By AUJay
Can You Draft an RFP Checklist for Selecting a Multi-Chain Stablecoin Wallet Provider?
In this post we’ve put together a practical checklist for decision-makers evaluating multi-chain stablecoin wallet providers. It covers chain coverage and cross-chain USDC with CCTP v2, account abstraction and passkeys, sanctions and Travel Rule controls, policy engines, service level agreements (SLAs), and pricing. You’ll also find a scoring rubric, sample RFP questions you can reuse, and implementation tips aligned with what’s coming in 2026.
Why this matters in 2026
Stablecoin operations now span multiple blockchains. USDC moves natively between chains through Circle's CCTP v2, which settles in seconds, and Circle has published a timeline to phase out CCTP v1 starting on July 31, 2026. A wallet provider that hasn't upgraded to v2 yet is already behind.
Ethereum shipped its Pectra upgrade on May 7, 2025, including EIP-7702, which lets externally owned accounts (EOAs) temporarily act as smart accounts. That changes the picture for paymasters: paying gas in stablecoins becomes practical for a much larger user base. Circle has introduced its own Paymaster, which lets users pay gas in USDC on the major EVM chains and is being prepared to work with EOAs after Pectra.
In the EU, the Transfer of Funds Regulation (TFR) “Travel Rule” has applied since December 30, 2024.
The European Banking Authority (EBA) has issued guidelines on the information that must accompany crypto transfers, including transfers involving self-hosted wallets.
When you draft your RFP, cover all of this: test cross-chain USDC functionality, evaluate the smart-account user experience, and build compliance in from the start rather than retrofitting it later. Circle's documentation has the details on the CCTP and Paymaster points (circle.com).
A note on the market: a large share of USDT liquidity sits on Tron; by 2025 more than half of the total supply is there. USDC, by contrast, relies on CCTP for its cross-chain features. Your provider needs to handle the liquidity you actually use, such as TRC-20 USDT, while still enforcing the controls you need: sanctions screening, the Travel Rule, and reporting. (cointelegraph.com).
What “multi‑chain stablecoin wallet” means now
Native USDC bridging now uses CCTP v2's burn-and-mint model, which replaces lock-and-mint and is simpler to reason about. Track the v1 deprecation milestones and ask for solid evidence of v2 integration on the chains that matter to you. (circle.com).
Smart-account features are arriving through ERC-4337 and EIP-7702: stablecoins can pay for gas via paymasters, transactions can be batched, and accounts gain programmable controls. (ercs.ethereum.org).
Authentication is shifting to passkeys, which resist phishing and fit current security standards. NIST SP 800-63-4 recognizes syncable authenticators at AAL2, which is a good sign for this approach. (csrc.nist.gov).
Built-in AML controls also matter, for example how Travel Rule data is handled in the EU. This covers on-chain and off-chain sanctions screening through to risk-scoring integration. (eba.europa.eu).
The 7Block Labs RFP checklist
Drop these sections and sample questions straight into your RFP. Weighting guidance and a scoring rubric follow at the end.
1) Supported chains, stablecoins, and cross‑chain USDC orchestration
Ask vendors to demonstrate complete end-to-end coverage, not just “wallet connect” features.
Supported chains and their native stablecoin contracts (USDC, USDT, EURC), for example:
- Ethereum: USDC and USDT.
- Binance Smart Chain (BSC): BUSD and USDT.
- Polygon: USDC.
- Avalanche: USDC and USDT.
- Fantom: USDT.
- Tron: USDT.
- Solana: USDC and USDT.
- Cardano: EURC.
Keep a current list of contract addresses and chain IDs in a version-controlled repository so it stays organized and easy to verify.
- USDC through CCTP v2: Confirm the v2 contracts are set up on your target chains and ask the vendor for its v1-to-v2 migration plan, including the cutover timeline and fallback plans before v1 is fully phased out on July 31, 2026 (circle.com). Request measured settlement times (p50 and p95) and an explanation of how failures while fetching attestations are handled. Ask for logs that clearly separate on-chain reverts from attestations that are simply unavailable; that distinction matters when you diagnose a stuck transfer (btcc.com).
- Explicit bridge policy: The policy should be “native first,” using CCTP for USDC. If lock-and-mint bridges are ever needed, require written exceptions and documented risk controls for any non-burn-and-mint path (circle.com).
- Tron USDT: Establish how TRC-20 USDT will be managed, what fee estimates look like, and whether there are limits on RPC throughput. Given how much USDT sits on Tron, you need to know what you're dealing with (cointelegraph.com).
- Chainlink CCIP readiness: If you plan to support non-USDC assets across chains, check CCIP support. It has been available since 2024 and is expected to reach more than 50 chains by 2025. Also ask for experience with the Cross-Chain Token (CCT) standard (prnewswire.com).
Sample RFP Questions:
Describe the status of your CCTP v2 integration on Ethereum, Base, Arbitrum, Polygon PoS, Solana, and any other chains you support. Share test results for the v2 “Fast Transfer” feature if you can, and describe your rollback plan for attestation-service outages (btcc.com).
List the bridges you use for stablecoins by default, along with any exceptions, and explain how you monitor them and what circuit breakers are in place.
2) Key management architecture and cryptography
Wallet Security Starts with Keys: Get the Details Right
Everything about wallet safety starts with key management, so dig into the details.
- MPC vs. HSM: Examine the MPC protocol for both ECDSA and EdDSA, the thresholds offered (for example 2-of-3 or 3-of-5), and the signing environment: plain MPC or MPC combined with a TEE. Review shard storage and the disaster recovery approach. Check that the algorithms match the chains: ECDSA for Bitcoin and Ethereum, EdDSA for networks like Solana (ncw-developers.fireblocks.com).
- Open‑source posture: Check whether the MPC implementation is public and whether it has been audited. Fireblocks, for example, has open-sourced its MPC-CMP library; review the license and what it covers before relying on it (fireblocks.com).
- Enterprise governance: Require solid approval policies, programmable spending limits, and human oversight for higher-risk activity. Providers such as Fordefi make their policy engines and enhanced transaction controls central to their offering and hold SOC 2 Type II certification; other providers should match that bar (fordefi.com).
- Attestations: Ask for SOC 2 Type II and ISO/IEC 27001:2022 certificates from a reputable auditor and pin down the scope boundaries, including hosting, key ceremonies, and custodial operations (aicpa-cima.com).
Sample RFP Questions:
Describe your MPC protocol and share your audit reports and a recovery runbook for lost shards, covering both ECDSA and EdDSA wallets (ncw-developers.fireblocks.com).
Provide your most recent SOC 2 Type II and ISO/IEC 27001:2022 certificates together with the control scope and a list of the sub-processors involved (aicpa-cima.com).
3) Smart accounts, paymasters, and stablecoin‑as‑gas
Modern UX Requires Account Abstraction
A good user experience comes down to keeping things simple, and account abstraction is the idea gaining the most traction here: it lets users interact with apps without juggling a separate account and credentials for every service, much as single sign-on (SSO) lets one account open many apps and a crypto wallet lets a user move between dApps without setting up an account for each. The payoff is simplicity (fewer credentials to manage), better security (fewer credentials to steal, and room for stronger authenticators such as biometrics or wallet keys), and higher engagement (users who don't have to sign up or log in repeatedly stick around). Any platform that wants to keep its users happy should plan for it. The points below are what to check in a wallet provider.
- ERC‑4337 support: Check the EntryPoint versions supported (v0.7 and whichever others the vendor offers), the bundler SLA, mempool compatibility, and the tooling available for simulation and sandboxing.
- Paymaster options: Support for token-based gas (such as USDC) and sponsorship options is essential. Compare third-party options like Pimlico and Biconomy with native solutions like Circle Paymaster; each brings something different. Review the rate limiters, the oracles, and how fees are laid out.
- EIP‑7702 readiness: Check how the flow from an EOA to a temporary smart account works and how paymasters link up with EOAs after Pectra (Coindesk).
- Pricing transparency: Circle Paymaster normally adds a 10% gas fee for end users, waived until June 30, 2025. Make sure any vendor is upfront about its fees and about who actually pays them, so there are no surprises later.
Sample RFP Questions:
Report your ERC‑4337 UserOperation success rates and typical time-to-inclusion when using your bundler on the target L2s.
List the paymaster modes you support (ERC-20, sponsored, and so on), the chains covered, any oracle dependencies, and your fee schedule. Include your Circle Paymaster integration if you have one (circle.com).
4) Authentication, recovery, and user access
Treat Wallet Auth Like a Regulated Login, Not a Hobby
Treat wallet authentication the way you would any other secure login process. A few reasons to rethink a casual approach:
1. Security risks: Wallet authentication has its own vulnerabilities, like any login method. Ignoring them leads to hijacked accounts and lost assets.
2. User trust: Users want to know their private information is safe; a careless approach to wallet authentication erodes trust and drives them away.
3. Regulatory compliance: Depending on your jurisdiction and industry, rules may govern how you handle authentication. Treating wallet authentication as a side project exposes the business to non-compliance.
4. Consistent UX: A structured approach keeps the user experience steady and predictable, which users value.
5. Scalability: As the user base grows, a solid authentication setup has to absorb traffic spikes while staying secure.
In short, take wallet authentication seriously; your users and your business will benefit.
- Passkeys by default: Prefer WebAuthn/FIDO2 passkeys, both device-bound ones and ones that sync across platforms. This aligns with FIDO Alliance guidance and NIST SP 800-63-4, which treats passkeys as phishing-resistant and recognizes them at AAL2 (fidoalliance.org).
- Passkey management: Strong passkey management and user guidance matter, along the lines of the Coinbase Smart Wallet best practices. Cloud keychains simplify management, but treat mass deletions carefully because it is easy to wipe everything; YubiKey-style hardware authenticators add another layer.
- MFA and server-side authorization: MFA means more than one factor is needed to act, a second lock on the door rather than a single key; server-side authorization means permissions are checked on the server before an action is allowed. For embedded wallets, require MFA for signing and transfers (TOTP, SMS, or passkeys) and server-authorized actions backed by clear ownership keys. Privy's patterns are a useful reference.
- Recovery: Ask about break-glass procedures that keep custody intact: guardian recovery for smart accounts, re-issuance of MPC shards, and clear revocation processes.
Sample RFP questions
Describe your passkey enrollment, backup and sync, and portability flows, and how you protect against social engineering attacks that could trigger unexpected key rotations (fidoalliance.org).
For embedded wallets, describe how you implement multi-factor authentication (MFA) for signing and transfers, and provide evidence that passkeys can serve as an MFA factor (docs.privy.io).
5) AML, sanctions, and Travel Rule compliance
Compliance needs to be built into the foundation from the start, not bolted on later.
- EU Travel Rule (TFR) and EBA Guidelines: The EU Travel Rule (TFR) requires specified information about the parties to a transfer to travel with the funds, and the EBA's guidelines tell institutions how to meet it. Since December 30, 2024, crypto transfers must follow the EBA's “information requirements.” Self-hosted wallets must be handled too: capture the details for both the sender and the recipient, and follow up on any missing information.
- Sanctions screening: For multi-chain addresses, implement on-chain gating with the Chainalysis oracle alongside off-chain APIs. Cover the OFAC, EU, and UN sanctions lists, plus providers such as Elliptic or TRM. Set rate limits for on-demand screening, track uptime SLAs, and keep solid audit trails.
- Policy engine integration: Risk-based controls should be able to stop high-risk transactions, manage allowlists and denylists, and trigger extra approvals when needed.
Sample RFP Questions:
Explain how your wallet complies with the EU Travel Rule: how you collect the required data and what happens when a transfer is rejected for missing information. Include your data schemas and retention schedules.
Show how you handle sanctions screening at address entry and again right before signing.
Describe your use of Chainalysis, Elliptic, or TRM, and any on-chain oracles you rely on (go.chainalysis.com).
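To make the controls in this section concrete, here is an added example (not code from the original post or from any vendor) of a pre-signing policy check that combines the two sanctions checkpoints, a Travel Rule completeness check, and a risk-based approval threshold. The denylist, allowlist, the 10,000 USDC limit, and the required field names are constructed assumptions for the demo; the authoritative field list is the EBA's.

```python
"""Pre-signing policy check for a stablecoin transfer: sanctions screening at two
checkpoints, Travel Rule data completeness, and a risk-based approval threshold."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional

# Constructed placeholder lists for the demo. A real deployment pulls these from
# the sanctions provider (OFAC/EU/UN via Chainalysis, Elliptic or TRM) and from
# the organisation's own allowlist, and refreshes them continuously.
SANCTIONS_DENYLIST = {"0xdead000000000000000000000000000000000001"}
CORPORATE_ALLOWLIST = {"0xa11ce00000000000000000000000000000000002"}
AUTO_APPROVE_LIMIT = Decimal("10000")  # assumed limit; above it a second approver is needed

# Fields the demo treats as mandatory (assumption); the authoritative list is the
# EBA's information requirements under the TFR, which the vendor must document.
REQUIRED_ORIGINATOR_FIELDS = ("name", "account", "address_or_id")
REQUIRED_BENEFICIARY_FIELDS = ("name", "account")


@dataclass
class Transfer:
    token: str
    chain: str
    amount: Decimal
    sender: str
    recipient: str
    recipient_self_hosted: bool
    originator: Dict[str, str] = field(default_factory=dict)
    beneficiary: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    outcome: str                      # "allow", "require_approval", "hold" or "block"
    reasons: List[str] = field(default_factory=list)


def screen_address(address: str) -> Optional[str]:
    """Sanctions checkpoint. Called when an address is entered and again right
    before signing, because list updates can land between the two moments."""
    return "sanctions_hit" if address.lower() in SANCTIONS_DENYLIST else None


def travel_rule_gaps(t: Transfer) -> List[str]:
    """Names the originator/beneficiary fields that are missing or blank."""
    gaps = [f"originator.{k}" for k in REQUIRED_ORIGINATOR_FIELDS if not t.originator.get(k)]
    gaps += [f"beneficiary.{k}" for k in REQUIRED_BENEFICIARY_FIELDS if not t.beneficiary.get(k)]
    return gaps


def evaluate_before_signing(t: Transfer) -> Decision:
    """Policy engine decision, evaluated in order of severity."""
    # 1. Sanctions: a hit on either side blocks outright and is logged as such.
    for role, address in (("sender", t.sender), ("recipient", t.recipient)):
        hit = screen_address(address)
        if hit:
            return Decision("block", [f"{role}:{hit}"])
    # 2. Travel Rule: incomplete party data puts the transfer on hold for follow-up
    #    rather than letting it through with the required fields missing.
    gaps = travel_rule_gaps(t)
    if gaps:
        return Decision("hold", ["travel_rule_missing:" + ",".join(gaps)])
    # 3. Risk-based approval: large amounts to destinations outside the allowlist
    #    need a human approver; self-hosted recipients are flagged either way.
    reasons: List[str] = []
    if t.recipient_self_hosted:
        reasons.append("self_hosted_recipient")
    if t.amount > AUTO_APPROVE_LIMIT and t.recipient.lower() not in CORPORATE_ALLOWLIST:
        reasons.append(f"amount_over_limit:{t.amount}")
        return Decision("require_approval", reasons)
    return Decision("allow", reasons)


def demo_transfer(amount: str, recipient: str, self_hosted: bool = False,
                  complete_data: bool = True) -> Transfer:
    """Builds a constructed sample USDC transfer on Base for trying the engine out."""
    originator = {"name": "Acme Treasury Ltd",
                  "account": "0xacme0000000000000000000000000000000000ab",
                  "address_or_id": "LEI-PLACEHOLDER"}
    beneficiary = {"name": "Example Supplier GmbH" if complete_data else "",
                   "account": recipient}
    return Transfer("USDC", "base", Decimal(amount), originator["account"], recipient,
                    self_hosted, originator, beneficiary)
```

Every decision carries machine-readable reasons so the audit trail the section asks for can be written straight from the `Decision` object.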
6) Operational resilience, audits, and controls
If you can't count on the systems staying up, or change management is a struggle, you aren't ready to release.
- SLAs and SLOs: Check for published SLAs covering API uptime, signing services, bundlers, paymasters, and cross-chain relays. Ask for incident response details and the status page history.
- Certifications: SOC 2 Type II and ISO/IEC 27001:2022 from reputable auditors are the baseline. Obtain control mappings that cover key ceremonies, CI/CD, vulnerability management, and secrets handling (aicpa-cima.com).
- Third‑party risk: Build a list of sub-processors (RPCs, oracles, relayers). If regulated data is involved, require data residency options.
- Disaster recovery: Request proof of tested disaster recovery plans with RPO and RTO figures, records of periodic key-recovery drills, and options for customer-managed shard storage.
Sample RFP Questions:
Provide your most recent SOC 2 Type II and ISO/IEC 27001:2022 certifications, with annexes and scope statements, and map the controls to your wallet operations.
Share uptime metrics for wallet APIs, bundlers, and paymasters for the past year, plus root-cause analyses for any Sev-1 incidents.
7) Developer experience and observability
Developer velocity and incident avoidance are closely linked.
- SDKs and docs: Look for multi-language SDKs, typed clients, and quickstarts for ERC-4337, CCTP v2, paymasters, and sanctions integrations, plus a public changelog and version-pinning guidance (developers.circle.com).
- Observability: Require webhooks and logs for sign attempts, policy hits, Travel Rule payloads, CCTP states (burn, attest, mint), and the UserOperation lifecycle, exportable to your SIEM.
- Sandboxes: Require testnets and “dry-run” simulators for paymasters and cross-chain transactions, with mock sanctions and Travel Rule endpoints, so you can exercise everything before going live.
Sample RFP Questions:
Provide a reference app that walks through the full flow step by step: mint USDC into the app's wallet, perform a CCTP transfer to another wallet, make an ERC-4337 call that uses a USDC paymaster to cover gas, run a sanctions check, and emit a Travel Rule payload. Each step should show how the transaction stays secure and compliant.
8) Pricing and total cost of ownership
- Gas UX fees: Be explicit about paymaster fees. Circle Paymaster, for instance, adds a 10% gas uplift for users, waived for developers until June 30, 2025 (circle.com).
- Platform fees: Get clarity on pricing for seats, policies, per-operation signing, bundled operations, and cross-chain relays. Caps or enterprise tiers make budgeting simpler.
- Compliance cost: Include Travel Rule messaging, the sanctions API, and audit-log storage in the total cost of ownership (TCO); they add up.
A scoring rubric you can adopt
Weight categories to align with your risk profile
Allocate 100 points across the categories below. The weights shown are a starting point: shift points toward the categories that matter most for your risk profile, but keep the total at 100.
- Chain, stablecoin, cross-chain USDC (CCTP v2): 20
- Security and keys (MPC/HSM, audits): 20
- Smart accounts and gas experience (ERC‑4337, EIP‑7702, paymasters): 15
- Authentication and recovery (passkeys, MFA): 10
- AML/Travel Rule/sanctions: 15
- Resilience/SLAs/certs: 10
- DevEx/observability: 5
- Pricing/TCO: 5
Pass/fail gates: a vendor without SOC 2 Type II and ISO/IEC 27001:2022 certifications is a no-go, and missing CCTP v2 on your target chains is a hard pass as well.
Three practical vendor‑test scenarios
1) Cross‑chain USDC Treasury Move
- Task: Burn 1,000 USDC on Base, then mint the same amount on Ethereum using CCTP v2. Produce an artifact capturing the transaction hashes, every change in the Circle attestation status, and the timestamps.
- Success Criteria: p95 end-to-end time under 90 seconds when the network is running smoothly. If the attestation doesn't go through, the flow must hit the emergency stop and must never mint wrapped USDC. (circle.com).
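To turn those success criteria into something repeatable, here is an added example (not code from the original post or from Circle) that scores a constructed artifact of trial runs: it computes the p95 end-to-end time, flags any mint that happened without a completed attestation, and flags any wrapped-asset mint. The artifact field names and the attestation status strings are assumptions.

```python
# Added example (not from the original post or Circle); field names and
# attestation status strings are assumptions for illustration.
from __future__ import annotations
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

P95_LIMIT_S = 90.0  # success criterion from the scenario

@dataclass
class TrialRun:
    burn_tx: str               # depositForBurn hash on Base (constructed)
    burn_at: datetime
    attestation: str           # final status from Circle's attestation service
    mint_tx: str | None        # mint hash on Ethereum, None if halted
    mint_at: datetime | None
    minted_asset: str | None   # must be native "USDC", never a wrapped token

def p95(values):
    """Nearest-rank 95th percentile of a non-empty list of seconds."""
    ordered = sorted(values)
    return ordered[math.ceil(0.95 * len(ordered)) - 1]

def evaluate(runs):
    """Return p95 latency, the list of violations and a pass/fail verdict."""
    violations, latencies = [], []
    for r in runs:
        if r.attestation != "complete":
            # Emergency stop: a failed or pending attestation must never mint.
            if r.mint_tx is not None:
                violations.append(f"{r.burn_tx}: minted without attestation")
            continue
        if r.minted_asset != "USDC":
            violations.append(f"{r.burn_tx}: minted {r.minted_asset}, not native USDC")
        if r.mint_tx is None or r.mint_at is None:
            violations.append(f"{r.burn_tx}: attested but never minted")
            continue
        latencies.append((r.mint_at - r.burn_at).total_seconds())
    lat_p95 = p95(latencies) if latencies else None
    if lat_p95 is None or lat_p95 > P95_LIMIT_S:
        violations.append(f"p95 {lat_p95}s exceeds the {P95_LIMIT_S}s target")
    return {"p95_s": lat_p95, "violations": violations, "passed": not violations}

T0 = datetime(2026, 1, 15, 9, 0, 0)
# Constructed artifact: nine completed moves plus one halted on a pending attestation.
SAMPLE_RUNS = [
    TrialRun(f"0xburn{i:02d}", T0, "complete", f"0xmint{i:02d}",
             T0 + timedelta(seconds=s), "USDC")
    for i, s in enumerate([12, 15, 18, 20, 22, 25, 30, 40, 60])
] + [TrialRun("0xburn09", T0, "pending_confirmations", None, None, None)]
```

Calling `evaluate(SAMPLE_RUNS)` on the constructed artifact passes with a p95 of 60 seconds; feed it the vendor's real artifact to get the same verdict for their sandbox run.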
2) Gasless Onboarding with Stablecoin-Paid Gas
- Task: A new user with no native gas completes two steps on Optimism using ERC-4337 and a USDC paymaster.
- Success Criteria: Show evidence for both the EIP-7702 route (EOAs) and the smart-account option. Any extra fee per transaction, such as the 10% Circle fee, must be disclosed upfront, and the USDC permit must be used correctly. (circle.com).
3) Regulated transfer to a self-hosted wallet (EU)
- Task: Initiate a transfer of €900 in stablecoins from your CASP wallet to a self-hosted address. Collect and store every field required under the Travel Rule, walk through the sanctions pre-check, and document the steps for handling missing data. For the details, see the EBA guidelines. (eba.europa.eu).
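As an added example (not from the original post or from the EBA), the following pre-transfer check walks the scenario's steps in order: sanctions pre-check on the destination address, Travel Rule field completeness, and a hold with an audit record when data is missing. The required-field set, the screening list and the transfer details are constructed assumptions; take the authoritative field list from the EBA guidelines.

```python
# Added example (not from the original post or the EBA): pre-transfer check for
# the CASP-to-self-hosted scenario. The required-field set is an assumption for
# illustration; take the authoritative list from the EBA Travel Rule guidelines.
from dataclasses import dataclass
ORIGINATOR_REQUIRED = ("name", "dlt_address", "account_number")
ORIGINATOR_ONE_OF = ("postal_address", "document_number", "customer_id", "birth_date_place")
BENEFICIARY_REQUIRED = ("name", "dlt_address")
# Constructed screening list for the demo, not a real sanctions listing.
CONSTRUCTED_SANCTIONS = {"0x" + "0" * 37 + "bad"}

@dataclass
class Transfer:
    amount_eur: float
    asset: str
    originator: dict
    beneficiary: dict
    beneficiary_self_hosted: bool

def missing_fields(t):
    """List the Travel Rule fields the transfer record still lacks."""
    gaps = [f"originator.{k}" for k in ORIGINATOR_REQUIRED if not t.originator.get(k)]
    if not any(t.originator.get(k) for k in ORIGINATOR_ONE_OF):
        gaps.append("originator.one_of(" + ",".join(ORIGINATOR_ONE_OF) + ")")
    gaps += [f"beneficiary.{k}" for k in BENEFICIARY_REQUIRED if not t.beneficiary.get(k)]
    return gaps

def pre_transfer_check(t, sanctions=CONSTRUCTED_SANCTIONS):
    """Decide block / hold / release and return the record to write to the audit log."""
    record = {"amount_eur": t.amount_eur, "asset": t.asset,
              "to_self_hosted": t.beneficiary_self_hosted}
    # Step 1: sanctions pre-check on the destination address before anything else.
    if t.beneficiary.get("dlt_address", "").lower() in sanctions:
        record.update(decision="block", reason="beneficiary address on screening list")
        return record
    # Step 2: Travel Rule completeness. Missing data holds the transfer until the
    # originator supplies it; it never goes out silently with gaps.
    gaps = missing_fields(t)
    if gaps:
        record.update(decision="hold", reason="missing Travel Rule data", missing=gaps)
        return record
    record.update(decision="release", reason="screened and complete")
    return record

# Constructed test transfer matching the scenario: €900 of stablecoin to a self-hosted address.
SAMPLE = Transfer(900.0, "EUR-stablecoin",
    {"name": "Example Treasury Ltd", "dlt_address": "0x1111111111111111111111111111111111111111",
     "account_number": "ACCT-0001", "customer_id": "CUST-42"},
    {"name": "Alice Example", "dlt_address": "0x2222222222222222222222222222222222222222"},
    True)
```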
Emerging best practices we recommend including
- For USDC on CCTP v2, go with the burn-and-mint approach to avoid wrapped-asset fragmentation, and note down fallback options for domains that don't have support. (circle.com).
- Treat sanctions screening as layered protection: go for on-chain oracle gating whenever you can, paired with off-chain API screening that gives you flexibility on rate limits and keeps a good audit log. (go.chainalysis.com).
- Make passkeys the top choice, offering both device-bound and synced options. See FIDO and NIST 800-63-4, and keep YubiKey as a solid backup, especially in regulated environments. (fidoalliance.org).
- Lean into stablecoin as gas to boost the consumer experience.
- Set up ERC-4337 paymasters and, whenever you can, use the Circle Paymaster for USDC transactions so the accounting stays simple. Keep an eye on fee changes: the 10% uplift kicks in after June 30, 2025. (circle.com).
- Gear up for Pectra/EIP-7702 parity: check that your provider can handle temporary smart-account behavior for EOAs, and confirm EntryPoint compatibility. (coindesk.com).
- If Tron (USDT) is part of your operations, make sure TRC-20 support is locked down and step up monitoring, since there's a lot of stablecoin activity on Tron lately. (cointelegraph.com).
Brief vendor landscape notes (to inform questions, not endorsements)
- When you're exploring enterprise MPC platforms, look into their policy engines, transaction simulation, and SOC 2 Type II claims. Try them out with your own playbooks and ask for proof. (fordefi.com).
- ERC-4337 paymaster providers like Pimlico and Biconomy offer both ERC-20 and sponsored modes. Ask about the EntryPoint versions they support and any oracle dependencies. Circle Paymaster has added USDC support, which is good news for EOAs following the Pectra update. (docs.pimlico.io).
- Embedded wallet providers are adding passkey multi-factor authentication (MFA) and server-authorized actions. Check how the passkey user experience and the recovery options work; everything should feel smooth and easy to use. (docs.privy.io).
30‑60‑90 day rollout checklist (post‑selection)
- Days 0-30: Dev/test phase: integrate ERC‑4337, the paymaster, and the latest CCTP version (v2); wire in the sanctions API and the on-chain oracle; settle the Travel Rule schemas and plan where you'll store the data. (circle.com).
- Days 31-60: Real user testing: onboard users with passkeys and USDC for gas, run CCTP transfers, and monitor p95 latencies and fallback rates. Run a tabletop exercise around sanctions and the Travel Rule to see how you'd handle those situations. (eba.europa.eu).
- Days 61-90: Production prep: double-check the SOC/ISO control mappings, rehearse the disaster recovery plan (including MPC shard loss), finalize SLAs and on-call rotations, then kick off with staged traffic and go live.
Red flags
- “We’re all in for CCTP,” but no detail on the v2 contracts or the plan to phase out v1 on July 31, 2026. (circle.com).
- No solid plan for passkeys; still relying on SMS-only two-factor authentication for wallet access. (fidoalliance.org).
- ERC-4337 is mentioned, but there's no evidence of EntryPoint v0.7/0.8 support or of any audits for the paymaster. (ercs.ethereum.org).
- Comments on the Travel Rule are vague, don't map explicitly to the EBA guidelines, and say nothing about self-hosted wallets. (eba.europa.eu).
Final takeaway
When you're putting together your RFP, make sure to ask vendors to prove a few important things. First off, they should be able to demonstrate that they’re CCTP v2-native for USDC. Next up, they really need to deliver a modern user experience, which means incorporating things like account abstraction and passkeys. Finally, they need to have a solid way to enforce sanctions and comply with Travel Rule regulations. It’s super important that there’s clear and trackable proof of everything they do. If they can’t show you all of this in a sandbox with your workflows in under two weeks, it might be time to keep looking.
At 7Block Labs, we're all about making life easier for both startups and larger companies when it comes to the RFP process. We help you score the right vendors and get a compliant pilot up and running in just 90 days! Hey there! If you need a quick and easy checklist specifically for procurement, just give us a shout. We’d love to send it your way!