By AUJay
If you're an enterprise banking leader looking into “Wallet-as-a-Service,” the quickest way to get on-chain revenue while avoiding regulatory headaches is through a hybrid build/buy approach. This ensures you meet SOC 2, FFIEC third-party risk, and MiCA/DORA requirements while maintaining control over your key management. Here’s the practical playbook we follow at 7Block Labs to minimize procurement risks, speed up time-to-market, and demonstrate ROI within 90 days.
The “Wallet‑as‑a‑Service” Landscape: Build vs. Buy for Banks
Your wallet project is stuck between compliance, procurement, and engineering “unknowns”
- So, here's the deal: you need on-chain accounts, transfers, and policy controls. But then you've got Security insisting on FIPS-validated HSMs/TEEs, Audit is looking for SOC 2 Type II and ISO controls, and Risk wants some solid FFIEC-aligned oversight from third parties, all the way through. According to the interagency third-party risk management guidance, the bank's on the hook for everything--planning, due diligence, contracting, ongoing monitoring, and even termination--no matter what happens with a WaaS vendor. (federalreserve.gov)
- There's been a shift in accounting: the SEC just rolled back SAB 121 with SAB 122, which kicks in on January 30, 2025. This means the way we account for crypto custody is changing from on-balance-sheet “safeguarding liabilities” to an ASC 450 loss-contingency analysis. This could really change how you think about capital and disclosure in your business case. (sec.gov)
- If you're operating in the EU, get ready for some new responsibilities. MiCA Titles III/IV for stablecoins will kick in on June 30, 2024, and then full MiCA/DORA compliance follows by December 30, 2024, with the EBA “travel rule” guidelines also coming into play on December 30, 2024. That means your compliance setup has to be built in from the start, not just tacked on later. (finance.ec.europa.eu)
- Let’s talk engineering trade-offs: do you trust vendor-managed MPC, want bank-controlled MPC nodes, or need HSMs (FIPS 140-3) in the mix? Each choice changes your threat models, RTO/RPO, and the risk of vendor lock-in. Good news: AWS KMS and CloudHSM now offer FIPS 140-3 Level 3 options, but you’ll want to pay close attention to the integration details. (csrc.nist.gov)
- And hey, speaking of changes, L2 fee dynamics have shifted since Dencun (EIP-4844 “blob” space) rolled out, primarily lowering L2 fees. This is definitely going to impact your cost modeling for ERC-4337/AA flows and sponsored gas policies. (blog.ethereum.org)
Result: missed launch windows, rework during InfoSec reviews, and budget swings as pricing, compliance, and architecture targets keep moving.
The hidden risks that blow up timelines and budgets
- Procurement risk: If you don't have an FFIEC-aligned TPRM pack, your vendor might look good on paper but could still fall short on legal and operational due diligence, which could hold up contracts. Be ready for a deep dive into lifecycle controls (planning through termination), sub-processor maps, and that all-important right-to-audit language. (federalreserve.gov)
- Accounting risk: If your model is still clinging to SAB 121 liabilities, you’re in for a rough ride after January 2025 with SAB 122 kicking in. Your capital and KPI projections will be off, and trust me, your CFO is definitely going to hit the brakes on the Go/No-Go until things are updated. (sec.gov)
- Regulatory fragmentation: Navigating EU travel rule routing, MiCA stablecoin constraints, and the varying U.S. BSA/AML travel rule thresholds (some proposals even suggested dropping down to $250) can really complicate VASP-to-VASP data exchange, especially if self-hosted wallet flows aren’t set up right from the start. (eba.europa.eu)
- Security regressions: While MPC in TEEs has its perks, auditors will still want to dig into your cryptographic libraries, enclave attestation, geo-distribution of key shares, and your vendor’s SOC 2 Type II posture along with their ISO certifications. Fireblocks’ trust center and Coinbase/Circle disclosures can be helpful, but make sure you’ve got controls that line up with your RCSA. (trust.fireblocks.com)
- Cost surprises: WaaS pricing is a lot clearer now. For instance, Coinbase Embedded Wallets charge per operation ($0.005 per write operation; first 5,000 ops are on the house) while Circle has a per Monthly Active Wallet fee structure with tiered MAW pricing and a USDC rebate. Don’t forget about sponsored gas (like ERC-4337 paymasters/Gas Station), which comes with a platform fee plus the chain’s gas costs, meaning your COGS will largely depend on how users behave and which chain they choose. (docs.cdp.coinbase.com)
- EU resilience: DORA is all about showing that you’ve got operational resilience and solid oversight for third-party ICT. If your WaaS isn’t linked to incident/breach reporting (like the U.S. FTC Safeguards Rule's 30-day notification requirement for certain non-bank FIs), you’re opening yourself up to potential regulatory issues after an incident. (finance.ec.europa.eu)
This is where 7Block Labs comes into play with a build-vs-buy framework that’s specifically tailored for banks, not just for startups.
7Block Labs’ methodology for banks (90‑day pilot to ROI)
We mix deep protocol engineering (think Solidity and ZK) with top-notch delivery that meets bank standards (including risk management, controls, and procurement). We're all about being “Technical but Pragmatic” in our approach.
1) Business Case and Controls Baseline (Weeks 0-2)
- Let’s start by recasting the P&L using SAB 122 accounting, and we’ll incorporate the L2 fee models after Dencun, along with WaaS unit economics.
- Next up, we need to map our obligations: think about the FFIEC TPRM lifecycle, SOC 2 Type II, ISO 27001/27017/27018, DORA/MiCA in the EU, and the Travel Rule for both the U.S. and EU. We'll also cover the FTC Safeguards for our non-bank affiliates. To wrap it all up, we’ll deliver control matrices, evidence lists, and a RACI for vendor governance. Check out more on this at fdic.gov.
2) Architecture Options--Bank‑Controlled Keys vs. Vendor‑Managed (Week 2‑4)
- MPC topologies:
- Vendor‑hosted MPC shards: These are a quick way to get started, like Circle’s hosted 2‑of‑2 for user wallets or the “Server Wallets” for programmatic flows. Check it out here: developers.circle.com.
- Shared custody MPC: In this setup, a bank runs one MPC node (think Circle's keyguard flow). This approach can help you steer clear of vendor lock-in and is a better fit for stricter regulations. More info at: developers.circle.com.
- Bank‑hosted dual MPC or HSM hybrid: Here’s where you can keep your keys safe within your own perimeter using FIPS 140‑3 HSMs, while still using WaaS for things like orchestration and user experience. Learn more at: csrc.nist.gov.
- Account Abstraction and UX:
- Think about ERC‑4337 smart accounts that allow for passkeys or social logins. You can even sponsor gas through paymasters on EVM, while Solana/Aptos folks can use fee payer mechanisms. Check it out here: eips.ethereum.org.
- Chains:
- EVM L2s are a great choice (they benefit from EIP‑4844 blob space fee cuts), plus keep an eye on Solana where both speed and latency are crucial--just make sure to evaluate them based on compliance and liquidity. More details at: blog.ethereum.org.
3) Vendor Shortlist and Scoring (Week 4‑6)
- Coinbase Developer Platform (Embedded + Server Wallets): This one offers TEEs for managing keys and emphasizes “self‑custody by default.” You also get built-in KYT controls and operation-based pricing, which starts at $0.005 per operation--with the first 5,000 transactions free. It's a solid choice for quick and seamless user experiences, especially in the U.S. retail market. Check it out at coinbase.com.
- Circle Programmable Wallets: Circle’s wallets give you lots of flexibility with your MPC hosting--choose between 0, 1, or 2 nodes managed by Circle or by you. Their MAW pricing comes with USDC rebates, and they have a compliance engine for things like travel rules and transaction screening in beta. Plus, they feature the ERC‑4337 Gas Station with a 5% fee on sponsored gas. This is a great pick if you’re all about stablecoin flows and working across multiple chains. More info here: developers.circle.com.
- Fireblocks: With an MPC‑CMP setup, Fireblocks boasts an audited, open-sourced library along with SOC 2 Type II and ISO certifications. They offer a policy engine and integration with Notabene for travel rules. It's a strong contender for institutional treasury and custody needs and really digs deep into internal control measures. Learn more at fireblocks.com.
- BitGo: They operate on a TSS-based MPC model with a 2‑of‑3 signature scheme, plus options for multi-sig and HSM. In a notable development, they received OCC conditional conversion approval to a national trust bank as of December 2025, which is significant for qualified custody alignment. BitGo is a robust option for fiduciary custody and asset segregation. Check them out at developers.bitgo.com.
4) Pilot Build (Week 6‑12) with “Compliance-First” Integrations
- Scope: We’re looking at 10k wallets, 3 types of transactions, a complete policy engine, plus all the compliance goodies like sanctions/KYT, travel rule, and ERP/GL reconciliation.
- Tech Sprints:
- Developing wallet orchestration SDKs along with bank SSO/IDP.
- Crafting policy contracts (using Solidity) to manage daily limits, ensure 4-eyes controls, run velocity checks, and facilitate smart-account recovery.
- Implementing ZK attestations for selective-disclosure proofs--so, for instance, you can show you’re KYC’d to counterparties without revealing any personal info. This will be an optional feature in Phase 2.
- Enhancing observability with audit logs, chain analytics events, and immutable proofs for the internal audit process.
- Controls Sprints:
- Assembling a TPRM evidence packet, aligning with SIG Lite/Full, scheduling penetration tests, and creating a disaster-recovery runbook that connects to RTO/RPO.
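The policy rules listed for the tech sprints (daily limits, velocity checks, 4-eyes controls) are described above as Solidity policy contracts. The following is an added illustration, not 7Block Labs’ or any vendor’s code: it implements the same rule set off-chain in Python, as a bank-hosted pre-signing check that a wallet orchestration service could run before a transfer is handed to the signer. The limit values, the `Transfer`/`PolicyEngine` names and the assumption that transfers arrive in timestamp order are all assumptions made for the example.

```python
"""Pre-signing policy gate: daily limit, velocity limit and four-eyes rule.

Added example. The page describes these rules as Solidity policy contracts;
this is the equivalent logic as an off-chain, bank-hosted check. Limits and
names are assumptions, not any vendor's defaults.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Tuple

# Policy parameters (assumed values for the example).
DAILY_LIMIT = 10_000          # stablecoin units per wallet per UTC day
VELOCITY_MAX = 5              # max transfers per wallet inside VELOCITY_WINDOW
VELOCITY_WINDOW = 600         # rolling window in seconds
FOUR_EYES_THRESHOLD = 2_500   # transfers at or above this need a second approver


@dataclass
class Transfer:
    wallet: str
    amount: int
    ts: int                    # unix seconds; assumed non-decreasing per wallet
    initiator: str             # user who submitted the transfer
    approvers: tuple = ()      # user ids that approved it


@dataclass
class PolicyEngine:
    # (wallet, day) -> amount already committed that day
    spent: dict = field(default_factory=lambda: defaultdict(int))
    # wallet -> timestamps of committed transfers inside the velocity window
    recent: dict = field(default_factory=lambda: defaultdict(list))

    def evaluate(self, t: Transfer) -> Tuple[bool, str]:
        """Return (allowed, reason). State is only updated when the transfer is allowed."""
        if t.amount <= 0:
            return False, "non-positive amount"

        # Daily limit: check the running total for this wallet and UTC day.
        day = t.ts // 86_400
        if self.spent[(t.wallet, day)] + t.amount > DAILY_LIMIT:
            return False, "daily limit exceeded"

        # Velocity: count committed transfers inside the rolling window.
        window = [x for x in self.recent[t.wallet] if t.ts - x < VELOCITY_WINDOW]
        if len(window) >= VELOCITY_MAX:
            return False, "velocity limit exceeded"

        # Four-eyes: large transfers need an approver other than the initiator.
        if t.amount >= FOUR_EYES_THRESHOLD:
            independent = {a for a in t.approvers if a != t.initiator}
            if not independent:
                return False, "four-eyes: needs an approver other than the initiator"

        # All checks passed: commit the transfer to the counters.
        self.spent[(t.wallet, day)] += t.amount
        self.recent[t.wallet] = window + [t.ts]
        return True, "ok"


if __name__ == "__main__":
    engine = PolicyEngine()
    print(engine.evaluate(Transfer("w1", 1_000, 1_000_000, "alice")))             # (True, 'ok')
    print(engine.evaluate(Transfer("w1", 3_000, 1_000_010, "alice")))             # four-eyes hold
    print(engine.evaluate(Transfer("w1", 3_000, 1_000_010, "alice", ("bob",))))   # (True, 'ok')
```

Because every check runs before any counter is updated, a rejected transfer never consumes daily or velocity budget, which is the behaviour auditors expect when they trace a declined transaction through the logs.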
We’ll be getting this done through our web3 development services, custom blockchain development services, security audit services, and our enterprise blockchain integration.
5) Scale and Transition (Post‑Pilot)
- Vendor Diversification: Think about using different providers for various regions to spread out risk.
- Performance Tuning: This includes picking the right bundler (like ERC‑4337), utilizing signature aggregation when it makes sense, and fine-tuning your gas policy for efficiency.
- Ongoing Change Management: Keep it aligned with FFIEC/DORA standards to ensure everything stays compliant and up-to-date.
What’s new in 2025‑2026 that changes your Build vs. Buy calculus
- Accounting relief: Say goodbye to SAB 121! With SAB 122 on the scene, Topic 5.FF is officially rescinded and we’re now pointing to ASC 450. This change is a win for reducing capital drag on custody lines and should make your revenue projections a bit less brutal. Time to give your CFO deck a quick refresh! (sec.gov)
- OCC trust-bank lane is open again: By December 2025, the OCC has conditionally approved national trust charters for a bunch of digital asset players, including those BitGo conversions we’ve been hearing about. If your game plan involves “qualified custody” or nationwide fiduciary services without juggling state regulations, it’s time to align your roadmaps! (occ.gov)
- ERC-4337 and Dencun matured: The smart-account user experience and Layer 2 economics are now in a place where they can support embedded wallet flows on a retail scale. Just make sure to budget for sponsored gas fees and choose your Layer 2s wisely, focusing on those with stable blob markets. (eips.ethereum.org)
- EU: MiCA/DORA are live: The EBA travel rule guidelines take effect on December 30, 2024. It might be a good idea to integrate automated VASP discovery and PII exchange (IVMS101), or you could tap into a WaaS “compliance engine” with early-access features to stay ahead of the game. (eba.europa.eu)
- HSMs and TEEs: FIPS 140-3 Level 3 options for AWS KMS/CloudHSM are making it easier to get InfoSec sign-off for keys controlled by banks, including those enclave-anchored MPC nodes or policy oracles. This should smooth out the process for you! (csrc.nist.gov)
1) Retail Stablecoin Payments Under Strict Controls (U.S. + EU Footprint)
- Target: We’re aiming to roll out a consumer wallet that utilizes USDC, has a smooth onboarding experience with ERC‑4337 (think email/passkey), and features compliance logic hosted by banks.
- Architecture:
- We’re using Circle Programmable Wallets for modular MPC. To get started quickly, we'll kick off with Circle‑hosted nodes, and then in Phase 2, we’ll shift one node on-prem. Circle’s Gas Station will cover EVM smart-account gas, with fees running at cost + 5%. Plus, Circle’s Compliance Engine will take care of transaction screenings and adhere to the travel rule workflows. (circle.com)
- For paymaster policies, expect daily gas caps tailored to different customer segments and bundler SLAs that come with automated fallback options.
- On the EU front, we’ll stick to MiCA-compliant stablecoin usage. The Travel Rule will be enforced right off the bat with pre-trade screenings and secure PII exchanges.
- Economics:
- We'll look at wallet unit costs based on MAW tiers with a USDC rebate compared to the expected monthly active rates. The sponsored gas budget will be linked to L2 fee scenarios after EIP‑4844. (circle.com)
- 7Block Deliverables:
- We’ll provide smart-account templates that include policy hooks, passkey recovery flows, monitoring dashboards, and a TPRM evidence binder. This binder will cover SOC 2 Type II, ISO mappings, and breach-notification runbooks, keeping the FTC Safeguards for non-bank affiliates in mind. (ftc.gov)
2) Institutional Custody with Policy Depth and Travel Rule Automation
- Target: We're looking at corporate treasury custody and settlement that includes multi-user approvals, proper segregation, and compliance across different jurisdictions.
- Architecture:
- We recommend using Fireblocks for MPC-CMP, which has a policy engine (think allowlists and velocity limits), controls that are auditor-friendly (like SOC 2 Type II and ISO), and integrates with Notabene for travel rule compliance. Check it out here.
- You might also consider layering BitGo for fiduciary custody along with 2-of-3 TSS wallets, which fits with its OCC national trust conversion plans. More info can be found here.
- Key Strategy: We’ll focus on sharding geo-distribution across TEEs/HSMs, ensuring bank-controlled recovery and independent attestation of enclaves.
- 7Block Deliverables:
- We’ll ensure the segregation of duties in signing flows, ledger postings to ERP/GL, routing for sanctions/KYT, and provide immutable activity proofs for internal audits.
- Plus, we’ll formalize RTO/RPO and conduct chaos-testing for withdrawal policies.
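The “immutable activity proofs for internal audits” deliverable above is easiest to picture as a hash-chained log of signing and policy events. The following is an added example, not code from 7Block Labs or any custody vendor: each entry commits to the previous entry’s SHA-256 hash, so altering or reordering any recorded event breaks every later link, and `verify()` reports the first bad entry. The `AuditLog` name, the JSON canonicalisation and the sample events are assumptions made for the example.

```python
"""Hash-chained audit log for wallet activity. Added example; names and
event fields are assumptions. Each entry commits to its predecessor, so an
auditor who holds the current head hash can detect any rewrite of history."""
import hashlib
import json
from typing import Optional, Tuple

GENESIS = "0" * 64  # link value for the first entry


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so the same event always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self) -> None:
        self.entries = []

    def head(self) -> str:
        """Hash of the latest entry; this value is what you anchor externally."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, event: dict) -> str:
        """Record an event (e.g. a policy decision) and return its hash."""
        body = {"seq": len(self.entries), "prev": self.head(), "event": event}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every hash and link. Return (ok, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: entry[k] for k in ("seq", "prev", "event")}
            if (entry["seq"] != i
                    or entry["prev"] != prev
                    or hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]):
                return False, i
            prev = entry["hash"]
        return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample events, not real custody traffic."""
    log = AuditLog()
    log.append({"op": "transfer.request", "wallet": "w1", "amount": 3000, "by": "alice"})
    log.append({"op": "policy.decision", "wallet": "w1", "result": "hold", "rule": "four-eyes"})
    log.append({"op": "transfer.approve", "wallet": "w1", "by": "bob"})
    log.append({"op": "policy.decision", "wallet": "w1", "result": "ok"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify())                       # (True, None)
    log.entries[1]["event"]["result"] = "ok"  # simulate an edited record
    print(log.verify())                       # (False, 1)
```

The chain only proves integrity of what it contains; it does not stop someone with write access from silently dropping the newest entries. That is why the head hash has to leave the system regularly, for example by being written to the chain or handed to internal audit, so that truncation is detectable as well.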
3) Embedded Wallets Inside an Existing Mobile App
- Target: We’re aiming for a smooth, branded onboarding experience that keeps crypto interactions easy and hassle-free.
- Architecture:
- We’ll use the Coinbase Developer Platform (Embedded Wallets) for seamless onboarding via email, SMS, or OAuth. This will handle TEE-backed key management and KYT screening, plus it features a straightforward op-based pricing model ($0.005 per write, with the first 5,000 writes free each month). This setup is perfect for a “phase-one” launch focused on the U.S. retail market. Check it out here: coinbase.com.
- AA Upgrade Path: As we see more user adoption, we can step it up by adding ERC-4337 features like sponsored gas and batch operations. More info on that can be found here: eips.ethereum.org.
Emerging best practices (what we implement by default)
- Key custody choices as a spectrum--not a binary:
- Kick things off with vendor-hosted MPC for speed, but don’t forget to evolve into shared-custody or bank-hosted MPC/HSM down the line for better control and exit options.
- “Compliance-in-code”:
- Make sure to encode Travel Rule pre-checks and sanctions gates right into your transaction queue; take advantage of WaaS compliance engines where you can. (circle.com)
- ERC-4337 “safety rails”:
- Rate-limit sponsored gas based on customer tiers, stick to approved bundlers, and when it’s stable, adopt signature aggregation to help cut down those fees. (ercs.ethereum.org)
- DORA/FFIEC observability:
- Stay ahead of the game with proactive telemetry, immutable logs, synthetic transactions, and set documented incident thresholds that line up with breach-notification windows. (finance.ec.europa.eu)
- FIPS-anchored cryptography:
- Go for FIPS 140-3 validated modules (like CloudHSM/KMS) for anything hosted by banks; make sure to document enclave attestation for any TEE-based MPC nodes. (csrc.nist.gov)
- “Right-to-exit” plan:
- From day one, keep your key material portable, ensure AA signer portability, and use export formats for your ledger; don’t forget to simulate a vendor exit every few months.
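“Compliance-in-code” and the ERC-4337 “safety rails” above both come down to checks that run on a transaction before it is queued for signing or sponsored. The following is an added example, not 7Block Labs’ or any WaaS vendor’s compliance engine: it gates a transaction on a sanctions denylist, requires originator and beneficiary records once a travel rule threshold is reached, and enforces a per-tier daily cap on sponsored gas. The threshold, the tier caps, the denylist address, the `ComplianceGate` name and the IVMS101-style field names are all constructed for the example.

```python
"""Transaction-queue compliance gate: sanctions check, travel rule data
requirement and per-tier sponsored-gas cap. Added example; every threshold,
address and field name below is an assumption, not a vendor default."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

TRAVEL_RULE_THRESHOLD = 1_000        # assumed amount at which counterparty data is required
GAS_SPONSOR_CAP = {                  # assumed sponsored gas units per wallet per day, by tier
    "basic": 50_000,
    "plus": 200_000,
    "premium": 1_000_000,
}
# Constructed denylist entry; a real deployment would load a screening feed.
DENYLIST = ["0xBAD0000000000000000000000000000000000001"]


@dataclass
class Tx:
    from_addr: str
    to_addr: str
    amount: int
    gas: int               # gas units the paymaster would sponsor
    tier: str              # customer tier used for the gas cap
    day: int               # UTC day index used for daily budgets
    originator: Optional[dict] = None     # IVMS101-style record, e.g. {"name": ...}
    beneficiary: Optional[dict] = None


class ComplianceGate:
    def __init__(self, denylist, caps) -> None:
        self.denylist = {a.lower() for a in denylist}
        self.caps = caps
        self.gas_used = defaultdict(int)   # (wallet, day) -> sponsored gas consumed

    def check(self, tx: Tx) -> List[str]:
        """Return every hold that applies; an empty list means the tx may be queued."""
        holds = []
        # Sanctions gate on both sides of the transfer.
        for addr in (tx.from_addr, tx.to_addr):
            if addr.lower() in self.denylist:
                holds.append(f"sanctions hit: {addr}")
        # Travel rule: above the threshold both counterparty records must be present
        # and carry at least a name (minimal IVMS101-style content, assumed here).
        if tx.amount >= TRAVEL_RULE_THRESHOLD:
            complete = all(rec and rec.get("name") for rec in (tx.originator, tx.beneficiary))
            if not complete:
                holds.append("travel rule: originator and beneficiary records required")
        # Sponsored gas: unknown tiers get no sponsorship at all.
        cap = self.caps.get(tx.tier, 0)
        if self.gas_used[(tx.from_addr, tx.day)] + tx.gas > cap:
            holds.append(f"sponsored gas cap exceeded for tier {tx.tier}")
        return holds

    def queue(self, tx: Tx) -> List[str]:
        """Run the checks and, only if clean, charge the gas against the tier budget."""
        holds = self.check(tx)
        if not holds:
            self.gas_used[(tx.from_addr, tx.day)] += tx.gas
        return holds


if __name__ == "__main__":
    gate = ComplianceGate(DENYLIST, GAS_SPONSOR_CAP)
    print(gate.queue(Tx("0xa1", "0xb2", 200, 21_000, "basic", 1)))        # []
    print(gate.queue(Tx("0xa1", "0xb2", 5_000, 21_000, "basic", 1)))      # travel rule hold
    print(gate.queue(Tx("0xa1", DENYLIST[0], 200, 21_000, "basic", 1)))   # sanctions hit
```

Returning the full list of holds rather than the first one matters operationally: a transaction that trips sanctions and the travel rule at the same time should land in the case queue with both reasons attached, not be retried after only one is resolved.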
Build vs. Buy: a banker’s decision tree (TL;DR)
Buy (WaaS-first) if you:
- Need to demonstrate demand in 90 days or less, want a consumer-friendly user experience (think passkeys/email), and are okay with starting with vendor-managed MPC.
- Can match SOC 2 Type II + ISO proof for procurement and are on board with either per-operation or MAW pricing. Check out the details here.
Build (Bank-First) or Hybrid if:
- You need to manage MPC nodes or HSMs for any policy, recovery, or jurisdictional reasons (like having key shares hosted by the bank).
- You want to ensure alignment with fiduciary or qualified custody (especially if you're leaning towards that OCC trust bank setup) or if you need some serious ERP/GL controls that go beyond the usual WaaS offerings. (occ.gov)
No matter what, make sure to use L2s after Dencun to maintain appealing unit economics. When modeling sponsored gas, focus on real user behavior instead of just theoretical lab assumptions. (blog.ethereum.org)
What 7Block Labs delivers that de‑risks procurement and accelerates ROI
- A unified team handling both protocol engineering and bank governance:
- We focus on Solidity smart-account engineering, ZK attestations, and integrating enclave/HSM solutions.
- Our TPRM packs align with FFIEC/DORA standards and you’ll find SOC 2 Type II mappings and breach-notification runbooks in the mix.
- Vendor-agnostic scoring and integration:
- We take the lead in shortlisting, negotiating, and integrating various WaaS providers--and we make sure you have a “right-to-exit” built right in.
- 90-day pilot with clear KPIs:
- We'll nail down specific “money metrics” right from the start:
- Aim for the first on-chain transaction in production within 6 weeks or less.
- Boost the KYC’d wallet activation rate with an uplift from passkeys and social logins.
- Keep tabs on unit COGS per active wallet/operation, comparing it to our baseline (including L2 and sponsorship).
- Monitor incident MTTR and RTO/RPO during our failover drills.
- From pilot to scale:
- We’ll evolve from “one chain, one WaaS” to a setup that supports multiple providers across different regions, complete with enterprise support, SRE playbooks, and quarterly exit simulations.
Check out what we have to offer:
- Complete dApp development solutions and smart contract development to bring your ideas to life.
- Tailored DeFi development services designed for enterprises, complete with secure policy flows.
- Innovative cross-chain solutions and bridge development that make transferring and managing assets a breeze.
- For anything related to tokenized assets: check out our asset tokenization and asset management platform development.
- And if you're looking at raising capital, our fundraising advisory is here to help!
Proof points you can take to GTM
- Compliance alignment right off the bat:
- We’ve got the Interagency TPRM all lined up with contracts, SLAs, and monitoring in place. Check it out here: (federalreserve.gov).
- You can find SOC 2 Type II reports and ISO mappings (like the ones from Fireblocks Trust Center) in the vendor pack. More details can be found at (trust.fireblocks.com).
- We’re also rolling out EU MiCA/DORA playbooks, complete with travel rule workflows set up in the pilot (available through WaaS compliance features). For more on that, check (finance.ec.europa.eu).
- Cost transparency:
- Over at Coinbase, you’ll find the per-write operation pricing at just $0.005, and the first 5k is on the house--great for the CFO’s budget modeling! Circle has MAW tiers with a USDC rebate, plus the Gas Station fee and the chain’s gas costs. We’ve integrated all of this into our COGS dashboards. You can dive deeper into the details here: (docs.cdp.coinbase.com).
- Security depth:
- When it comes to transparency in MPC/TEE, we’ve got both the Coinbase whitepaper and Fireblocks’ MPC-CMP open-sourced. Plus, there are FIPS 140-3 HSM options available for bank-controlled keys. More info is available at (coinbase.com).
- Market readiness:
- The post-Dencun fee dynamics are helping to lower L2 costs for AA bundles, and our pilots are showcasing fee curves based on actual usage. Read all about it here: (blog.ethereum.org).
- Regulatory runway:
- There's some exciting momentum with the OCC’s national trust charter expected by December 2025. This could really clarify federal supervisory lanes for crypto custody, which is super handy for long-term planning if you’re considering in-house or partner-based qualified custody services. Check it out at (occ.gov).
The bottom line
- Nowadays, banks aren’t stuck with a binary choice when it comes to “Wallet‑as‑a‑Service.” By 2026, the smart move will be a staged hybrid approach: kick things off with WaaS to confirm there is demand and that the user experience hits the mark, gradually bring key controls and policies under the bank’s own control, and build compliance right into the transaction flow rather than leaving it as a checkbox in a presentation.
- 7Block Labs is here to help you navigate that journey with a 90-day pilot program that gets the thumbs-up from your CISO, CFO, and Head of Retail. This plan offers measurable ROI, shows off SOC 2‑ready evidence, and includes a solid exit strategy right from the get-go.
Ready to Move from Slides to Transactions?
Book a 90-Day Pilot Strategy Call
Ready to kick things off? Let’s set up a 90-day pilot strategy call! This is your chance to dive deep into your goals and lay the groundwork for success.
What We'll Cover
During our call, we'll chat about:
- Your Vision: What do you want to achieve?
- Challenges Ahead: What are the hurdles you’re facing?
- Action Steps: Let's map out a plan to get you moving!
How to Book
It’s super easy to schedule:
- Click on this link: Schedule Your Call
- Pick a time that works for you.
- Get ready to brainstorm and strategize!
Looking forward to connecting and setting you up for success!
References and Source Notes
- Interagency TPRM Guidance (June 6, 2023): A collaborative effort from the Federal Reserve, FDIC, and OCC. Check it out here.
- SEC SAB 122 Rescinds SAB 121: This change takes effect on January 30, 2025. More details can be found here.
- Dencun (EIP‑4844) Mainnet Activation: Focused on the fee impacts for Layer 2 solutions. Get the scoop here.
- ERC‑4337 References and Mechanics: Dive into the specifics here.
- Circle Programmable Wallets: Learn about MAW pricing, the Gas Station fee (which is 5%), options for MPC hosting, and the Compliance Engine (covering travel rule and screening) here.
- Coinbase Embedded/Server Wallets: Discover how they handle TEE key management, KYT controls, and pricing based on operations here.
- Fireblocks: Check out their SOC 2/ISO compliance status and their open-source MPC‑CMP, plus the Notabene integration for the travel rule here.
- BitGo: They offer a TSS MPC model and have a conditional national trust conversion slated for December 2025. Learn more here.
- FIPS 140‑3 Options: Explore AWS KMS/CloudHSM validations and guidance here.
- EU MiCA/DORA Timeline Confirmation: The EBA travel rule guidelines will kick in on December 30, 2024. Get all the details here.