.png)
Frameworks, core principles and top case studies for SaaS pricing, learnt and refined over 28+ years of SaaS-monetization experience.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
The cryptocurrency industry stands at a crossroads. Following the spectacular collapses of FTX, Celsius, BlockFi, and Three Arrows Capital, digital asset issuers and custodians face unprecedented scrutiny from regulators, investors, and customers alike. The losses exceeded $2 trillion in market value during 2022's crypto winter, with much of the damage stemming from inadequate vendor oversight and risk management failures.
For crypto issuers launching new tokens and custodians safeguarding billions in digital assets, vendor due diligence is no longer a checkbox exercise—it's existential. The vendors you choose—from wallet providers and blockchain infrastructure to compliance tools and security services—directly impact your operational resilience, regulatory standing, and customer trust.
Traditional financial services have spent decades refining vendor risk management frameworks. The crypto sector, however, operates in a uniquely complex environment where technology moves faster than regulation, pseudonymous transactions challenge compliance norms, and the line between vendor and counterparty often blurs. This demands a fundamentally upgraded approach to due diligence.
According to a 2023 Chainalysis report, losses from crypto hacks, scams, and fraud totaled $20.1 billion in 2023, with compromised third-party vendors representing a significant attack vector. Meanwhile, regulators worldwide are tightening requirements—the SEC's custody rule amendments and the EU's Markets in Crypto-Assets Regulation (MiCA) now mandate specific vendor oversight protocols.
The question facing crypto executives is clear: How do you build vendor due diligence processes that match the speed of innovation while meeting institutional-grade risk standards? Here are seven critical upgrades that leading issuers and custodians are implementing to reset their vendor management for the next era of digital assets.
1. Implement Continuous Real-Time Monitoring Instead of Annual Reviews
Traditional vendor due diligence operates on annual or quarterly review cycles—a cadence that's dangerously inadequate for the crypto ecosystem. Smart contract vulnerabilities can be discovered overnight, compliance requirements can shift within weeks, and a vendor's financial health can deteriorate in days.
Leading custodians like Coinbase Prime and Anchorage Digital have moved to continuous monitoring frameworks that track vendor health in real-time. This includes automated tracking of:
- On-chain metrics: Transaction volumes, wallet balances, and smart contract activity that signal operational changes
- Security incidents: CVE disclosures, bug bounty payouts, and reported vulnerabilities
- Financial indicators: Funding rounds, layoffs, and regulatory actions
- Code repository activity: Commit frequency, contributor changes, and dependency updates for open-source components
According to a report by Solidus Labs, 74% of crypto firms that experienced vendor-related incidents in 2023 relied on static annual assessments rather than continuous monitoring. The financial services sector has already embraced continuous monitoring—Gartner research shows 68% of traditional financial institutions now use real-time vendor risk platforms.
Implement automated dashboards that aggregate data feeds from blockchain explorers, security databases, news APIs, and regulatory filings. Set threshold alerts for critical changes that warrant immediate review. This shift from periodic snapshots to continuous surveillance fundamentally changes your risk posture from reactive to proactive.
2. Conduct Rigorous Smart Contract and Code Audits Beyond Surface-Level Reviews
For crypto issuers and custodians, vendor code isn't just a technical detail—it's the foundation of trust. Unlike traditional software where bugs might cause temporary disruptions, smart contract vulnerabilities can result in permanent, irreversible loss of funds.
The Ronin Network breach in 2022 resulted in $625 million in losses, partly due to inadequate scrutiny of vendor-provided bridge code. The Nomad bridge hack cost $190 million when a routine upgrade introduced a critical vulnerability that wasn't caught in vendor reviews.
Upgrade your technical due diligence to include:
Multi-layered audit requirements: Demand vendors provide third-party security audits from reputable firms like Trail of Bits, OpenZeppelin, or CertiK. But don't stop there—conduct your own independent review or hire competing audit firms for critical integrations.
Formal verification: For high-value smart contracts, require mathematical proofs of correctness using tools like Certora or Runtime Verification. While more expensive, formal verification can identify edge cases that traditional audits miss.
Historical code analysis: Review the vendor's track record. According to research from Immunefi, 37% of DeFi protocols that suffered hacks in 2023 had been previously warned about similar vulnerabilities. Examine past audit reports, bug bounty disclosures, and how quickly vendors patched known issues.
Dependency mapping: Smart contracts rarely operate in isolation. Map the entire dependency chain, including inherited contracts, oracle providers, and external protocols. A vulnerability anywhere in the chain affects you.
Upgrade and governance processes: Understand who can modify contract code, what safeguards exist, and whether upgrades require multi-signature approvals or time-locks that allow user exit.
Fidelity Digital Assets, managing billions in crypto custody, reportedly employs a 90-day technical review process for critical vendors that includes multiple independent audits and internal penetration testing. While time-intensive, this thoroughness has helped them maintain a zero-loss track record.
3. Validate True Operational Independence and Avoid Systemic Concentration Risk
The crypto ecosystem suffers from dangerous concentration risk that often remains hidden during vendor due diligence. Multiple seemingly independent vendors may rely on the same underlying infrastructure, creating single points of failure.
The 2023 AWS outage demonstrated this risk when numerous "independent" crypto services went down simultaneously because they all used the same cloud provider. According to Coin Metrics, approximately 60% of Ethereum nodes run on centralized cloud services, with Amazon Web Services hosting roughly 50% of those.
Upgrade your concentration risk analysis by:
Infrastructure dependency mapping: Don't just ask where the vendor's servers are located—map the entire stack. Which cloud providers do they use? Which RPC node providers? Which oracle services? If your primary custodian and your backup custodian both rely on the same Infura API endpoint, you haven't achieved true redundancy.
Key person risk assessment: In crypto startups, a single developer often maintains critical infrastructure. The departure of that individual can cripple vendor reliability. Assess team depth, documentation quality, and knowledge transfer protocols.
Shared vendor analysis: Survey your vendor ecosystem to identify clustering. If five critical vendors all use the same compliance solution or the same stablecoin for settlements, you've created correlated risk.
Geographic and regulatory diversification: Following increased regulatory pressure, many vendors rushed to establish entities in the same "crypto-friendly" jurisdictions. But regulatory winds shift quickly. The coordinated regulatory crackdowns in the Bahamas following FTX's collapse affected numerous supposedly independent service providers simultaneously.
Kraken's approach to this challenge includes maintaining relationships with multiple infrastructure providers across different geographic regions and requiring proof of architectural independence before designating any vendor as part of a redundancy strategy.
4. Scrutinize Financial Stability and Business Model Sustainability
The 2022 collapses revealed a harsh truth: many crypto vendors operated on unsustainable business models propped up by bull market conditions and venture capital funding. When liquidity dried up, they failed—often taking client funds with them.
BlockFi's bankruptcy showed how even regulated, well-known vendors can hide financial instability behind consumer-facing brands. According to court filings, BlockFi had exposure to FTX and Alameda Research worth approximately $1 billion—exposure that wasn't evident from standard due diligence.
Enhance your financial due diligence with:
Audited financial statements: Require independently audited financials, not just management-prepared statements. According to a 2023 survey by the Blockchain Association, only 31% of crypto service providers undergo annual third-party financial audits—a shockingly low percentage for companies handling customer assets.
Revenue model analysis: Understand precisely how the vendor makes money. Are they profitable, or dependent on continued fundraising? If their revenue model relies on market volatility or trading volumes, what's their runway during market downturns?
Proof of reserves and solvency: For custodians and any vendor holding assets, demand proof-of-reserves attestations using Merkle tree proofs or similar cryptographic verification. Following FTX, several exchanges including Kraken and Coinbase now publish monthly attestations.
Capital adequacy: Does the vendor maintain sufficient capital reserves to cover operational risks? Are customer assets segregated from company assets? Following MiCA's implementation, EU-based crypto service providers must now maintain minimum capital requirements—apply similar standards to all critical vendors regardless of jurisdiction.
Insurance coverage: Verify the vendor maintains adequate cyber insurance and crime insurance policies. But dig deeper—many policies exclude crypto-specific risks or contain coverage gaps. Review actual policy terms, not just coverage amounts.
Silvergate Bank's collapse in March 2023 demonstrated how interconnected financial stability is in crypto. When it failed, it impacted dozens of crypto vendors who relied on its real-time payment network, creating cascading disruptions.
5. Demand Comprehensive Regulatory Compliance Evidence and Future-Proof Alignment
The regulatory landscape for digital assets is shifting from "light touch" to comprehensive oversight at breakneck speed. Vendors that were compliant in 2022 may be operating in gray areas by 2024, and those in gray areas may be explicitly prohibited by 2025.
The SEC's enforcement actions against Kraken's staking services, Coinbase's asset listings, and numerous others sent shockwaves through vendor ecosystems. Every vendor you work with carries regulatory risk that can transfer to your organization.
Upgrade compliance due diligence by requiring:
Multi-jurisdictional licensing: Don't just verify licensing in your primary jurisdiction. If you operate globally or may expand, ensure vendors hold appropriate licenses in all relevant markets. The New York BitLicense, EU's MiCA registration, Singapore's Payment Services Act licensing, and Japan's VASP registration each have different requirements.
Securities law analysis: For any vendor dealing with token issuance, staking, yield-bearing products, or DeFi integration, conduct thorough Howey test analysis. According to law firm Cooley, 67% of DeFi protocols face potential securities law issues under current SEC interpretation.
AML/CFT programs: Request detailed documentation of the vendor's anti-money laundering and counter-terrorist financing programs. This should include transaction monitoring capabilities, sanctions screening processes, and travel rule compliance for jurisdictions where it applies.
Data privacy compliance: Verify GDPR compliance for European data, CCPA for California, and other relevant privacy frameworks. The immutable nature of blockchain data creates unique privacy challenges that many vendors inadequately address.
Regulatory change preparedness: Ask vendors how they're preparing for known upcoming regulations. Have they allocated budget for MiCA compliance? Are they redesigning products to align with the SEC's recent enforcement priorities? Vendors without clear regulatory roadmaps are ticking time bombs.
Circle's USDC stablecoin provides a model here. Circle maintains money transmitter licenses in 46 U.S. states, operates under EU e-money regulations, and holds reserves in regulated financial institutions with monthly attestations from Grant Thornton. While not every vendor needs this level of licensing, the transparency and proactive compliance should be standard.
6. Test Incident Response and Business Continuity Plans Through Realistic Scenarios
When things go wrong in crypto, they go wrong fast. The ability to respond to incidents—security breaches, regulatory actions, key personnel departures, or technical failures—often determines whether an issue is a minor disruption or a catastrophic loss.
Yet according to a 2023 report by CipherTrace, only 41% of crypto service providers have documented, tested business continuity plans. Even fewer have practiced coordinated incident response with their vendors.
Enhance operational resilience verification by:
Documented incident response plans: Review the vendor's incident response playbook. Who gets notified? What are the escalation procedures? How do they communicate with customers and partners during incidents? If they can't produce this documentation, that's a red flag.
Tabletop exercises: Conduct joint scenario planning sessions with critical vendors. Walk through realistic incidents: What if their hot wallet is compromised? What if a key employee is unavailable? What if your jurisdiction suddenly bans their service? These exercises reveal gaps that questionnaires miss.
Historical performance: How has the vendor handled past incidents? When Binance suffered a $570 million bridge hack in 2022, their response—immediate communication, forensic analysis, and using company funds to make users whole—demonstrated operational maturity. Compare that to vendors who went silent during crises or made unsubstantiated promises.
Recovery time objectives: For critical services, establish and verify specific RTOs. If your custody vendor's infrastructure fails, how quickly can they restore service? Don't accept vague promises—require evidence from past incidents or testing.
Data backup and recovery: Verify redundant backups exist across geographically distributed locations. For blockchain data, confirm they maintain archive nodes and can rebuild from genesis if needed.
Communication protocols: Establish clear communication channels for normal operations and emergencies. During the FTX collapse, many institutional clients couldn't reach their account managers for days—a failure that exacerbated uncertainty and panic.
Gemini's approach includes quarterly business continuity testing with key vendors and annual comprehensive disaster recovery simulations that involve simultaneously testing multiple failure scenarios.
7. Establish Clear Contractual Rights for Audit, Oversight, and Exit
Even perfect initial due diligence becomes worthless without ongoing rights to verify compliance, monitor performance, and exit cleanly if needed. Yet many crypto issuers and custodians operate under vendor agreements that provide minimal visibility or flexibility.
The BlockFi bankruptcy revealed that many institutional clients had poorly negotiated custody agreements that subordinated their claims or limited their ability to quickly withdraw assets. Meanwhile, the Celsius collapse showed how yield product terms effectively trapped customer assets.
Strengthen your contractual framework by requiring:
Audit rights: Build in contractual rights to conduct audits of vendor security controls, financial records, and operational procedures. For critical vendors, specify minimum audit frequency and scope. Don't accept "we've been audited by someone" as sufficient—you need the right to verify independently.
Subcontractor disclosure: Require vendors to disclose all subcontractors and obtain your approval before engaging new ones. The FTX collapse revealed complex webs of related entities and undisclosed relationships that surprised even sophisticated institutional clients.
Asset segregation and control: For custodians or any vendor holding assets, demand clear segregation of customer assets from company assets with cryptographic proof. Require multi-signature wallet configurations where you control at least one key for high-value holdings.
Data portability: Ensure you can export all your data in usable formats on demand. For blockchain infrastructure vendors, verify you can migrate to alternative providers without significant downtime or data loss.
Termination rights: Include specific termination triggers beyond typical "for cause" provisions. These should include regulatory actions against the vendor, failure to maintain required insurance or licenses, breach of security standards, or change of control.
Performance guarantees: For critical services, establish SLAs with teeth—financial penalties for downtime, delayed transactions, or failed security requirements. Many crypto vendors resist SLAs, viewing them as applicable only to "traditional" businesses. Push back.
Incident notification requirements: Specify exact timeframes for vendor notification of security incidents, regulatory actions, financial difficulties, or key personnel changes. The FTX situation might have unfolded differently if institutional clients had received timely notification of Alameda's financial stress.
According to legal experts at Latham & Watkins, many crypto vendor agreements they've reviewed lack basic protective provisions standard in traditional financial services contracts. They recommend using institutional-grade master services agreements adapted for crypto-specific risks rather than accepting vendor form agreements.
Moving Forward: Building a Culture of Continuous Due Diligence
The seven upgrades outlined here share a common theme: shifting from due diligence as a one-time approval process to continuous vendor risk management as an ongoing organizational capability.
This requires investment—in technology platforms that automate monitoring, in personnel with specialized crypto risk expertise, and in processes that balance thorough oversight with the speed crypto markets demand. According to Deloitte's 2024 financial services outlook, institutions are increasing vendor risk management budgets by an average of 34% to address crypto-specific challenges.
But the alternative—continuing with minimal due diligence practices that contributed to 2022's disasters—is no longer viable. Regulators are requiring institutional-grade vendor management as a condition for licensing. Institutional investors are demanding it as a condition for capital allocation. And customers are choosing platforms based on security and stability rather than yield promises alone.
The crypto industry stands at a reset moment. Issuers and custodians that upgrade their vendor due diligence now will be positioned as the trusted, resilient infrastructure for the next wave of digital asset adoption. Those that don't risk becoming case studies in the next crisis.
Start by assessing your current vendor portfolio against these seven dimensions. Identify your highest-risk relationships and begin the upgrade process there. Build a cross-functional vendor risk committee that includes legal, compliance, technology, and business representatives. And remember: in crypto, trust is everything, and trust requires verification—continuous, thorough, uncompromising verification.
The future of digital assets depends on getting vendor risk management right. The time to act is now.