not promise a right it does not have nor transfer to the client a nonexistent guarantee. The terms must indicate that the issuer, network and reserves are third-party risks, without denying its own responsibilities.

Evidence of ownership combines contract, order, ledger, addresses and reconciliation. In omnibus wallets, the subledger is critical; if it fails, the blockchain does not allocate units to each client.

LRITF in force, LFPIORPI and Circular 4/2019.

How to put it into practice

Title and rights table. This piece must prove that the contract specifies who holds title before, during and after each step.

  • identify the initial owner.
  • define mandate or commission.
  • establish the moment of transfer.
  • separate the redemption right.
  • regulate assets in transit.
  • document the effects of breach.

The review must proceed from identifying the initial owner, contrast it with establishing the moment of transfer and end in documenting the effects of breach without filling gaps with assumptions. The result returns to design if defining mandate or commission does not match separating the redemption right or if regulating assets in transit lacks verifiable support.

The file must first show identifying the initial owner; then defining mandate or commission; and finally regulating assets in transit, preserving the relationship among the three steps. If a change in prefunding, custody, delivery, reserve or redemption appears, the conclusion no longer covers the active version and it is reviewed before the next operation.


Custody, key control and subcustody

Observed pattern. Custody is analyzed by the effective capacity to execute operations, including multisignature schemes and subcustody.

The provider must describe standard of care, segregation, authorized persons, limits, recovery, continuity, incidents and subcontractors. It must also clarify whether the assets are held in separate or omnibus addresses and how the subledger works.

Data and security

Addresses and transactions may be linked to identity, so the processing of information requires purpose, minimization, controls and privacy notice. Seeds and private keys are not part of KYC and must never be requested from the client.

Subcustody does not erase contractual liability. Due diligence, location, audit, incident notification, use limits and a substitution plan are required. Any staking, lending or rehypothecation power requires express consent and separate analysis.

What to review

Attach a key-control diagram, signature matrix, wallet inventory and reconciliation. Test recovery and exit. Periodically review access and ensure that personnel departures are reflected immediately.

LFPIORPI, LFPDPPP in force and FATF VA/VASP 2025.

How to put it into practice

Key-control matrix. This piece must prove that the capacity to move assets is assigned and audited across all scenarios.

  • inventory keys and authorizations.
  • document the multisignature scheme.
  • segregate access.
  • regulate subcustody.
  • test recovery and continuity.
  • log events and reviews.

The review must proceed from inventorying keys and authorizations, contrast it with segregating access and end in logging events and reviews without filling gaps with assumptions. The result returns to design if documenting the multisignature scheme does not match regulating subcustody or if testing recovery and continuity lacks verifiable support.

The file must first show inventorying keys and authorizations; then documenting the multisignature scheme; and finally testing recovery and continuity, preserving the relationship among the three steps. If a new signature, custodian, subcustodian, recovery policy or access appears, the conclusion no longer covers the active version and it is reviewed before the next operation.


Quotation, price, spread and acceptance window

Observed pattern. The quotation needs a source, time, validity, asset, network, fees and a rule for movements outside the window.

The contract defines whether the quotation is indicative or binding and at what moment it is accepted. Also what happens if funds arrive later, in a different amount or if the network becomes congested. The company must not retroactively change the price without an agreed rule and evidence.

Transparency and accounting

An embedded spread and an explicit fee may have different tax and commercial documentation. The receipt must allow the client to reconstruct the net amount. The price source may be external or bilateral, but it must be identified and retained.

Operators must not have unlimited power to correct orders. Cancellations, requotes and tolerances require permissions and logs. In fast markets, a short window is valid if it is communicated clearly.

What to review

Generate an immutable ticket with identifier, timestamp, version and authenticated acceptance. Reconcile the ticket with bank, hash, invoice and ledger. Monitor price outliers and manual modifications.

CFF in force, VAT Law and LRITF.

How to put it into practice

Reproducible quotation ticket. This piece must prove that a third party can recalculate the quotation and explain any difference.

  • record asset, network and quantity.
  • identify source and time.
  • show the base price.
  • separate spread and fees.
  • define validity.
  • retain acceptance or expiration.

The review must proceed from recording asset, network and quantity, contrast it with showing the base price and end in retaining acceptance or expiration without filling gaps with assumptions. The result returns to design if identifying source and time does not match separating spread and fees or if defining validity lacks verifiable support.

The file must first show recording asset, network and quantity; then identifying source and time; and finally defining validity, preserving the relationship among the three steps. If a change of source, spread, fee, network, window or market appears, the conclusion no longer covers the active version and it is reviewed before the next operation.


DvP, prefunding and settlement finality

Observed pattern. Prefunding and DvP must assign timing risk and define the exact point of finality or return.

Prefunding reduces credit risk, but it creates custody and return risk. A sequential scheme requires confirmations and timing. An escrow adds a counterparty and must be analyzed. Calling the process “DvP” does not make it simultaneous: it is advisable to describe the steps exactly.

Moment of finality

It defines when a bank credit is considered available, how many confirmations are required, what happens in the event of a chain reorganization and when the obligation is fulfilled. Partial deliveries, network fees, wrong network and operational cutoffs are also handled.

Reconciliation identifies open operations and their age. If netting with counterparties is permitted, the individual obligations retain a trail and the contract covers insolvency.

What to review

Counterparty limits, intraday exposure, double release, cut-offs and failure playbook. Simulate the failure of a bank, node, custodian and liquidity provider. The client receives a clear status without promises of absolute instantaneity.

LFPIORPI, Banxico: SPEI and virtual assets and FATF VA/VASP 2025.

How to put it into practice

Settlement states matrix. This piece must prove that each state defines ownership, risk, reversal and evidence up to finality.

  • identify the prefunded asset.
  • define the execution condition.
  • establish network confirmations.
  • document delivery versus payment.
  • regulate partial failures.
  • reconcile or return balances.

The review must proceed from identifying the prefunded asset, contrast it with establishing network confirmations and end in reconciling or returning balances without filling gaps with assumptions. The result returns to design if defining the execution condition does not match documenting delivery versus payment or if regulating partial failures lacks verifiable support.

The file must first show identifying the prefunded asset; then defining the execution condition; and finally regulating partial failures, preserving the relationship among the three steps. If a change of sequence, prefunding, confirmations, netting or account appears, the conclusion no longer covers the active version and it is reviewed before the next operation.


Wrong wallet, irreversibility and incident protocol

Observed pattern. The prior verification protocol is more useful than a generic waiver when the transfer may be irreversible.

Before sending, the asset, network, whitelisted address, memo/tag where applicable, amount and approvals are validated. For a new addition or a sensitive amount, a small test transfer may be used. The interface must avoid copying truncated addresses without full verification.

When the incident occurs

Related movements are stopped, logs preserved, cause identified, teams notified and contractual, regulatory and data obligations evaluated. Recovery is not promised. If an exchange or custodian is involved, the previously verified channel is activated and sending sensitive information to improvised contacts is avoided.

The assignment of liability considers who provided the address, whether it was modified, which validations were omitted and whether the network was supported. A clause that imposes all risk on the client may not reflect an error of the operator itself.

What to review

Runbook with severities, contacts, evidence, communication and approval of any resend or return. Blameless post-mortem, corrective plan and testing. The incident data is retained with limited access.

LFPDPPP, LFPIORPI and FATF VA/VASP 2025.

How to put it into practice

Address and network protocol. This piece must prove that prior verification and incident response are tested and do not rest on a disclaimer.

  • validate format and network.
  • confirm ownership or control.
  • use a test transfer where appropriate.
  • apply dual approval.
  • stop upon inconsistency.
  • preserve evidence and report the incident.

The review must proceed from validating format and network, contrast it with using a test transfer where appropriate and end in preserving evidence and reporting the incident without filling gaps with assumptions. The result returns to design if confirming ownership or control does not match applying dual approval or if stopping upon inconsistency lacks verifiable support.

The file must first show validating format and network; then confirming ownership or control; and finally stopping upon inconsistency, preserving the relationship among the three steps. If a new address, incompatible network, missing memo or ambiguous instruction appears, the conclusion no longer covers the active version and it is reviewed before the next operation.


Depeg, freezing and redemption: assigning issuer risk

Observed pattern. The contract must separate market risk, issuer powers, redemption restrictions and an insolvency event.

The contract must avoid guaranteeing parity or redemption if the company is not obligated. It must identify that issuer, reserve, market, network and compliance-measure risks exist. If it offers its own quotation, distinguish that bilateral obligation from the token's promise.

Events and decisions

The policy defines internal suspension thresholds, price sources, liquidity deterioration, changes in reserves, issuer incidents and freezes. The actions may be pausing purchases, limiting withdrawals only when there is a contractual and legal basis, changing the haircut, or withdrawing the asset in an orderly manner.

Communication must be timely and accurate, without asserting nonexistent bank protection. Alternative assets and conversion require consent and a clear price.

What to review

Asset committee with fact sheets, monitoring, limits and exit plan. Retain the reviewed issuer terms and evidence of each decision. Test insolvency or unavailability of the provider, not only market movements.

LRITF, Circular 4/2019 and FATF VA/VASP 2025.

How to put it into practice

Issuer risk matrix. This piece must prove that market, issuer, redemption and custody have distinct consequences and responsible parties.

  • monitor price and liquidity.
  • review the issuer terms.
  • document available reserves.
  • identify freezing powers.
  • define escalation thresholds.
  • regulate exit and communications.

The review must proceed from monitoring price and liquidity, contrast it with documenting available reserves and end in regulating exit and communications without filling gaps with assumptions. The result returns to design if reviewing the issuer terms does not match identifying freezing powers or if defining escalation thresholds lacks verifiable support.

The file must first show monitoring price and liquidity; then reviewing the issuer terms; and finally defining escalation thresholds, preserving the relationship among the three steps. If a change of reserves, terms, eligibility, sanction, depeg or suspension appears, the conclusion no longer covers the active version and it is reviewed before the next operation.


Cross-border contract: law, jurisdiction and data

Observed pattern. Law and jurisdiction do not by themselves resolve data transfers, notifications or enforcement in third countries.

The document identifies the providing entities, corridor, currencies, token, custody and subcontractors. It defines notifications, electronic evidence, prevailing language, technological force majeure, sanctions, cooperation and enforcement of decisions.

Data transfers

KYC and the Travel Rule may carry information to foreign VASPs or providers. The privacy notice and the contracts must cover purpose, categories, recipients, security, retention, incidents and rights. Personal information is not placed directly on a public blockchain if it can be avoided.

The location of support and hosting is documented. If an authority requests data, there is a protocol that validates jurisdiction and scope. Confidentiality must not prevent mandatory reports.

What to review

Annex per corridor with roles, law, licenses, data, SLA and exit. Due diligence and processing agreements with providers. Review when the country, subprocessor or data exchange protocol changes.

LFPDPPP in force, LFPIORPI and FATF: revised Recommendation 16.

How to put it into practice

Jurisdiction and data annex. This piece must prove that the contract, notice and operation identify which data travels, for what purpose and under what protection.

  • map data categories.
  • identify controller and processor.
  • document purposes.
  • review transfers.
  • establish security and notification.
  • define law, forum and enforcement.

The review must proceed from mapping data categories, contrast it with documenting purposes and end in defining law, forum and enforcement without filling gaps with assumptions. The result returns to design if identifying controller and processor does not match reviewing transfers or if establishing security and notification lacks verifiable support.

The file must first show mapping data categories; then identifying controller and processor; and finally establishing security and notification, preserving the relationship among the three steps. If a new country, subprocessor, data category or transfer mechanism appears, the conclusion no longer covers the active version and it is reviewed before the next operation.


Providers and outsourcing: liability does not disappear

Observed pattern. Outsourcing requires rights of audit, security, continuity, subcontracting and exit; residual liability remains.

Due diligence reviews entity, jurisdiction, capacity, security, continuity, subcontracting, data, compliance and solvency. SLAs cover availability and also quality: false negatives, alert times, log integrity and support for investigations.

Indispensable rights

Audit or equivalent assurance, notification of incidents and changes, regulatory cooperation, data portability, use limits, confidentiality, indemnity and termination. The company needs to access the evidence even when the relationship ends.

If the provider uses subprocessors, it must inform and maintain equivalent obligations. The location and transfer of data are reflected in notices. Functions that cannot legally be delegated remain under the governance of the obligated party.

What to review

Inventory of third parties by criticality, owner, annual review, metrics and a tested exit plan. Avoid dependence on proprietary formats without export. Changes to the provider's model trigger a review of the perimeter.

LGOAAC, CNBV: legal framework for money transmitters, LFPIORPI and LFPDPPP.

How to put it into practice

Critical outsourcing fact sheet. This piece must prove that the entity retains oversight, continuity and exit even when it delegates execution.

  • complete due diligence.
  • define service levels.
  • reserve audit and access.
  • regulate security and incidents.
  • control subcontracting.
  • test continuity and reversibility.

The review must proceed from completing due diligence, contrast it with reserving audit and access and end in testing continuity and reversibility without filling gaps with assumptions. The result returns to design if defining service levels does not match regulating security and incidents or if controlling subcontracting lacks verifiable support.

The file must first show completing due diligence; then defining service levels; and finally controlling subcontracting, preserving the relationship among the three steps. If a new provider, subcontractor, service, incident or change of control appears, the conclusion no longer covers the active version and it is reviewed before the next operation.


Termination, insolvency and return of assets

Observed pattern. A tested exit plan identifies balances, keys, data, pending positions, returns and cooperation in insolvency.

The return depends on knowing what belongs to each client. In omnibus wallets or accounts, a subledger and reconciliation are required. An authorized destination, conversion if the asset cannot be transferred, fees, deadlines and treatment of residual amounts must be defined. No return should break identity controls or lists.

Continuity and evidence

The company retains contracts, orders, KYC, reports, bank records, hashes and communications for the applicable periods. Termination of the provider cannot destroy the file. Backups must be accessible and protected.

In insolvency, segregation, use prohibition, custody structure and rights against subcustodians matter. A commercial statement of “safe funds” does not replace legal and operational analysis.

What to review

Approved wind-down plan, daily inventory of assets and obligations, return tests and alternate providers. Define who can pause, communicate and release. Simulate the insolvency of the issuer, custodian and operator separately.

LFPIORPI, LRITF, LFPDPPP and FATF VA/VASP 2025.

How to put it into practice

Restitution and migration drill. This piece must prove that balances, keys, data and pending operations can be returned or migrated with evidence.

  • inventory assets and resources.
  • identify pending operations.
  • define return and destination.
  • secure access to data.
  • coordinate key revocation.
  • test migration and communication.

The review must proceed from inventorying assets and resources, contrast it with defining return and destination and end in testing migration and communication without filling gaps with assumptions. The result returns to design if identifying pending operations does not match securing access to data or if coordinating key revocation lacks verifiable support.

The file must first show inventorying assets and resources; then identifying pending operations; and finally coordinating key revocation, preserving the relationship among the three steps. If financial deterioration, breach, termination, block or loss of access appears, the conclusion no longer covers the active version and it is reviewed before the next operation.

Closing the dossier

The contractual architecture only covers the version of the flow and of the providers that was put to the test. The closing package must reconcile terms, risk matrix, access, settlement states and a documented restitution or migration drill.

Return to the Stablecoins and Blockchain hub.

Next step

SVA.LAW can review Contracts, custody, settlement and stablecoin risks within the specific model and convert the Stablecoins and Blockchain analysis into decisions, responsible parties and implementation evidence. Start a conversation.